Secure Programming

viega writes "Matt Messier and I have just launched a secure programming web site. While this site does support our new book The Secure Programming Cookbook for C and C++ , it also serves as a thorough resource for developers. It has numerous links to articles and other topical resources, new recipes that demonstrate secure programming techniques a large glossary and the obligatory web log. We accept outside submissions, and will reward the best recipe submission each month-- O'Reilly will publish it on the O'Reilly Network web site and will give the author a free book. There's already a decent amount of new content, including recipes on avoiding malloc()/new-related integer overflows, watching out for security problems in API differences and issues when truncating data. There's also an RSS feed for the web log."

Run-on sentence time

Ten bucks says that this endeavor will go widely unnoticed by 90% of developers. Now I'm just a lowly IT worker, managing web servers and crawling under desks, but I do know that 95% of the developers in corporate America do not read Slashdot, and 95% of the ones that do are so intimately involved with Microsoft or Microsoft dependant technologies that this book/article/section/endeavor won't mean a damn. And before the trolls bark: YES, Microsoft = less security in development. Not by design - hardly - but rather because if a developer is working on a project that is Microsoft centric from the ground up, he/she is likely working on a time table set by some PHB a hundred miles away, and has been working on such projects for years, and has long since given up on making good, secure code, and rather coding whatever keeps his/her salary.

Once you have worked 50 hours a week in a corporate setting for 5 years as a developer (2 years) and a run-of-the-mill network/system/any-god-damn-thing-they-can-get-you -to administer(4 years, you will understand.

Re:Run-on sentence time

Ten bucks says that this endeavor will go widely unnoticed by 90% of developers.

Sadly, you may be right.

95% of the ones that do are so intimately involved with Microsoft or Microsoft dependant technologies that this book/article/section/endeavor won't mean a damn.

What?! It is precisely because of the flaws of most modern operating systems that do not protect you from sloppy programming, that programmers need to be aware of secure programming methods. It's not just Windows either; Unix/Linux does not protect a programmer from, say, buffer overruns either. All programmers need to be aware of such flaws, and work around them.

Programming securely does not have to cost you a lot of time either. Take the SafeStr library mentioned on the website for instance... a string library that can be used as replacement for the standard C string functions, a notorious source of buffer overruns and bugs. Using this library instead of the standard functions will cost little or no extra time.

Programming securely is just like other good programming practices. Generally they do not cost extra time, they save time. It does take time to learn these practices, and that's where the responsibility of each programmer comes in. Take the time to learn good programming practices and get used to them, stay abreast of new developments, and above all train and encourage your junior team members to use these methods as well.

The team that fails to adhere to good programming practices will turn out unstable and insecure software. Where do you think the bugs in Microsoft products come from? Tight timelines? Perhaps... but a great many of the bugs I come across are generally the result of a sloppy programmer, tight deadlines or no.

Good idea

It's a good idea to have resources that are committed to security. Although some will claim that languages such as Java or C# prevent security issues, this is simply not true - there are many avenues to building security weaknesses... and those that think they're safe merely by using a particular programming language are in for a nasty surprise.

Of course, a web site and a few books won't prevent security issues - but the more it gets the word out about good programming practices, the better!

---
Herb Chambers - where my nightmare came true!

Re:Good idea

// Try hacking THIS, suckas!

ah, you think it's funny - but it's true! the more a program does, the greater its potential for security flaws. thus, frymaster's first rule of secure programming: "your program shall do no more than what is absolutely required by the spec-n-rec[1]".

1. you got a spec-n-rec from the client? lucky you!

Warding off the inevitable "switch to Java" commen

If you RTFA, or even just GATFA (glance at) you'll notice that the book has info on:

Random numbers

Input validation

Cryptography (e.g. ssh)

Buffer overruns are just one kind of problem you need to deal with when writing secure code. There are also DOS attacks and information theft. Even with Java, it can be quite challenging to ensure that data is properly encrypted and authenticated, and you still need to worry about permissions in the file system.

And let's not even dredge up the standard "why can't you just rewrite 100s of 1000s of lines of working C++ code in Java?" inanity.

Re:Warding off the inevitable "switch to Java" com

Tune in to Bugtraq some time to see a never-ending stream of web-app vulnerabilities. Most of these applications are not written in C.

Moral of the story: stupid programmers will be stupid in whatever language you give them.

I'd love to read the site, but ...

I won't given the color scheme.

We really need a different language

The most common security hole is a buffer overflow. OpenBSD is well regarded as one of the most secure systems in the world. It was extensively audited, yet it still had a remote root exploit. And what type of exploit was it? A buffer overflow!

Buffer overflows should not happen in the first place. In most languages, they are impossible. They happen because A) most code is written in C or C++, and B) everyone makes mistakes (even the finest open source developers overlook simple buffer overflows).

Microsoft is moving to languages with managed types. If they had been using managed types all along, the overwhelming majority of Microsoft security holes would have never happened. In a few years, Microsoft software will be more secure than anything Open Source has to offer.

Open Source developers, on the other hand, arrogantly believe that they are immune to mistakes. They somehow overlook the countless exploits discovered in their own code (more than 500 in Debian [linuxsecurity.com] over the past 4 years).

It is time for open source to wake up and start using better tools [jurun.org] and better practices.

Re:We really need a different language

Microsoft is moving to languages with managed types [...]overwhelming majority of Microsoft security holes would have never happened

Are you somehow recommending a kernel be written in something else than C??? Sure, not all systems software is kernel mode C, but you have to realize that unless the underlying infrastructure is built (on some low level language), you can't have high level languages... in other words, the bottom line is Assembly. You have to build your way to it.

Now that said, the buffer overflow isn't the only security hole in the world, in fact more security holes come from very very high level, very abstract programming fallacies... such as for example the cookie exploit (it's a logical bug) that Hotmail had a while back.

All this being said, I feel like a dirty karma whore right now (feeling the slimey breath of modders down my neck), so I'll say it right out: I'M PRO MICROSOFT.

<runs for cover>

Re:We already HAVE the different language.

It's called LISP.
(And before anyone says "... but you can't write a kernel in LISP!", there are several LISP Machines out there which beg to disagree with you.)

Yes, very true. "Several" is an excellent estimate of the number of LISP machines sold.

Re:We already HAVE the different language.

This is just silly - existing commercial lisps compile to machine code, same as c, or fortran, or ada, etc. Current lisp implementations run on stock hardware, on all the major platforms - Windows (XP,ME, NT, 9x, Dos), Linux (ix86, sparc, ppc), Mac OS X (and Classic), and various Unices.

OS kernels are not written in lisp because Unix was written in C, so everyone mistakenly believed that C was *the* language for OS kernel implementation. However, this is simply not so. Any language compiler that can generate machine code can be used to write an OS kernel.

Re:We really need a different language

They happen because A) most code is written in C or C++, and B) everyone makes mistakes (even the finest open source developers overlook simple buffer overflows).

That's not true. qmail [cr.yp.to] and djbdns [cr.yp.to] do not have security holes. They were written using secure coding techniques that make them immune to things like buffer overflows. You can't "overlook" a buffer overflow with stralloc [cr.yp.to].

Re:We really need a different language

qmail and djbdns do not have security holes.

Bah. That they do not have security holes is implausible, if not actually impossible, to prove. It's hard to even define what a security hole is; a changing threat model has "caused" many security holes. (Is an open relay a security hole? I say yes. Twenty years ago, everyone said no.) I doubt your statement. I can't point at a hole right now, but I have confidence that at least one security hole will eventually be discovered in those programs.

They were written using secure coding techniques that make them immune to things like buffer overflows. You can't "overlook" a buffer overflow with stralloc.

No, they make it easier to avoid buffer overflows. They don't prevent them: I quote from your hyperlink:

A stralloc structure has three components: sa.s is a pointer to the first byte of the string, or 0 if space is not allocated; sa.len is the number of bytes in the string, or undefined if space is not allocated; sa.a is the number of bytes allocated for the string, or undefined if space is not allocated. A stralloc variable should be initialized to {0}, meaning unallocated.

Applications are expected to use sa.s and sa.len directly.

If they use sa.s and sa.len directly, they can screw up and increase len inappropriately. The API seems good in that it makes it much harder to do things wrong, but it is hubris to say it makes you invulnerable. Besides, buffer overflows are possible for things other than strings, so this solves only (the most common) part of the problem. And there's still the legacy code that people can use without porting to stralloc.

It does seem like a good library if you're stuck using C. Another alternative is APR, which makes managing all sorts of memory allocations much easier. Pools are handy things when dealing with a language that primitive.

But there are languages in which it actually is impossible to have a buffer overflow. Please don't confuse the issue by saying that this (which makes it somewhat easier to avoid this error) makes the error impossible.

Re:We really need a different language

Now that you've got off your high pony, the problem is not necessarily the tools. As the site points out, buffer overflows can be avoided in C/C++. The whole point of the site is to try and improve coding practices.

And don't think that just because Microsoft is switching to managed types that they are all of a sudden going to fix bad coding practices. Sure it may reduce the effect of bad coding but it won't single handedly catapult Microsoft into security heaven.

Go back in your cave troll.

Re:We really need a different language

I would actually argue that the most common security problem in software systems is likely NOT the buffer overflow. Yes, the most common thing to see in places like bugtraq, etc. is the buffer overflow, but this is because people know how to find them and turn them into exploits ( and, the consequences are running code on a remote machine, which is pretty severe).

However, C and C++ are a fairly small part of the market these days, too. All the market data I've seen recently suggests that no more than 1/3 of commercial development is in one of these languages. It's probably less.

And, there are plenty of security problems that apply to all languages, such as problems in authentication systems that provide the attacker some kind of leverage (e.g., practical guessing attacks), other misuse of cryptography (e.g., misapplying SSL) and other generic input validation problems (e.g., SQL injection). These things come up in all languages, and are things people frequently get wrong.

Re:We really need a different language

I recommend Python.

Open source, expressive (very short code can achieve a lot), readable (very short expressive code is easily groked -- fewer bugs), no direct pointer manipulation (safe -- fewer bugs), integrates nicely with other languages, runs on a variety of platforms, very easy to learn.

Secure programming FAQ

Or for a quick and free guide, you can download the secure programming faq from one of the oldest websites on the internet-
Securing Programming FAQ [mit.edu]
--

Re:Secure programming FAQ

This is not a very good (modern) guide. There are plenty of better guides (still free) to which we link on the web site, such as David Wheeler's HOWTO [dwheeler.com]. The book is more about giving actual code examples on how to do things properly. And, oddly enough, all the code is also available for free on the web site.

I blame colleges

These degrees are handed out like toilet paper these days.

Let's teach future American programmers proper security before they graduate and start writing professional software.

There's no excuse for the fact that in order to write good, clean, secure code, our youngsters have to visit websites like secureprogramming.com in order to just get by.

What a disgrace.

Re:I blame colleges

Blaming colleges is a complete copout - if colleges aren't teaching the proper skills, then employers should be rejecting applicants with inadequate skills.

The fact is, most companies couldn't give half a shit about security on a day-to-day basis, and therefore don't really care if people fresh out of college have a clue about secure programming, or even security in general.

The goal of college, in the context of our current society, is to prepare students to get a job - if employers aren't demanding it, then people aren't going to expect it to be part of a college curriculum.

Don't get me wrong, I fully agree it should be a core part of computer education right from the start, but until the technology industry recognizes it as a day-to-day need (other than the 2 weeks after you've been hacked), it won't be considered an important part of the educational process.

Re:I blame colleges

How about a graduate who can tell me the difference between a development environment and a production environment?

Also:

- the importance of taking the time to do something right the first time as much as possible, instead of always the tiresome updates and tweaks.

- what version control software is and how it is essential to team development (hell, you'd be surprised how many senior programmers don't know about it or use it).

- how to take ownership of a task and see it through, not blaming someone else.

- how to keep busy when the current task is blocked. Find another task, stay busy.

- how to use your own head, and not ask questions about every single thing. If I have to give guidance on what colour your label should be, I might as well do the task myself.

- common design patterns and practical applications of them.

- performance optimization techniques, and why developing everything on a quad Xeon with gigabit ethernet is not always a good idea.

- how calling in sick every week is not acceptable in the real world (not at most places, anyway).

- how good organization techniques can save you a lot of time and keep you on target.

- error handling code should be hilighted more. Books always seem to omit error handling, and that's what students learn from. That leads to really buggy code.

the first rule of secure programming club is

use a language that was specifically designed with security in mind
like say, Ada

oh yeah, let the negative moderation begin
because programmer can't stand being held by the hand
too big ego

Schneier's book considered harmful, or passe

Viega's site disses Schneier's book, which everyone else seems to regard as gospel. What's up with that? I like a juicy feud as much as the next guy.

Enhance Linux Operating System with BOSS

IEEE Standards Associate, IEEE Information Assurance, IEEE Computer Society and IEEE Baseline Operating System Specification Working Group (BOSSWG [bosswg.org]) has initiated a call for definitions of a new operating systems intended to securely control nearly all aspect of the operating system (including root).

Kinda sounds like Common Criteria, doesn't it; hopefully better.

Chapter 1

The Secure Programming Cookbook for C and C++, Chapter 1: Find an Alternative to C and C++.

Seriously!

Re:Chapter 1

If only it were that easy! Most of the stuff in the book applies to any language under the sun, but the examples are in C. If the book were just about protecting against buffer overflows, then it would have been 50 pages instead of 800. There's a ton of hands-on material on how to use cryptography correctly in an application. It's still amazing to me that about 90% of the time I see SSL/TLS integrated into an application, it's used in ways that are grossly insecure (e.g., a man-in-the-middle attack is easy). Also, we cover things like how to prevent common input validation problems that happen in any language (e.g., SQL injection).

Do *what* to get your way to the top?

"Now I'm just a lowly IT worker, managing web servers and crawling under desks"

Crawling under desks? I know admin'ing IIS servers is bad enough because of the security problems, but to have to blow your boss to keep your job?

Talk about getting fucked in both ends!

The site is pink.

However, since I already own at least one of your books I'll check it out.

At last!

Finally! A programming website that's SECURE! I am so tired of my favorite programming websites getting hacked all the time.

oh wait...

By the way, I can't believe nobody made that joke yet.

Interepreted languages help, but aren't a cure-all

Buffer overflows are arguably the most common vulnerabilities that occur in the wild, which in turn indicates that most of the network services attacked are being written in C.

Moving to interepreted languages mean that any dodgy user-supplied input will be detected at runtime, and will most likely result in some sort of a traceback (but no exploitable overflow).

This however does not eliminate the remaining classes of vulnerabilities, relating to default configurations (username/passwords), poor encryption mechanisms, Denial of Service attacks (minimised due to most popular interpreted languages having their own garbage collection), and more.

We need more developers to be putting on their black-hats, and looking at their code and wondering "what if I tried this? Could I break this code?".

2 tips from the hood

1. Create your own malloc/free new/delete heap. This heap should always have blocks of 0's interspersed throughout and a 1K walled block of 0's at the end of the heap. Any programming errors may result in garbage, but it won't result in injected code vulnerabilities.

2. No direct DB access technology on your web service front ends. If your web UI code has SQL in it, you're doing something wrong. Your Web GUI should access an intermediate layer, instead. UI is notoriously easy to compromise, and the best way to make SQL injection attacks is to not have SQL directly beneath the button your users are playing with.

Re:2 tips from the hood

While I agree with point 2, I can only say that point 1 is at best misguided nonsense and at worst a troll. If an attacker is able to overrun a buffer by a few bytes, then they are likely able to over-run by more than the 1K for which you've allowed. This technique is likely to give a false sense of confidence in an implementation as well as cause bloat - hence negating at least some of the advantages of the costly decision to implement at a low level permitting pointer arithmetic. There are much better ways to tackle such problems. In many cases C/C++ programmers should take a leaf from Java programmers and avoid pointer arithmetic in mainline code. It is trivial to code an ADT for arrays/strings in C, and C++ programmers should really consider STL containers. Only extremely low level code ever need directly manipulate pointers - and the cost of interacting at this level should be a moral obligation to show, using appropriate techniques such as pre-condition/post-condition inductive proofs, that buffer overruns are not possible.

Variable input == DOS attack hole

The problem is not the language, it's our style of programming.

The whole reason that security issues have proliferated is our stubborn insistence on allowing for variable input. If all input and systems had hard wired capacities, then, there could be no denial of service attacks as program behavior would be bounded.

Even C# and Java have DOS issues becuase of their unbounded nature. A program that reads an input stream and stuffs a link lists will be just as supsectible to denial of service attacks as any others.

Some of us remember gravitating over to C from the old Pascal and FORTRAN and BASIC because of C's penchant for creating dynamic data structures. AS I look back on that era, I wonder if we didn't make something of a mistake.

I wonder if we might borrow some of the practices from that ancient era, and use dynamic allocation as the exception, rather than rule. Programs should have fixed numbers of objects. Programs should have fixed input sizes and maximum capacities. String fields should always have a maximum, fixed, size.

I should note that if we do have less variable length allocations, then, we less likely need programming languages that make variable length easy. A more conservative, almost retro programming technique could make for faster, more secure programming.

Strict mode for C++

I once wrote Strict mode for C++ [animats.com], to address this issue. After much struggling, I concluded that backwards compatibility was tough enough that it wouldn't be accepted. With the recent hightened interest in security, it may be time to look at this again. (I'd make some changes to the syntax proposed there, though.)

The basic idea is that everything is reference counted and subscript checked, but by doing some static analysis and type enforcement, most of the overhead for that is eliminated at compile time.

About 95% of subscript checks can be optimized out without too much effort. An optimizing compiler that can hoist expressions out of loops and strength-reduce them can move most subscript checks out of inner loops. Reference counts require more language support, but they, too, can be optimized.

As for pointer arithmetic, the solution is to use iterators, which are checkable, instead of pointers, which are not. Then optimize out the checks, as with subscript checks.

I proposed that there be a way to designate C++ code as "strict", turning on the enforcement. Privileged programs should be 100% strict; others need not be.

This is unlikely to happen, but it is technically possible.

My definition of "Secure Programming"...

... is any programming job that can't be exported to India!

Vision of security isnt as bad as ./ make it

Been in the security game for 10 years...

From all these posts, it seems that all programmers don't have a clue about programming in a secure manner. I disagree, its just that times have changed.

Surely, a few years ago this was the case. But certainly not as bad as now. Most PHB worth their weight usually know the security buzz words associated with an implementation are. If they don't give support to the developers to create a secure solution, they arent just lacking in security skills - they are lacking in overall management skills and an understanding of IT. Security has to be part of the overall process when in development, PHB's must invest *training* for programmers and develop standards to follow.

Previous posters saying that it should be manditory for all post grads to have indepth security skills is down right short sighted. Security is a bottomless pit with many variables, a general subject can be taught. However, security can't stem strictly by programming practices. It is a collection of standards from all types, from the network, operating system to the application level. Not to mention the usual deal of people, process and technology.

I've lost count of how many pen tests I've completed where the application design was rock solid, however they had a bad password on their admin portal.

Nuff said....

/. effect1

no matter how good their secure coding is, they're no match for the ultimate overflow: the slashdot effect!

Small error in the site

I think I have spotted a small error in your otherwise excellent site.
I checked out the HTML source and the problem seems to be in the spc.css file.
There are several references to the value #BD3D89 and on the monitors I have here that value appears as a bright pink colour.

Just thought I'd let you know.

Here's the full text

Just in case the site gets slashdotted, here's a cut-n-paste of the home page. Whew, glad I was able to get in to get this:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, mmessier@secureprogramming.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Apache/1.3.28 Server at www.secureprogramming.com Port 80

The word "Security" is too big

"Security" is too big of a word. There is a difference between

1. a program enforcing a division of data,
2. ensuring a program doesn't let any bits slip through the cracks, and
3. creating a system where people can do only the things they are allowed to do.

"Security" to me is (3). Security is a social construct. You can't have security until there is someone who's not allowed access to something.

I see a lot of talk about cryptography, preventing buffer overflows, and so forth. But the combining of these technologies in the design of a real-world security application is seldom discussed. It's a hard messy problem.

I suspect if we had a better understanding of the social aspects of security, more secure technology would follow.

Feedback

This site needs some way of posting comments or feedback. For example, I have issues with at least two of the recipes listed so far. Secure programming sites and recipes are no use if they aren't subject to peer review.

wrong assumptions abound

Guys check the 9/15 th post

Not only does the author disspove his own conclusion..in fact switching to java does accidently make a program more secure ..why do you think MS switched to state machienes in MS .NET..its ecure, duh!

But other wrong assumptions abound..

Be very carefull of reading the book the author has written if its ful of the same assumptions..you might get burned..

Wow...

Looks like I found the first site to visit in the morning in order to wake me up...jesus...is it safe to open my eyes yet?

Articles like this don't make me want to use C/C++

When I read articles in which they explain hundreds of coding techniques to make code secure, I really don't want to get involved with such languages. I am not a very good coder and for this reason, my favorite languages are Lisp, Python and O'Caml, all three languages have garbage collectors which frees me from a lot of work that has nothing to do with the task at hand. I know that I can't (and don't want to) deal with memory problems, so I use modern languages which think the programmer's time is more important than the computer's. Seriously, let's say I write an application to manage a little local computer store, why should I use C and potentially ship a lot of memory-related bugs with my app when I can use something like Lisp or Python or O'Caml which all are stable, complete and powerful languages in which that task would be easy and would result in a better application?

Security should be part of the design

Last few places I worked at didn't care about security. They thought it only slowed down production and they wanted us to write code as fast as possible. I wasn't fast enough, so I got let go.

I tried to get into that website on security programming, and it said my user name already existed. How many Orion_Blastar accounts are there in the world, or is it a spoofer? So then I thought maybe I joined before and forgot about it, so I went to "Forgot Password" and got an error screen when I submitted it. Secure but buggy.

Microsoft book

How does this book compare to the Microsoft book [amazon.com] on writing secure code? MS jokes aside, this would be helpful in deciding which to puchase.

typing "security" in MicroSoft Word

returns
"Dictionary_exception_error: word not found" :-)

Microsoft'

A great article on threat modeling by Microsoft's software security guru.

SafeStr library

Funny, I had pretty much the same idea... I use my own C library (which is called "secureStrings") for my programs for some time now (about one year), because it has always been my opinion, that things like strcpy() and strcat should become forbidden ;-). SecureStrings works on Unix, VMS and OS/400; i didn't try, but it probably also works on NT...

C or C++ is probably great, for writing very special code, such as kernel modules to support new hardware, or scientific software and such.
However, I think there should be a more secure programming language than C for commercial and for networking software.

Implementing things like a webserver, a data warehouse, accounting software, etc. in C/C++ can be extremly dangerous, and experience shows, that most programmers just can't do it the right way with C/C++.

On Mainframes and AS/400s most commercial applications are written in COBOL, and this is probably one of many reasons, why these systems usually don't get hacked.

However, COBOL is somehow unhandy (unconventional syntax)

On Unix you can hardly get something else than a C/C++- or a Java-compiler; there should be an Ada- or a Pascal-Compiler available for every Unix derivate.

SafeStr is a totally broken API.

SafeStr is one of the technologies these guys have pointed out on their front page. Its just a string library with a number of interesting safety features. However, the fundamental architecture is completely broken:

1. Since the library automatically resizes its strings including the base pointer, that means if you have multiple refs of a string, then manipulations of one of them may leave others in an undefined state. For example:

safestr_t t;
/* ... */
s.name = t;
safestr_append (t, SAFESTR_TEMP ("tail."));
/* Now, while t is well defined, s.name
may or may not be well defined. */

2. The use of SAFESTR_TEMP() (a string that automatically disappears after being passed to any safestr function) is clever but necessarily prevents any of the SafeStr functions from accepting const parameters. This has an additional problem that if you write a function which accepts a safestr_t, then if you pass it to
one safestr function its reference might become undefined (you can't know.) For example:

int c3 (safestr_t s, safestr_t t, safestr_t u) {
safestr_append (s, t); /* s might now be undefined */
safestr_append (s, u);
return strlen (s);
}

********

If you want to use an actually usefully architected string library try mine here:

http://bstring.sf.net/

In a direct comparison with safeStr, it should be pointed out that bstrlib doesn't have any concept of a "tainted" string. However, it does support read-only strings. bstrlib does not have any of the basic architectural weaknesses described above. It also has numerous other important features which are summarized here:

http://bstring.sf.net/features.html

Re:Speed issues aside

Lesson #1: All Java programs are automatically secure.

See, that's why I keep coming to Slashdot. You learn something new every day. :)

Re:Speed issues aside

No buffer overflows

Without throwing an exception and crashing the program.

No dereferencing of null pointers

Without crashing the program (java.lang.NullPointerException).

No object creation failures (all "new"s succeed)

Without crashing the program -- usually as spectacuarly as a C program since an out-of-memory condition will make Bad Things happen with the VM or JIT as well.

Sounds like a great candidate for writing an OS kernel in. Microsoft are you listening?

Re:Speed issues aside

Lesson #2: No matter how obvious it is that you're trying to be funny, someone will mistake your comment for totally serious and sincere (or, in this case, totally sincere in sarcasm). Which leads to...

Lesson #3: Don't try and be funny. You'll just end up having to explain it, and--as the Heisenberg Principle attests--an explained joke ceases to be funny.

Seeing how the parent didn't specify which security issues were fixed by switching from C/C++ to Java, and the website is devoted to "secure programming" without regard for language, the parent gives the impression that switching to Java automatically renders an application completely secure.

Despite Java's safer memory usage, an application is still open to a wide variety of attacks. Such grandiose security claims about managed languages are worthless (except for the schmucks trying to get a contract to rewrite a critical application in Java or C#).

See? See how not-funny you made me?

Re:Speed issues aside

Might Java or C# have their own security issues, where if the right set of things occur bad things could happen?

I'd rather use a language which doesn't give a false sense of security, a language which everyone obviously (well, we hope they do, but, true, not always the case) knows you have to do checks and specify how much space you really have (and so forth).

The really is no excuse to use a language like Java or C# to do your checking when you can do it yourself. Except of course, laziness >:P

Re:Speed issues aside

The really is no excuse to use a language like Java or C# to do your checking when you can do it yourself.

That is the most ridiculous argument ever. It is tantamount to embracing only the most basic building blocks of anything and claiming that any automation or pre-made combination of those blocks as wrong.

No, it is you who is wrong. Why do you use a computer instead of an abacus? Why do you use paper when you could carve notes into stone? Things progress, things get better, and things that once were boilerplate (like manual safety checking) are taken care of so you don't have to do any of the boilerplate stuff anymore.

Embrace the better technology. Don't cling to the past or you will be left behind.

Re:Speed issues aside

did anyone actualy ever use algol? when you look at it, Algol was just a development lab for features of modern programming.

Not just speed

It's more than just speed issues. Interpreted languages have better runtime checking and thus can avoid things like buffer overruns, yes. That's great for a lot of things, don't get me wrong. For backend programs, Java is an absolutely brilliant language, as it encourages some much better object-oriented design philosophies. Even Objective C handles some runtime checking far better than C or C++, though as it is a set of extensions to C it suffers from the same weaknesses in C code.

But what is the JVM written in? I guarantee you it isn't Java. :) Last I checked, the original Java Virtual Machine was written in C...after all, you can't run Java bytecode without something to interpret it. Similarly, I bet you most Just-in-Time Java compiler/interpreters are also written in C or C++. Even the programs which take Java code and turn it into a binary executable likely are linking it against a library which was written in C or C++.

Similarly, at my old job, I had to write low-level drivers for PCI hardware we were developing. Did I get to write these drivers in Java or C#? Of course not... you can't write low-level hardware calls such as Windows VXD files in an interpreted language; it'd really kill the performance of a system.

Just for a moment try to imagine someone writing, say, a new video driver for the Linux kernel in Python, or rewriting XFree86 in Java.

Ow. :)

Moreover, while Java makes it a great deal harder to, say, create a remote root exploit through a buffer overrun, it does not automatically fix problems of, say, cryptographic strength. Creating an encryption algorithm for some vital data which can be easily broken is as much a security hole and a flaw as a buffer overrun.

So while you're correct in some places -- Java and Python and C# and other interpreted languages that can do more stringent runtime checking of things really /do/ solve some problems which traditional lower-level languages are more vulnerable too -- modern interpreted are not a panacea for all programming ills. They aren't suitable for all types of programming, and even for the ones they are well-suited for, they don't automatically solve all security issues.

In general, the lower-level the language, the more easily you can mess it up; ASM is even easier to fry things in than C or C++. It becomes a tradeoff, with the lower-level languages giving you progressively greater efficiency and the ability to access things 'down on the metal', with higher level languages -- while slower and more abstracted -- able to shield you from more mistakes, and more portable between situations.

Each has their place. I wouldn't want to write a web-client that ran database queries in ASM, but Java works great. Conversely, I wouldn't want to write a driver for an AGP graphics card in Python, but ASM or C works pretty well right there. ;)

Re:Speed issues aside

This isn't true whatsoever. Only the most glaring issues are fixed. Currently, we're working on a Java Secure Programming Cookbook, and we'll get around to C# after that.

We do a lot of code auditing, and find about 4-5 serious security problems per thousand lines of code of C and C++ code. In languages like Java, we still usually find 1 or 2 such problems.

Re: Not just speed

okay, okay just ready what i'd put and before anyone else corrects me *I made a grammar mistake on the first sentence of the second paragraph*

Re:Speed issues aside

the programmer in question is too lazy to learn newer and better ways to program.

Lazy?

It's far easier to program in Java, but you never know what's happening in the interpreter.

At least with C/C++ you are talking directly to the machine, and it's your fault if it screws up.

What if you're really lazy, and rely on a JVM that you have no control over to provide your safety blanket?

Noone uses assembley any more (except for kudos purposes), but the closer you are to the hardware, the more care you have to take to make things right - interpreted languages make people lazy, and that must be a bad thing.

Re:Speed issues aside

> These security problems are fixed by switching to a modern language

Agreed...

> like Java or C#

These are *not* really modern languages... they are too much of procedural kludges to do OO, their runtimes are too big and they are too complex. They end up creating many problems.

If you want good languages, not just popular ones, go functional (Lisp, ML or their dialects) or pure OO like Smalltalk.

COBOL BABY!!!!

I wanna be just like dust puppy and code Erwin in COBOL!! [userfriendly.org]

--

Re:Lesson #1: Don't use C or C++ for Secure Progra

To start, the parent comment should be modded back up. The parent poster isn't a troll; (s)he just has strong opinions.

Onto the post ...

• 
  

  Geez, how hard can this be? C and C++ are the only two major languages
  on the market nowadays which allow array overflows, pointer dereferencing
  into code, free creation of unsafe code, and other fun stupidities. As such,
  they are easily the WORST LANGUAGES on the market for secure
  programming.

  
  

This is a common programming fallacy. It's not the programming language that makes it easier to create a secure program; it's the programmer with a thorough understanding of security that makes the (infinitely approaching) secure program.

• 
  

  Sure, people will say oh, yeah, but you can be insecure in any
  language. These people should have their CS degrees revoked.

  
  

They're right (and if you had your way, I'd have my piddly degree revoked in a few seconds :P)!

There are dozens of popular programs written in C/C++ in which security holes haven't been found, programs that are written carefully and thoroughly debugged by programmers that understand security. Programming languages like Python, Ruby, LISP, [... ad nauseum] make it easier to avoid common pitfalls (i.e. buffer overflows), but there are plenty of security holes that can be introduced into programs written in those languages.

Don't get me wrong. I'm a Python zealot, I like Ruby, and I think Modula-3 has (had?) the potential to be one of the best systems programming languages available (if not for the lack of tools associated with Modula-3). However, that doesn't change the fact that there are great C/C++ programmers out there that will write less buggy code in their lifetimes than many Python/Java/Ruby/[insert your favorite language of convenience] programmers that don't know the first thing about computer security.

I could apply your logic to language interpreters/compilers for some of the languages you mentioned (i.e. Java, Python, Ruby, etc.). Is the Python interpreter less secure than a Python program because the interpreter was written in C? If the interpreter is insecure, then what does that say about Python programs when they're being interpreted by the interpreter? A program is secure if it's behavior is predictable, given a certain set of actions.