Secure Programming

viega writes "Matt Messier and I have just launched a secure programming web site. While this site does support our new book The Secure Programming Cookbook for C and C++ , it also serves as a thorough resource for developers. It has numerous links to articles and other topical resources, new recipes that demonstrate secure programming techniques a large glossary and the obligatory web log. We accept outside submissions, and will reward the best recipe submission each month-- O'Reilly will publish it on the O'Reilly Network web site and will give the author a free book. There's already a decent amount of new content, including recipes on avoiding malloc()/new-related integer overflows, watching out for security problems in API differences and issues when truncating data. There's also an RSS feed for the web log."

Run-on sentence time

[mao che minh]

Ten bucks says that this endeavor will go widely unnoticed by 90% of developers. Now I'm just a lowly IT worker, managing web servers and crawling under desks, but I do know that 95% of the developers in corporate America do not read Slashdot, and 95% of the ones that do are so intimately involved with Microsoft or Microsoft dependant technologies that this book/article/section/endeavor won't mean a damn. And before the trolls bark: YES, Microsoft = less security in development. Not by design - hardly - but rather because if a developer is working on a project that is Microsoft centric from the ground up, he/she is likely working on a time table set by some PHB a hundred miles away, and has been working on such projects for years, and has long since given up on making good, secure code, and rather coding whatever keeps his/her salary.

Once you have worked 50 hours a week in a corporate setting for 5 years as a developer (2 years) and a run-of-the-mill network/system/any-god-damn-thing-they-can-get-you -to administer(4 years, you will understand.

Re:Run-on sentence time

[Dark Coder]

Pay up.

With not quite a million slashdot anonymous cowards, that Bureau of Labor Statistic [bls.gov] makes for more than all the software developers, I&T guys, database report wizards and embedded software engineers by twice here in U.S of A (not to mention outside world).

Yes, you may be a lowly I&T worker; but you probably should not be worthy of posting ludicrous assumptions at Slashdot.

And Ah, 95% of slashdot readers are Microsoft involved? Mmmmm. I put money down that this is closer to 85% or less th

Re:Run-on sentence time

[tuomoks]

Unfortynately - you are correct, period ! Just dont blame MS too much - they are bad but... As an example we do develope for public safety and have absolytely no guidlines or methods for safe software. Our management thinks that application level encryption is enough and safe - go figure. Makes me wonder - after 30 years in network security.. have a nice day.

Re:Run-on sentence time

[JaredOfEuropa]

Ten bucks says that this endeavor will go widely unnoticed by 90% of developers.

Sadly, you may be right.

95% of the ones that do are so intimately involved with Microsoft or Microsoft dependant technologies that this book/article/section/endeavor won't mean a damn.

What?! It is precisely because of the flaws of most modern operating systems that do not protect you from sloppy programming, that programmers need to be aware of secure programming methods. It's not just Windows either; Unix/Linux does not protect a programmer from, say, buffer overruns either. All programmers need to be aware of such flaws, and work around them.

Programming securely does not have to cost you a lot of time either. Take the SafeStr library mentioned on the website for instance... a string library that can be used as replacement for the standard C string functions, a notorious source of buffer overruns and bugs. Using this library instead of the standard functions will cost little or no extra time.

Programming securely is just like other good programming practices. Generally they do not cost extra time, they save time. It does take time to learn these practices, and that's where the responsibility of each programmer comes in. Take the time to learn good programming practices and get used to them, stay abreast of new developments, and above all train and encourage your junior team members to use these methods as well.

The team that fails to adhere to good programming practices will turn out unstable and insecure software. Where do you think the bugs in Microsoft products come from? Tight timelines? Perhaps... but a great many of the bugs I come across are generally the result of a sloppy programmer, tight deadlines or no.

Good idea

[ljavelin]

It's a good idea to have resources that are committed to security. Although some will claim that languages such as Java or C# prevent security issues, this is simply not true - there are many avenues to building security weaknesses... and those that think they're safe merely by using a particular programming language are in for a nasty surprise.

Of course, a web site and a few books won't prevent security issues - but the more it gets the word out about good programming practices, the better!

---
Herb Chambers - where my nightmare came true!

Re:Good idea

[Monkey Badass]

Of course, a web site and a few books won't prevent security issues - but the more it gets the word out about good programming practices, the better!

I agree. Cookie-cutter methods don't teach good secure coding practices. What we really need are more books that discuss how to address security throughout the life of software, beginning at its design. It's kind of sad that even after years of acknowledging this need, there are still only a handful of such books available. This kind of knowledge also would

Re:Good idea

[viega]

There are several books out there that try to teach secure programming by relating it to good software engineering principles. The problem is, you can say things like "use encryption" all you want, but if you don't get far more concrete than that, people are going to get it wrong over and over again.

If you look at the book, while there are indeed plenty of pieces of code people can just use, we thoroughly discuss design and implementation issues for each of the examples we give. That is, we're covering

Yet languages make a big difference

[Tom7]

> and those that think they're safe merely by using a particular programming language are in for a nasty surprise.

That's true, of course, but nonetheless languages make a huge difference.

In applications, buffer overflows, along with (recently) integer overflows, double-free bugs, and printf formatting bugs, are the most common source of exploitable holes by far. (Case in point: the MySQL buffer overflow currently on slashdot's main page, the several recent RPC vulnerabilities in XP, the recent OpenBSD

Re:Good idea

[Frymaster]

// Try hacking THIS, suckas!

ah, you think it's funny - but it's true! the more a program does, the greater its potential for security flaws. thus, frymaster's first rule of secure programming: "your program shall do no more than what is absolutely required by the spec-n-rec[1]".

1. you got a spec-n-rec from the client? lucky you!

Warding off the inevitable "switch to Java" commen

[sco08y]

If you RTFA, or even just GATFA (glance at) you'll notice that the book has info on:

Random numbers

Input validation

Cryptography (e.g. ssh)

Buffer overruns are just one kind of problem you need to deal with when writing secure code. There are also DOS attacks and information theft. Even with Java, it can be quite challenging to ensure that data is properly encrypted and authenticated, and you still need to worry about permissions in the file system.

And let's not even dredge up the standard "why can't you just rewrite 100s of 1000s of lines of working C++ code in Java?" inanity.

Re:Warding off the inevitable "switch to Java" com

[dmiller]

Tune in to Bugtraq some time to see a never-ending stream of web-app vulnerabilities. Most of these applications are not written in C.

Moral of the story: stupid programmers will be stupid in whatever language you give them.

actual snippet

[gfody]

while(true)
{
try
{
...
}
catch()
{
//try again
}
}

Re:actual snippet

[dmiller]

In that spirit, my favourite was:

while ((var = malloc(sizeof(*var))) == NULL)
; /* Avoid allocation failures */

Re:Warding off the inevitable "switch to Java" com

[Admiral Burrito]

Buffer overruns are just one kind of problem you need to deal with when writing secure code.

Buffer overruns are one of the problems you don't need to deal with when writing secure code because modern languages (not C/C++) can detect that condition for you, leaving you to concentrate on the real bugs.

So much for "warding off". :p

Re:Warding off the inevitable "switch to Java" com

[dmelomed]

Half-truths. Both C and C++ can support strings without buffer overflows through nice string libraries. It's just people don't use them as often as they should. Standard C library is a piece of crap as far as strings and type safety are concerned, not the whole language.

I'd love to read the site, but ...

[russh347]

I won't given the color scheme.

Secure programming FAQ

[SystematicPsycho]

Or for a quick and free guide, you can download the secure programming faq from one of the oldest websites on the internet-
Securing Programming FAQ [mit.edu]
--

Re:Secure programming FAQ

[viega]

This is not a very good (modern) guide. There are plenty of better guides (still free) to which we link on the web site, such as David Wheeler's HOWTO [dwheeler.com]. The book is more about giving actual code examples on how to do things properly. And, oddly enough, all the code is also available for free on the web site.

I blame colleges

[Amsterdam Vallon]

These degrees are handed out like toilet paper these days.

Let's teach future American programmers proper security before they graduate and start writing professional software.

There's no excuse for the fact that in order to write good, clean, secure code, our youngsters have to visit websites like secureprogramming.com in order to just get by.

What a disgrace.

Re:I blame colleges

[metallicagoaltender]

Blaming colleges is a complete copout - if colleges aren't teaching the proper skills, then employers should be rejecting applicants with inadequate skills.

The fact is, most companies couldn't give half a shit about security on a day-to-day basis, and therefore don't really care if people fresh out of college have a clue about secure programming, or even security in general.

The goal of college, in the context of our current society, is to prepare students to get a job - if employers aren't demanding it, then people aren't going to expect it to be part of a college curriculum.

Don't get me wrong, I fully agree it should be a core part of computer education right from the start, but until the technology industry recognizes it as a day-to-day need (other than the 2 weeks after you've been hacked), it won't be considered an important part of the educational process.

I blame porridge

[segment]

Blaming colleges is a complete copout - if colleges aren't teaching the proper skills, then employers should be rejecting applicants with inadequate skills.

Agreed. Most of the companies I've been at of course hire college grads I mean who wouldn't, but most of the time it's those of us without degrees who've actually DTFW (done the fscking work) who end up making the big bucks even if it's only temporarily. This is not to say that a college grad isn't skilled hell most would probably clean the floor with

Re:I blame colleges

[Ichijo]

The goal of college, in the context of our current society, is to prepare students to get a job - if employers aren't demanding it, then people aren't going to expect it to be part of a college curriculum.

I see this as a chicken-and-egg problem. Employers don't understand the importance of secure programming because it isn't taught in college. The only other way to learn is by experience, but that's the hard way.

There's really no excuse for teaching poor programming skills (or not teaching good progra

Re:I blame colleges

[Billly Gates]

Does the industry want CS graduates who can only write hello world programs to be programmers?

Maybe that may be a slight exaguaration. But they learn mathmatics and physics, english, history or other humanities, and maybe 2 or 3 courses with real programming while the rest is theory and calculus.

The industry response was well lets look at India. These students there only focus on programming and not going to school and work for a 1/4th of the price!

Re:I blame colleges

[siddhartha03]

Why is the goal of college to prepare students for job? That sounds more like a trade school. College should be for the pursuit of academics.

Re:I blame colleges

[m00nun1t]

As someone who occassionally hires college graduates, they have a LOT more to fix before teaching people secure programming (although that would be great!). How about a graduate who can tell me the difference between a development environment and a production environment? Or is even aware of the concept of a production environment? What they teach in University seems to have such limited applicability in the real world as to be almost useless. I hate hiring graduates, complete pain in the rear for the first

Re:I blame colleges

[whereiswaldo]

How about a graduate who can tell me the difference between a development environment and a production environment?

Also:

- the importance of taking the time to do something right the first time as much as possible, instead of always the tiresome updates and tweaks.

- what version control software is and how it is essential to team development (hell, you'd be surprised how many senior programmers don't know about it or use it).

- how to take ownership of a task and see it through, not blaming someone else.

- how to keep busy when the current task is blocked. Find another task, stay busy.

- how to use your own head, and not ask questions about every single thing. If I have to give guidance on what colour your label should be, I might as well do the task myself.

- common design patterns and practical applications of them.

- performance optimization techniques, and why developing everything on a quad Xeon with gigabit ethernet is not always a good idea.

- how calling in sick every week is not acceptable in the real world (not at most places, anyway).

- how good organization techniques can save you a lot of time and keep you on target.

- error handling code should be hilighted more. Books always seem to omit error handling, and that's what students learn from. That leads to really buggy code.

Re:I blame colleges

[mse61]

Speaking as a current CS student at a "major" university in the Midwest, I can honestly say that there is a HUGE lack of good programming practices taught. From the beginning you are taught to write code that is potentially buggy at best. I believe that it stems from the fact that a majority of people who are entering CS programs had little interaction with coding before their studies begin. It takes nearly 3 semesters of studies before the student is capable of writing correct, basic C++ code. By that

Re:I blame colleges

[sigwinch]

These degrees are handed out like toilet paper these days.

Dude, that wasn't a university you spent four years in, it was a men's room. Oh, and that "Dean's Honor Roll" wasn't an award.

Re:I blame colleges

[WhaDaYaKnow]

Let's teach future American programmers proper security before they graduate and start writing professional software.

Hmmm. You mean that:
Problem
Integer overflows can lead to allocating too little memory, which can often result in an exploitable buffer overflow.

Solution
Before each memory allocation, be sure to check the size you're allocating, to make sure it really is big enough to do what you need.

Should make you respond with 'Well, DUH!', before you get on the job?

I've no idea what 'to be' prog

Re:I blame colleges

[viega]

The solution may be obvious once you understand the problem, but the problem itself is incredibly non-obvious to most people who just go about allocating memory happily without ever thinking too deeply about the implications. Most developers are far more worried about getting the feature of the day working to "waste" a lot of cognitive effort on such things.

the first rule of secure programming club is

[Anonymous Coward]

use a language that was specifically designed with security in mind
like say, Ada

oh yeah, let the negative moderation begin
because programmer can't stand being held by the hand
too big ego

Re:the first rule of secure programming club is

[Malcontent]

really why not?

Why is C or C++ some sort of a sacred cow. MS is throwing C away and going with C# why isn't the rest of the world throwing C away and going with Java or Python, or Eiffel or Lisp or whatever.

Write in python and then rewrite the critical sections in C if you must. You'll still be more productive in the long run.

Re:the first rule of secure programming club is

[WasterDave]

Microsoft are not throwing C away. Get a grip. They are, however, marginalising it ... which is fine. Thrown away is VB. And that pseudo-Java abomination. Good riddance to them both.

Dave

It's About Time

[Lucas Membrane]

There have been architectures (eg Burroughs etc) that had most exploits designed out back when diskette rhymed with biscuit. Good languages (e.g. Ada and Modula) go way back.

Right now, the most interesting of these better languages looks to be Cyclone (from Cornell) which has some chance of success because it is based on C. Certainly(?), next genration versions of C and C++ ought to prevent such problems unless the programmer explicitly permits them.

And the second rule of secure programming club is

[devphil]

Quoting Bjarne Stroustrup when some moron tried to flame him for C++'s perceived lack of security, "I assume that a sufficiently skilled [cracker] will be able to do anything not explicitly forbidden by the hardware." (Emphasis mine.)

So, the second rule is, recognize that most "levels of protection" and "access controls" in programming languages are there to help realize a clean design and facilitate debugging. NOT to enforce some kind of real-world security.

The other rules

[devphil]

Just because I watched the movie the other night and can therefore quote entire reams from memory:

• The 3rd rule of secure programming club is: some process yells SIGABRT, goes Z-state, taps out, the program is over.
• 4th rule, only one major process to a sandbox.
• 5th rule, only two sandboxes to a machine, fellas.
• 6th rule, no telnetd, no ftpd.
• 7th rule: debug sessions go on for as long as they have to.
• And the 8th and final rule, if this is your first night at secure programming club, you will be 0wn3d.

Schneier's book considered harmful, or passe

[Anonymous Coward]

Viega's site disses Schneier's book, which everyone else seems to regard as gospel. What's up with that? I like a juicy feud as much as the next guy.

Re:Schneier's book considered harmful, or passe

[An Onerous Coward]

In "Secrets and Lies," Schneider admitted that back when he wrote AP, he had too high of hopes for secure systems, and that his enthusiasm rubbed off on too many. Now people seem to think that you can just sprinkle an application with "encryption," and make it ironclad.

Now his attitude is closer to "no system can ever be made secure, and that goes quadruple for systems which rely on the security practices of users." So Schneider himself isn't totally happy with AP.

Enhance Linux Operating System with BOSS

[Dark Coder]

IEEE Standards Associate, IEEE Information Assurance, IEEE Computer Society and IEEE Baseline Operating System Specification Working Group (BOSSWG [bosswg.org]) has initiated a call for definitions of a new operating systems intended to securely control nearly all aspect of the operating system (including root).

Kinda sounds like Common Criteria, doesn't it; hopefully better.

Chapter 1

[Troll_Kamikaze]

The Secure Programming Cookbook for C and C++, Chapter 1: Find an Alternative to C and C++.

Seriously!

Re:Chapter 1

[viega]

If only it were that easy! Most of the stuff in the book applies to any language under the sun, but the examples are in C. If the book were just about protecting against buffer overflows, then it would have been 50 pages instead of 800. There's a ton of hands-on material on how to use cryptography correctly in an application. It's still amazing to me that about 90% of the time I see SSL/TLS integrated into an application, it's used in ways that are grossly insecure (e.g., a man-in-the-middle attack is easy). Also, we cover things like how to prevent common input validation problems that happen in any language (e.g., SQL injection).

Do *what* to get your way to the top?

[Anonymous Coward]

"Now I'm just a lowly IT worker, managing web servers and crawling under desks"

Crawling under desks? I know admin'ing IIS servers is bad enough because of the security problems, but to have to blow your boss to keep your job?

Talk about getting fucked in both ends!

The site is pink.

[dtfinch]

However, since I already own at least one of your books I'll check it out.

Re:The site is pink.

[viega]

Even worse, my name is on a book that is pink. That's the reason for the current site color, BTW. Plus, I suppose we like torturing people at the same time we're trying to help them.

Interepreted languages help, but aren't a cure-all

[harikiri]

Buffer overflows are arguably the most common vulnerabilities that occur in the wild, which in turn indicates that most of the network services attacked are being written in C.

Moving to interepreted languages mean that any dodgy user-supplied input will be detected at runtime, and will most likely result in some sort of a traceback (but no exploitable overflow).

This however does not eliminate the remaining classes of vulnerabilities, relating to default configurations (username/passwords), poor encryption mechanisms, Denial of Service attacks (minimised due to most popular interpreted languages having their own garbage collection), and more.

We need more developers to be putting on their black-hats, and looking at their code and wondering "what if I tried this? Could I break this code?".

2 tips from the hood

[Anonymous Coward]

1. Create your own malloc/free new/delete heap. This heap should always have blocks of 0's interspersed throughout and a 1K walled block of 0's at the end of the heap. Any programming errors may result in garbage, but it won't result in injected code vulnerabilities.

2. No direct DB access technology on your web service front ends. If your web UI code has SQL in it, you're doing something wrong. Your Web GUI should access an intermediate layer, instead. UI is notoriously easy to compromise, and the best way to make SQL injection attacks is to not have SQL directly beneath the button your users are playing with.

Re:2 tips from the hood

[shic]

While I agree with point 2, I can only say that point 1 is at best misguided nonsense and at worst a troll. If an attacker is able to overrun a buffer by a few bytes, then they are likely able to over-run by more than the 1K for which you've allowed. This technique is likely to give a false sense of confidence in an implementation as well as cause bloat - hence negating at least some of the advantages of the costly decision to implement at a low level permitting pointer arithmetic. There are much better ways to tackle such problems. In many cases C/C++ programmers should take a leaf from Java programmers and avoid pointer arithmetic in mainline code. It is trivial to code an ADT for arrays/strings in C, and C++ programmers should really consider STL containers. Only extremely low level code ever need directly manipulate pointers - and the cost of interacting at this level should be a moral obligation to show, using appropriate techniques such as pre-condition/post-condition inductive proofs, that buffer overruns are not possible.

Re:2 tips from the hood

[plierhead]

Point 2 is bollocks as well.

No SQL in your UI code? Sure, good move. Instead, move all your SQL into a back end and then call into it from your UI code. This goes as follows:

1. You explain to your boss why all SQL should be done at the back end
2. Your boss asks you whether it is really worth it to write six time as much code as one would imagine would berequired, just for security
3. You say yes, trust me
4. Someone breaks in anyway, because your lame middleware layer allows intrusion through it, and the intruder

Re:2 tips from the hood

[shic]

I see where you are coming from, however I felt more forgiving about the second point - maybe because the recommendation was more vague. The original poster (grammar aside) suggested that SQL generation should be separated from UI interaction - and this is, IMHO, usually a very good idea. No-one suggested "all SQL should be done at the back end;" Only you seem to think that six times the volume of code would necessarily be required for such a separation; only you suggest that a boss would disagree - and I

Variable input == DOS attack hole

[tjstork]

The problem is not the language, it's our style of programming.

The whole reason that security issues have proliferated is our stubborn insistence on allowing for variable input. If all input and systems had hard wired capacities, then, there could be no denial of service attacks as program behavior would be bounded.

Even C# and Java have DOS issues becuase of their unbounded nature. A program that reads an input stream and stuffs a link lists will be just as supsectible to denial of service attacks as any others.

Some of us remember gravitating over to C from the old Pascal and FORTRAN and BASIC because of C's penchant for creating dynamic data structures. AS I look back on that era, I wonder if we didn't make something of a mistake.

I wonder if we might borrow some of the practices from that ancient era, and use dynamic allocation as the exception, rather than rule. Programs should have fixed numbers of objects. Programs should have fixed input sizes and maximum capacities. String fields should always have a maximum, fixed, size.

I should note that if we do have less variable length allocations, then, we less likely need programming languages that make variable length easy. A more conservative, almost retro programming technique could make for faster, more secure programming.

Re:Variable input == DOS attack hole

[Malcontent]

"I wonder if we might borrow some of the practices from that ancient era, and use dynamic allocation as the exception, rather than rule. Programs should have fixed numbers of objects. Programs should have fixed input sizes and maximum capacities. String fields should always have a maximum, fixed, size."

You know what really bug me? Almost all languages have assertions and yet almost nobody uses them. If you are dealing with dynamic elements you should have pre and post conditions as assertions.

Re:Variable input == DOS attack hole

[miu]

I should note that if we do have less variable length allocations, then, we less likely need programming languages that make variable length easy. A more conservative, almost retro programming technique could make for faster, more secure programming.

This is my prefered method of programming - the problem lies in convincing users to accept arbitrary restrictions.

The next best thing is to wrap all dynamic allocations in protected functions with paranoid checks built right in. Asserts are not enough, t

Strict mode for C++

[Animats]

I once wrote Strict mode for C++ [animats.com], to address this issue. After much struggling, I concluded that backwards compatibility was tough enough that it wouldn't be accepted. With the recent hightened interest in security, it may be time to look at this again. (I'd make some changes to the syntax proposed there, though.)

The basic idea is that everything is reference counted and subscript checked, but by doing some static analysis and type enforcement, most of the overhead for that is eliminated at compile time.

About 95% of subscript checks can be optimized out without too much effort. An optimizing compiler that can hoist expressions out of loops and strength-reduce them can move most subscript checks out of inner loops. Reference counts require more language support, but they, too, can be optimized.

As for pointer arithmetic, the solution is to use iterators, which are checkable, instead of pointers, which are not. Then optimize out the checks, as with subscript checks.

I proposed that there be a way to designate C++ code as "strict", turning on the enforcement. Privileged programs should be 100% strict; others need not be.

This is unlikely to happen, but it is technically possible.

My definition of "Secure Programming"...

[solarrhino]

... is any programming job that can't be exported to India!

Vision of security isnt as bad as ./ make it

[nighty5]

Been in the security game for 10 years...

From all these posts, it seems that all programmers don't have a clue about programming in a secure manner. I disagree, its just that times have changed.

Surely, a few years ago this was the case. But certainly not as bad as now. Most PHB worth their weight usually know the security buzz words associated with an implementation are. If they don't give support to the developers to create a secure solution, they arent just lacking in security skills - they are lacking in overall management skills and an understanding of IT. Security has to be part of the overall process when in development, PHB's must invest *training* for programmers and develop standards to follow.

Previous posters saying that it should be manditory for all post grads to have indepth security skills is down right short sighted. Security is a bottomless pit with many variables, a general subject can be taught. However, security can't stem strictly by programming practices. It is a collection of standards from all types, from the network, operating system to the application level. Not to mention the usual deal of people, process and technology.

I've lost count of how many pen tests I've completed where the application design was rock solid, however they had a bad password on their admin portal.

Nuff said....

Re:Vision of security isnt as bad as ./ make it

[viega]

IMHO, if your admin portal is susceptible to a practical password guessing attack, then there is generally far more that you could have done in your application design. One of the most obvious things to do is to reject any password that is easy to guess. But then there are plenty of good authentication schemes that don't use passwords at all, or use them only as one factor in a multi-factor system (such as a private key encrypted with a key derived from a password).

I'd definitely say that it's impractic

/. effect1

[pimpinmonk]

no matter how good their secure coding is, they're no match for the ultimate overflow: the slashdot effect!

Re:/. effect1

[viega]

Yes, but not in the way you'd think. It wasn't bandwidth. The blog is being stupid and creating too many connections to the MySQL database, which eventually stops accepting more. Kicking MySQL is a reasonable stopgap measure.

Small error in the site

[nmoog]

I think I have spotted a small error in your otherwise excellent site.
I checked out the HTML source and the problem seems to be in the spc.css file.
There are several references to the value #BD3D89 and on the monitors I have here that value appears as a bright pink colour.

Just thought I'd let you know.

Here's the full text

[Anonymous Cowdog]

Just in case the site gets slashdotted, here's a cut-n-paste of the home page. Whew, glad I was able to get in to get this:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, mmessier@secureprogramming.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Apache/1.3.28 Server at www.secureprogramming.com Port 80

Articles like this don't make me want to use C/C++

[GnuVince]

When I read articles in which they explain hundreds of coding techniques to make code secure, I really don't want to get involved with such languages. I am not a very good coder and for this reason, my favorite languages are Lisp, Python and O'Caml, all three languages have garbage collectors which frees me from a lot of work that has nothing to do with the task at hand. I know that I can't (and don't want to) deal with memory problems, so I use modern languages which think the programmer's time is more important than the computer's. Seriously, let's say I write an application to manage a little local computer store, why should I use C and potentially ship a lot of memory-related bugs with my app when I can use something like Lisp or Python or O'Caml which all are stable, complete and powerful languages in which that task would be easy and would result in a better application?

Re:Articles like this don't make me want to use C/

[plcurechax]

Seriously, let's say I write an application to manage a little local computer store, why should I use C and potentially ship a lot of memory-related bugs with my app when I can use something like Lisp or Python or O'Caml which all are stable, complete and powerful languages in which that task would be easy and would result in a better application?

So you don't want to have memory allocation and pointer issues. Fine. That does not make your programs secure which is the end goal of secure programming in ____

Re:Speed issues aside

[An Onerous Coward]

Lesson #1: All Java programs are automatically secure.

See, that's why I keep coming to Slashdot. You learn something new every day. :)

Re:Speed issues aside

[quantum bit]

No buffer overflows

Without throwing an exception and crashing the program.

No dereferencing of null pointers

Without crashing the program (java.lang.NullPointerException).

No object creation failures (all "new"s succeed)

Without crashing the program -- usually as spectacuarly as a C program since an out-of-memory condition will make Bad Things happen with the VM or JIT as well.

Sounds like a great candidate for writing an OS kernel in. Microsoft are you listening?

Re:Speed issues aside

[RetroGeek]

Without throwing an exception and crashing the program.

Which makes it unavailable for hacking. No program, no access.

Yes, a DoS will occur, but your site is safe.

Besides, a properly written Java app WILL have a try/catch block at some basic level to do a last ditch effort to intercept (and deal with) a normally fatal exception.

Re:Speed issues aside

[Moraelin]

Unfortunately, in a real world situation (as opposed to the dreams of someone walled in their own ivory tower), a program that crashes regularly is just short of useless. A program which malfunctions in the middle of writing data -- because half the logic got shortcircuited by a RuntimeException that cut straight through the last ditch "catch (Throwable all)" block -- is worse than useless.

For a geek, crashing early might be good coding practice. For a user, it's one e-commerce site they'll never visit aga

Re:Speed issues aside

[An Onerous Coward]

On the upside, it really is better to have your programs crashing in a predictable manner.

/me slaps himself for reading this comment and spending a full twenty seconds trying to figure out how the Java VM would run without the OS.

Re:Speed issues aside

[An Onerous Coward]

Lesson #2: No matter how obvious it is that you're trying to be funny, someone will mistake your comment for totally serious and sincere (or, in this case, totally sincere in sarcasm). Which leads to...

Lesson #3: Don't try and be funny. You'll just end up having to explain it, and--as the Heisenberg Principle attests--an explained joke ceases to be funny.

Seeing how the parent didn't specify which security issues were fixed by switching from C/C++ to Java, and the website is devoted to "secure programming" without regard for language, the parent gives the impression that switching to Java automatically renders an application completely secure.

Despite Java's safer memory usage, an application is still open to a wide variety of attacks. Such grandiose security claims about managed languages are worthless (except for the schmucks trying to get a contract to rewrite a critical application in Java or C#).

See? See how not-funny you made me?

Re:Speed issues aside

[endx7]

Might Java or C# have their own security issues, where if the right set of things occur bad things could happen?

I'd rather use a language which doesn't give a false sense of security, a language which everyone obviously (well, we hope they do, but, true, not always the case) knows you have to do checks and specify how much space you really have (and so forth).

The really is no excuse to use a language like Java or C# to do your checking when you can do it yourself. Except of course, laziness >:P

Re:Speed issues aside

[Anonymous Coward]

The really is no excuse to use a language like Java or C# to do your checking when you can do it yourself.

That is the most ridiculous argument ever. It is tantamount to embracing only the most basic building blocks of anything and claiming that any automation or pre-made combination of those blocks as wrong.

No, it is you who is wrong. Why do you use a computer instead of an abacus? Why do you use paper when you could carve notes into stone? Things progress, things get better, and things that once were boilerplate (like manual safety checking) are taken care of so you don't have to do any of the boilerplate stuff anymore.

Embrace the better technology. Don't cling to the past or you will be left behind.

Re:Speed issues aside

[endx7]

That is the most ridiculous argument ever. It is tantamount to embracing only the most basic building blocks of anything and claiming that any automation or pre-made combination of those blocks as wrong.

I was partially joking. But really, more complex blocks are more likely to be flawed, and this seems especially true when it comes to computers. And the worse part is, you'll never be able to throw away the basic building blocks anyway. After all, what do you think compilers will always end up generati

Re:Speed issues aside

[RetroGeek]

By hiding the details behind a curtain, I think it is more likely problems will just get ignored

So you, um, write software in machine code?

Higher level languages exist because it is tedious and error prone to need to code every last bit (pun intended) of instructon required by the CPU to do any work. The higher level the language, the more insulated you are from the machine code.

Assembler required you to know registers, C and C++ require you to free memory resouces. Java requires you to open/close files

Re:Speed issues aside

[endx7]

So you, um, write software in machine code?

Higher level languages exist because it is tedious and error prone to need to code every last bit (pun intended) of instructon required by the CPU to do any work. The higher level the language, the more insulated you are from the machine code.

True, I like some insulation (it'd be difficult without it), but I like to avoid too much. In the very least, I think it's a good idea to know what's going on behind the magic curtain, and hiding what's going on to much

Not just speed

[Sparks23]

It's more than just speed issues. Interpreted languages have better runtime checking and thus can avoid things like buffer overruns, yes. That's great for a lot of things, don't get me wrong. For backend programs, Java is an absolutely brilliant language, as it encourages some much better object-oriented design philosophies. Even Objective C handles some runtime checking far better than C or C++, though as it is a set of extensions to C it suffers from the same weaknesses in C code.

But what is the JVM written in? I guarantee you it isn't Java. :) Last I checked, the original Java Virtual Machine was written in C...after all, you can't run Java bytecode without something to interpret it. Similarly, I bet you most Just-in-Time Java compiler/interpreters are also written in C or C++. Even the programs which take Java code and turn it into a binary executable likely are linking it against a library which was written in C or C++.

Similarly, at my old job, I had to write low-level drivers for PCI hardware we were developing. Did I get to write these drivers in Java or C#? Of course not... you can't write low-level hardware calls such as Windows VXD files in an interpreted language; it'd really kill the performance of a system.

Just for a moment try to imagine someone writing, say, a new video driver for the Linux kernel in Python, or rewriting XFree86 in Java.

Ow. :)

Moreover, while Java makes it a great deal harder to, say, create a remote root exploit through a buffer overrun, it does not automatically fix problems of, say, cryptographic strength. Creating an encryption algorithm for some vital data which can be easily broken is as much a security hole and a flaw as a buffer overrun.

So while you're correct in some places -- Java and Python and C# and other interpreted languages that can do more stringent runtime checking of things really /do/ solve some problems which traditional lower-level languages are more vulnerable too -- modern interpreted are not a panacea for all programming ills. They aren't suitable for all types of programming, and even for the ones they are well-suited for, they don't automatically solve all security issues.

In general, the lower-level the language, the more easily you can mess it up; ASM is even easier to fry things in than C or C++. It becomes a tradeoff, with the lower-level languages giving you progressively greater efficiency and the ability to access things 'down on the metal', with higher level languages -- while slower and more abstracted -- able to shield you from more mistakes, and more portable between situations.

Each has their place. I wouldn't want to write a web-client that ran database queries in ASM, but Java works great. Conversely, I wouldn't want to write a driver for an AGP graphics card in Python, but ASM or C works pretty well right there. ;)

Re:Not just speed

[varjag]

Interpreted languages have better runtime checking and thus can avoid things like buffer overruns, yes.

*SLAP*

There's no such thing as 'interpreted' or (compiled for that matter) language: particular language implementations are.

There are C interpreters and Java compilers around (check out GCJ, which compiles to native code).

And of course, any Turing-complete language interpreter/compiler can be written in any other Turing-complete language, so no, one don't have to implement compilers in C.

Re:Not just speed

[Sparks23]

Very true, but the most common implementations of the Java, C#, Python, etc. languages are interpreted. Your average Java developer is, at least in my experience, not using GCJ.

Perhaps I misunderstood the original post which I was replying to, but the poster seemed to be making the point that Java and C# -- being interpreted -- fixed all security problems. I concede that an interpreted language fixes some problems because the nature of interpreted code makes it possible to catch some things at runtime (a

Re:Speed issues aside

[viega]

This isn't true whatsoever. Only the most glaring issues are fixed. Currently, we're working on a Java Secure Programming Cookbook, and we'll get around to C# after that.

We do a lot of code auditing, and find about 4-5 serious security problems per thousand lines of code of C and C++ code. In languages like Java, we still usually find 1 or 2 such problems.

Re:Speed issues aside

[viega]

Good question. They're generally problems that one would find in an implementation done in any language. However, there are plenty of language-specific problems for other programming languages. Some of the most glaring exist for PHP and Perl.

Also, note that many programming languages are implemented in C, and have had or might have security problems relating to that. I've seen such problems in several common scripting languages. It is like that there are plenty of other problems like that waiting to

Re:We really need a different language

[wordisms]

Has anyone tried Cyclone? [att.com]

I've heard of it, and I know someone talked about it at DEFCON this year. Has anyone tried it for production applications, or just for proof of concept?

Re:We really need a different language

[pVoid]

Microsoft is moving to languages with managed types [...]overwhelming majority of Microsoft security holes would have never happened

Are you somehow recommending a kernel be written in something else than C??? Sure, not all systems software is kernel mode C, but you have to realize that unless the underlying infrastructure is built (on some low level language), you can't have high level languages... in other words, the bottom line is Assembly. You have to build your way to it.

Now that said, the buffer overflow isn't the only security hole in the world, in fact more security holes come from very very high level, very abstract programming fallacies... such as for example the cookie exploit (it's a logical bug) that Hotmail had a while back.

All this being said, I feel like a dirty karma whore right now (feeling the slimey breath of modders down my neck), so I'll say it right out: I'M PRO MICROSOFT.

<runs for cover>

Re:We really need a different language

[RetroGeek]

Now that said, the buffer overflow isn't the only security hole in the world, in fact more security holes come from very very high level, very abstract programming fallacies... such as for example the cookie exploit (it's a logical bug) that Hotmail had a while back.

There is a difference between a programmer error (buffer overflow) and a design problem.

If you can use a language which reduces programmer error, then you can spend more resources working on proper design.

Computers Existed Before C

[Detritus]

20+ years ago I used an operating system that was written in Pascal. There have been commercial operating systems written in FORTRAN, PL/I, LISP and other languages.

Re:We really need a different language

[William Baric]

Are you somehow recommending a kernel be written in something else than C?

Personally I never understood why C was so popular. In particular I never understood why people thought of C as a powerful language. I don't know about the parent post, but for me I do recommend writing a kernel with something else. A mix of Ada and assembly would be my choice (yes, I know I'll get flamed for saying "Ada").

but you have to realize that unless the underlying infrastructure is built (on some low level language), you

Re:We really need a different language

[varjag]

> Are you somehow recommending a kernel be written in something else than C???

Um.. why not?

> you have to realize that unless the underlying infrastructure is built (on some low level language), you can't have high level languages... in other words, the bottom line is Assembly.

Yes, but the next level don't have to be C.

We already HAVE the different language.

[rjh]

It's called LISP.

(And before anyone says "... but you can't write a kernel in LISP!", there are several LISP Machines out there which beg to disagree with you.)

Re:We already HAVE the different language.

[dmiller]

It's called LISP.
(And before anyone says "... but you can't write a kernel in LISP!", there are several LISP Machines out there which beg to disagree with you.)

Yes, very true. "Several" is an excellent estimate of the number of LISP machines sold.

Re:We already HAVE the different language.

[MalleusEBHC]

(And before anyone says "... but you can't write a kernel in LISP!", there are several LISP Machines out there which beg to disagree with you.)

Who needs to write just a kernel in LISP when there is emacs, a complete OS written in LISP?

Re:We already HAVE the different language.

[Anonymous Coward]

I agree that they didn't sell that many Lisp machines (maybe a few tens of thousands?). But you are mistaken in your comment about architecture: the Lisp machines only ever had half a dozen instructions that made them different from mainstream CPUs. In fact one of the many reasons for the demise of Lisp machines was that Lisp compilers of mainstream architectures got good enough that they could compete with the Lisp-optimized machines. In principle there's no reason you couldn't run a Lisp kernel on a mo

Re:We already HAVE the different language.

[Raffaello]

This is just silly - existing commercial lisps compile to machine code, same as c, or fortran, or ada, etc. Current lisp implementations run on stock hardware, on all the major platforms - Windows (XP,ME, NT, 9x, Dos), Linux (ix86, sparc, ppc), Mac OS X (and Classic), and various Unices.

OS kernels are not written in lisp because Unix was written in C, so everyone mistakenly believed that C was *the* language for OS kernel implementation. However, this is simply not so. Any language compiler that can generate machine code can be used to write an OS kernel.

Re:We really need a different language

[Electrum]

They happen because A) most code is written in C or C++, and B) everyone makes mistakes (even the finest open source developers overlook simple buffer overflows).

That's not true. qmail [cr.yp.to] and djbdns [cr.yp.to] do not have security holes. They were written using secure coding techniques that make them immune to things like buffer overflows. You can't "overlook" a buffer overflow with stralloc [cr.yp.to].

Re:We really need a different language

[slamb]

qmail and djbdns do not have security holes.

Bah. That they do not have security holes is implausible, if not actually impossible, to prove. It's hard to even define what a security hole is; a changing threat model has "caused" many security holes. (Is an open relay a security hole? I say yes. Twenty years ago, everyone said no.) I doubt your statement. I can't point at a hole right now, but I have confidence that at least one security hole will eventually be discovered in those programs.

They were written using secure coding techniques that make them immune to things like buffer overflows. You can't "overlook" a buffer overflow with stralloc.

No, they make it easier to avoid buffer overflows. They don't prevent them: I quote from your hyperlink:

A stralloc structure has three components: sa.s is a pointer to the first byte of the string, or 0 if space is not allocated; sa.len is the number of bytes in the string, or undefined if space is not allocated; sa.a is the number of bytes allocated for the string, or undefined if space is not allocated. A stralloc variable should be initialized to {0}, meaning unallocated.

Applications are expected to use sa.s and sa.len directly.

If they use sa.s and sa.len directly, they can screw up and increase len inappropriately. The API seems good in that it makes it much harder to do things wrong, but it is hubris to say it makes you invulnerable. Besides, buffer overflows are possible for things other than strings, so this solves only (the most common) part of the problem. And there's still the legacy code that people can use without porting to stralloc.

It does seem like a good library if you're stuck using C. Another alternative is APR, which makes managing all sorts of memory allocations much easier. Pools are handy things when dealing with a language that primitive.

But there are languages in which it actually is impossible to have a buffer overflow. Please don't confuse the issue by saying that this (which makes it somewhat easier to avoid this error) makes the error impossible.

Re:We really need a different language

[Malcontent]

"but I have confidence that at least one security hole will eventually be discovered in those programs."

qmail is very widely used and deployed (they claim it's the second most popular smtp program) and it has never been hacked. If it has held up so far I am pretty sure it's unbreakable.

Re:We really need a different language

[Snoopy77]

Now that you've got off your high pony, the problem is not necessarily the tools. As the site points out, buffer overflows can be avoided in C/C++. The whole point of the site is to try and improve coding practices.

And don't think that just because Microsoft is switching to managed types that they are all of a sudden going to fix bad coding practices. Sure it may reduce the effect of bad coding but it won't single handedly catapult Microsoft into security heaven.

Go back in your cave troll.

Re:We really need a different language

[viega]

I would actually argue that the most common security problem in software systems is likely NOT the buffer overflow. Yes, the most common thing to see in places like bugtraq, etc. is the buffer overflow, but this is because people know how to find them and turn them into exploits ( and, the consequences are running code on a remote machine, which is pretty severe).

However, C and C++ are a fairly small part of the market these days, too. All the market data I've seen recently suggests that no more than 1/3 of commercial development is in one of these languages. It's probably less.

And, there are plenty of security problems that apply to all languages, such as problems in authentication systems that provide the attacker some kind of leverage (e.g., practical guessing attacks), other misuse of cryptography (e.g., misapplying SSL) and other generic input validation problems (e.g., SQL injection). These things come up in all languages, and are things people frequently get wrong.

Re:We really need a different language

[defile]

I recommend Python.

Open source, expressive (very short code can achieve a lot), readable (very short expressive code is easily groked -- fewer bugs), no direct pointer manipulation (safe -- fewer bugs), integrates nicely with other languages, runs on a variety of platforms, very easy to learn.

Re:We really need a different language

[Dun Malg]

I recommend Python. Open source, expressive (very short code can achieve a lot), readable (very short expressive code is easily groked -- fewer bugs), no direct pointer manipulation (safe -- fewer bugs), integrates nicely with other languages, runs on a variety of platforms, very easy to learn.

Python is good for some things, but it's hardly a 1:1 replacement for C/C++. While it may be somewhat better in some areas, interpreted languages have certain shortcomings that make them unsuitable as replacements

Re:We really need a different language

[axxackall]

Python is good for some things, but it's hardly a 1:1 replacement for C/C++. While it may be somewhat better in some areas, interpreted languages have certain shortcomings that make them unsuitable as replacements for compiled languages in many cases. Such as anything rquiring small size or fast execution...

I think you exagurate a lot here, when you use the word many to advocate C, and the word some applying to Python and other interpreters. I think that in most of projects (by amount of projects and by a

Re:We really need a different language

[Omnedon]

Open Source developers, on the other hand, arrogantly believe that they are immune to mistakes. They somehow overlook the countless exploits discovered in their own code (more than 500 in Debian over the past 4 years).

Overlook? Hardly.

Most open source models encourage reporting of exploits so they can be fixed. (more than 500 in Debian over the past 4 years). How many of those are STILL exploitable? How long between when an error is found and a fix is available?

Your argument is common and entirel

Re:At last!

[viega]

I dunno about that. There's a lot of software being exposed on that server, just through apache. It wouldn't surprise me if there were some 0-day out there affecting one of those things.

Re:wrong assumptions abound

[viega]

It's easier to eke speed out of C, largely because there's no pesky security ;-)