Re: [Full-Disclosure] Off topic programming thread
- To: Bill Royds <full-disclosure@royds.net>
- Subject: Re: [Full-Disclosure] Off topic programming thread
- From: Brett Hutley <brett@hutley.net>
- Date: Wed, 29 Oct 2003 17:12:51 +1100
Bill Royds wrote:
> A vulnerability on the list today is a perfect example of why C is
> inherently an insecure programming language and why "thinking in C" is a
> direct route to insecure code.
> *code snipped*
> If instead C allowed a header like
> static void
> defang( char* str, char dfstr[dfsize], int dfsize )
> to indicate to the compiler that string dfstr should never be longer
> than dfsize, then it could issue the hardware checks (using the CX
> register in the LOOP instruction). Using C forces the programmer to make
> no mistakes rather than allowing the compiler to at least warn of
> possible flaws.
I think what you're really saying is that C allows programmers to make
mistakes when dealing with areas of memory. The above vulnerability is
based on a mistake in the code.
(If I were to code the above prototype, BTW, I'd probably make it more
like "static void defang(const char *str, char *dfstr, unsigned dfsize)"
to indicate to programmers calling the function that the first
argument's contents are immutable, the second argument is the destination
buffer, and the size shouldn't be negative.)
Note that you can also create "frameworks" for writing secure code in C
as well [at least as secure as any bit of code is :) ].
If you were to argue that Java has much safer string handling, I'd point
out that many Java environments are written in C and they provide an
*environment* for working safely with strings. At the end of the day in
these languages, the string comes down to a C structure and the various
functions to manipulate the string come down (or could come down) to C
functions. Just because the C standard library provides functions like
strcpy() for working with null-terminated strings doesn't mean you have
to USE them!! The Windows API, for example, provides its own string
routines for working with Unicode/Multibyte strings. GTK
has another set of string routines and ways of defining a string.
After all, programming languages are just metadata to generate machine
code. C has a small vocabulary, with each keyword representing a few
statements in machine code. Other programming languages generate far
more machine code per statement, but you have to live within the bounds
that the language designers have laid out for you. In the case of Java
you're playing in a sandbox, but if you shovel enough sand you'll come
across the C structures that create your programming environment :)
Cheers, Brett
--
Brett Hutley [MAppFin,CISSP,SANS GCIH]
mailto:brett@hutley.net
http://hutley.net/brett
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
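The bounded prototype Brett proposes, worked through as an added example. This is not the snipped code from the advisory under discussion, nor anything from the thread itself; it assumes that "defang" means replacing '<' and '>' with "&lt;" / "&gt;" (a common HTML defanging), uses size_t rather than unsigned for the size, and the sample inputs are constructed. The unbounded variant is included only to show the shape of the pattern the thread criticises, beside the version whose prototype carries the size.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative only (hypothetical, not the snipped code). The destination's
 * size is not part of the prototype, so the function cannot check it: each
 * '<' or '>' expands by three bytes and a short caller buffer overruns
 * silently. Never use this shape. */
static void defang_unbounded(const char *str, char *dfstr)
{
    char *out = dfstr;
    for (; *str != '\0'; ++str) {
        switch (*str) {
        case '<': memcpy(out, "&lt;", 4); out += 4; break;
        case '>': memcpy(out, "&gt;", 4); out += 4; break;
        default:  *out++ = *str;                   break;
        }
    }
    *out = '\0';
}

/* The prototype proposed in the reply, with size_t for the size: the source
 * is read-only and the destination travels with its capacity so the function
 * can enforce it. snprintf-style contract: the return value is the length the
 * complete output needs (excluding the NUL), so a result >= dfsize tells the
 * caller that dfstr was truncated. dfstr is always NUL-terminated when
 * dfsize > 0, and an escape is only ever written whole, so the output never
 * ends in a partial "&lt;". With dfsize == 0 nothing is written and dfstr may
 * be NULL, which lets a caller size a buffer first. */
static size_t defang(const char *str, char *dfstr, size_t dfsize)
{
    size_t needed = 0;   /* bytes the full output needs */
    size_t used = 0;     /* bytes actually written to dfstr */
    int truncated = 0;   /* once set, nothing more is written, only counted */

    for (; *str != '\0'; ++str) {
        const char *rep;
        size_t replen;
        switch (*str) {
        case '<': rep = "&lt;"; replen = 4; break;
        case '>': rep = "&gt;"; replen = 4; break;
        default:  rep = str;    replen = 1; break;
        }
        needed += replen;
        /* Room for this whole unit plus the terminator? */
        if (!truncated && used + replen < dfsize) {
            memcpy(dfstr + used, rep, replen);
            used += replen;
        } else {
            truncated = 1;
        }
    }
    if (dfsize > 0)
        dfstr[used] = '\0';
    return needed;
}

/* Caller-side check the bounded contract makes possible: 1 when the whole
 * escaped string fit, 0 when it was cut short (dfstr is still a valid,
 * terminated string either way). */
static int defang_fits(const char *str, char *dfstr, size_t dfsize)
{
    return defang(str, dfstr, dfsize) < dfsize;
}

int main(void)
{
    char small[8];              /* constructed: deliberately small destination */
    char big[32];
    const char *in = "a<b>c";   /* constructed sample input, needs 11 bytes */

    if (!defang_fits(in, small, sizeof small))
        printf("truncated: \"%s\" (needs %zu bytes)\n",
               small, defang(in, NULL, 0));
    if (defang_fits(in, big, sizeof big))
        printf("ok: \"%s\"\n", big);
    return 0;
}
```

The compiler still cannot verify the size for you, which was Bill's point; what the prototype buys is that the check can live inside the function once, and the caller gets a return value it can act on instead of a silent overrun.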