[Techtalk] Theory vs. practice

Raven, corporate courtesan raven at oneeyedcrow.net
Mon Jan 14 04:00:56 EST 2002

Heya --

Quoth Jenn Vesperman (Mon, Jan 14, 2002 at 06:28:30PM +1100):
> > A lot of what's out there today in terms of "practice" has very
> > little to do with formal security theory and more to do with really
> > bad coding.  For example, most of the security problems we see are
> > coding errors -- buffer overflows, parameter checking, software
> > races, and the like.  
> Yes, but programmers aren't being taught how to avoid these coding
> errors, or what errors to avoid.
	No kidding.  I know vaguely that not checking your input for CGI
scripts is bad (things like ' in input can cause large problems if not
properly dealt with by the script -- a username 

' or 0=0 

will always return true if the ' is not escaped or disallowed by the
script, because 0 always equals 0) and that buffer overflows can be
caused by not saying, essentially, "and if there's more data than buffer
space, return this error and stop writing to memory", but that's it.
Mostly I end up applying patches to fix things like this rather than
correcting the code.

	I'd love to see something like this discussed in the security
course or on techtalk, if some of the more experienced coders could give
a less fuzzy explanation.  Nobody seems to teach programmers these
things, though.

"You're some sort of nifty self-created non-categorizable thing.  I 
 don't know what to call you, so I can't curse you."
  -- Louis, regarding vituperation

More information about the Techtalk mailing list