[Techtalk] Theory vs. practice
Julie
jockgrrl at austin.rr.com
Tue Jan 15 21:22:43 EST 2002
>
> On Mon, Jan 14, 2002 at 02:15:38AM -0600, Julie wrote:
> > What I'm describing has nothing at all to do with coding security. It
> > has everything to do with very basic (as in, first year university)
> > skills -- things like, oh, never copy more data into a buffer than it
> > can handle, validate your parameters, know what your code is actually
> > supposed to be doing.
>
> Ho hum, this is my third post in this thread along these lines, but some
> universities never teach these skills. For starters you can get a whole
> degree in some places using languages where you don't do memory
> allocation and never have to deal with overflowing buffers.

Yes, I certainly do understand that. But again, these are such
basic skills that I can't believe people see them as anything
special.

Before people figured out how to do buffer overflows (which I
think we can blame on Robert "Wormer" Morris, Jr. ...) those
sorts of bugs were just "bugs". You got a core dump, and then
you started over.

What I think of as "security bugs" is code like this --

    if (stat (file, &blah) == 0 && blah.st_uid == me)
        chown (file, me, new_group);

where the fact that there is a race between the stat and the
chown exists. It's more like "unintended consequences of
properly written code" than "exploitable incorrectly written
code".

--
Julianne Frances Haugh Life is either a daring adventure
jockgrrl at austin.rr.com or nothing at all.
-- Helen Keller
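
Added example, not part of the original post: the stat/chown fragment above next to a form that closes the race by opening the file once and doing both the ownership check and the group change on the descriptor. The function names are hypothetical, and the hardened form assumes the target is a regular file the caller can open for reading.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Racy form from the post: the path is resolved twice, so the object
 * that chown() acts on need not be the one stat() examined. */
int chgrp_if_owner_racy(const char *file, uid_t me, gid_t new_group)
{
    struct stat sb;
    if (stat(file, &sb) == 0 && sb.st_uid == me)
        return chown(file, me, new_group);
    return -1;
}

/* Hardened form: resolve the path once, then check and change the same
 * open file through its descriptor. Returns 0 on success, -1 otherwise. */
int chgrp_if_owner(const char *file, uid_t me, gid_t new_group)
{
    struct stat sb;
    int rc = -1;
    /* O_NOFOLLOW: refuse a symlink as the final path component.
     * O_NONBLOCK: do not hang if the path names a FIFO. */
    int fd = open(file, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    if (fstat(fd, &sb) == 0 && S_ISREG(sb.st_mode) && sb.st_uid == me)
        rc = fchown(fd, (uid_t)-1, new_group);   /* owner left unchanged */
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s FILE\n", argv[0]);
        return 2;
    }
    /* Constructed usage: set FILE's group to our effective gid. */
    return chgrp_if_owner(argv[1], geteuid(), getegid()) == 0 ? 0 : 1;
}
```

Because fstat() and fchown() both act on the descriptor, renaming or replacing the path after open() cannot redirect the group change to a different file.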