Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Update: Web browsers - a mini-farce (MSIE gives in)

from [Tim Newsham] Network Security [Permanent Link]
Subject: RE: Update: Web browsers - a mini-farce (MSIE gives in)
Date: Fri, 29 Oct 2004 09:20:40 -1000 (HST) 
You don't have to understand how to exploit a buffer overflow in
order to avoid overflowing buffers.


But you have to think of a buffer being overflowed to check for
it.


Anyone who doesn't understand that a finite-size container cannot hold more
than what it can hold is unlikely to manage to write software.


Michael, the entire premise of your posting is that a programmer
can write secure code without knowing what constitutes exploitable
code.  I'm going to have to strongly disagree.

It might be the case that a programmer recognizes that there is
a bug present when there is a fixed sized container and its possible
to put more into it than it should be able to contain.  Even this
is not always the case.  Heck, I write software and sometimes
there are buffer overflows in my own code that I dont recognize
at first, and I get paid to analyze software looking for problems
like this.

But lets assume that a good programmer is writing software and
it comes to his attention that there is a buffer overflow, or
that user input is not being filtered, or that user input is being
passed to a printf type function.  What happens next?  Well, it
depends on how many bugs there are, how much other work needs
to be done, and very importantly, what the perceived impact of
that bug is.  You cannot imagine how many times a bug is pointed
out and the author of the software says "ok, that bug can only
happen if the user does something stupid, and it is not exploitable.
Lets defer that one."  It turns out that these bugs are exploitable
a lot more often than most non-security people know.  It can even
be hard for people who do this for a living to make the proper
determination without lots and lots of analysis and head banging,
but that's another discussion...

In summary, I think its very important that software writers understand,
at least in some minimal way, what constitutes an exploitable security
vulnerability.  You cannot expect to write code that is free of
security defects without understanding the principles.  (Ok, in fairness
you can't really expect to write code that is free of security
defects even when you understand the principles, but at least it
helps).


Michael Wojcik
Principal Software Systems Developer, Micro Focus


Tim N.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Update: Web browsers - a mini-farce (MSIE gives in), Tim Newsham
Next by Date:  Re: Update: Web browsers - a mini-farce (MSIE gives in), infamous41md
Previous by Thread:  Re: Update: Web browsers - a mini-farce (MSIE gives in), Michael Shigorin
Next by Thread:  RE: Update: Web browsers - a mini-farce (MSIE gives in), David Brodbeck
Indexes:  [Date] [Thread] [Top] [All Lists]