Re: Ada.Command_Line and wildcards



"Hyman Rosen" <hyman.rosen@xxxxxxxxx> wrote in message
news:1172587938.237094.134530@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Feb 26, 7:34 pm, "Randy Brukardt" <r...@xxxxxxxxxxxxxx> wrote:
The problem is that if it doesn't fit, you can't recover

Granted, but that's not really the point. On a modern computer system,
given that it's reading input from a file or standard input, the
programmer can reasonably expect that there are at least many tens of
megabytes available to be allocated. Sure there can be inputs that
will exceed that, but then you're really in a different domain.

Think of it this way - when you decide to sort data, you need to
choose between internal and external sorts. You can't do that without
a notion of a threshold size. Clearly that size has increased over the
years. Reading input is similar. Many programs can now very reasonably
expect to read in their entire input into memory at once before
processing any of it, and if that's not going to work because of
allocation on the stack then there should be an alternative.

True, but recovery *is* the point if you're at all worried about security.
These days, you have to assume that all files and all other user input are
corrupted in some way. Ignoring the possibility is only legitimate for
programs only used in tightly controlled circumstances (and there are not
many of those).

It is OK to let the program run out of memory if that case can only cause a
DoS to the attacker. (Who cares if the attacker is served?) But running out
of memory can cause a DoS to *all* tasks in the program, and that could
cause a DoS to all users of the program.

Take our web server. It uses a fixed size buffer to read commands from the
Internet. Because of the behavior of the procedure Get_Line, if the command
is too long, it will merely be truncated (and the fact that that happened
can be detected). So even if the case isn't handled explicitly, nothing bad
could happen to anyone other than the attacker (and if it is handled
explicitly, the attacker simply will be given an error message). OTOH, the
function Get_Line would use an arbitrary amount of memory in that case. So,
if an attacker fed a sufficiently large command to the server, it could
cause the server to run out of memory and thus disrupt the other tasks
handling commands from other clients. That could result in a general DoS,
and that's not acceptable.

Thus, it's really only safe to use function Get_Line in single-tasking
programs for which the failure to handle user input does not cause
corruption. There are of course many such programs, which is why we included
a function Get_Line. But it has to be used with care - I worry that it will
not be, and thus some of Ada's security will be compromised.

In any case, current Ada supports what you want. So further griping on this
subject is uncalled for... (There are plenty of other subjects where you
could find a legitimate gripe...I recommend complaining about one of them.
;-)

Randy.
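The bounded-buffer pattern Randy describes, written out as an added example (not the original poster's web-server code). It uses the procedure form of Get_Line so that an over-long line costs at most a fixed buffer, and uses the Last = Item'Last / End_Of_Line check to tell "line fit exactly" from "line was truncated"; the 256-character limit and the Read_Command name are assumptions for the illustration.

```ada
with Ada.Text_IO; use Ada.Text_IO;

procedure Bounded_Command_Reader is
   --  Assumed limit for this example; the thread gives no figure.
   Max_Command_Length : constant := 256;

   type Read_Status is (Ok, Truncated, Finished);

   --  Reads one line into the caller's fixed-size buffer. Unlike
   --  "Line : constant String := Get_Line;" this never allocates memory
   --  proportional to the attacker's input.
   procedure Read_Command
     (Command : out String;
      Last    : out Natural;
      Status  : out Read_Status) is
   begin
      if End_Of_File then
         Last   := Command'First - 1;
         Status := Finished;
         return;
      end if;

      Get_Line (Command, Last);   --  stops when the buffer is full
      Status := Ok;

      if Last = Command'Last then
         --  The line either fit exactly or was longer than the buffer.
         --  Either way the line terminator has not been consumed yet, so
         --  End_Of_Line distinguishes the two cases.
         if not End_Of_Line then
            Status := Truncated;
         end if;
         Skip_Line;   --  discard the remainder: bounded work, no allocation
      end if;
   end Read_Command;

   Buffer : String (1 .. Max_Command_Length);
   Last   : Natural;
   Status : Read_Status;
begin
   loop
      Read_Command (Buffer, Last, Status);
      exit when Status = Finished;
      if Status = Truncated then
         --  Only the sender of the over-long line is affected.
         Put_Line ("error: command longer than"
                   & Integer'Image (Max_Command_Length) & " characters");
      else
         Put_Line ("command: " & Buffer (1 .. Last));
      end if;
   end loop;
end Bounded_Command_Reader;
```

Skip_Line after a truncated read matters: without it the overflow would be read back as the next "command" instead of being dropped.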




