Re: gets() is dead



Flash Gordon wrote:

> Tor Rustad wrote, On 21/05/07 01:47:
>
>> The *first* step in building a secure system is to design and analyze
>> it *before* any programming has been started. That is the hard part, in
>> my experience.
>
> Failing to analyze and design (in my opinion you analyze the problem
> before you start the design) is also doing something you know is
> insecure, so that is also covered by my statement :-)

Well, even the detailed design specs shouldn't be language specific. The
local C coding standard will typically ban gets(), not your design
documents.


>> Now, after the spec has been implemented, time comes to testing and code
>> audit. When doing audit, both manual inspection and static analysis
>> should be done for safety-critical systems.
>
> Agreed. Although secure and safety critical are independent attributes.
> For example, I have worked on safety critical SW where security was not
> a requirement (it was an embedded avionics system).

This is really off-topic, but if you re-read my post, I never said safety ==
security.

However, safety, "freedom from danger of risk", is hardly an *independent*
attribute from security. I know what you mean, but some safety-critical
systems do need to protect against information leakage, others don't.

Denial-of-Service, is that a safety or a security attribute?

Your answer is not important, since we can agree that gets() is both a
safety *and* a security "bug", right?


>> OTOH, for a bank, the insider threat is a *major* concern. However,
>> banks want to make money, so they take calculated risks and in some
>> cases, higher risks than they are aware of.
>
> Yes, I fully agree.
>
> In my case it really is builders and accountants who are generally not
> that knowledgeable about computing, and that factors into the risk
> assessment. There is a lot of money involved, but the chances of anyone
> having the access and knowledge to mount a sophisticated attack without
> also having sufficient permissions to not need to attack are really small.

If there is a lot of money involved... even threats with little probability
can be highly relevant. One place I worked had an insider attack ca. 15
years ago, where they got away with *over* 100 million dollars, which today
would be approx 400-500 million dollars?

The attack was mounted at a time when the company switched over to a new
security system. The insiders were supposed to watch each other; nobody knew
they were lovers. Approx 30 billion dollars passed through that system
each day.

An outsider will typically go after a few accounts on the front-end, while
the insider might very well strike the back-end... with devastating effect.
The main worry for a bank about the front-end is negative publicity, not really
the money lost. However, avoiding a full-scale attack on the back-end can be
a question of staying in business or not.


>> Removal of gets() will help clueless programmers, who are not building
>> secure software anyway. For professionals, gets() is a non-issue IMO.
>
> Removal of it means there is one less thing to learn not to do and one
> less thing for teachers to get wrong.

If a company lacks automated tools to detect bugs like "gets", they don't
take safety and/or security issues very seriously. splint is even free.
There are also commercial tools out there to enforce your "safe" C subset.

If you still worry, why not comment away the banned APIs from the header
files?

Heck, you can scan the binaries for banned function calls.

--
Tor <torust [at] online [dot] no>
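As an added illustration of why gets() ends up on every banned-API list (example code, not written by anyone in the thread): a bounded line reader built on fgets() that reports the one case gets() cannot, a line longer than its buffer, and resynchronises on the next line instead of writing past the end. It assumes POSIX fmemopen() to construct the sample input in memory.

```c
/* Added example (not from the thread): a bounded replacement for gets(),
 * demonstrated on constructed input. Assumes POSIX fmemopen(). */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <string.h>

/* Read one line into buf (size n), dropping the newline.
 * Returns 1 on success, 0 on EOF with no data, -1 if the line did not fit
 * (the excess is discarded so the next call starts on the following line).
 * gets() has no n, so it writes past the buffer instead of reporting -1. */
int read_line(char *buf, size_t n, FILE *in)
{
    if (n == 0 || fgets(buf, (int)n, in) == NULL)
        return 0;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    /* No newline: either EOF ended the line, or it did not fit. */
    int c = fgetc(in);
    if (c == EOF)
        return 1;
    while (c != EOF && c != '\n')   /* drain the overlong remainder */
        c = fgetc(in);
    return -1;
}

/* Constructed input: a short line, an overlong line, and a last line with
 * no trailing newline. Returns how many lines overflowed the 8-byte buffer. */
int demo_count_truncated(void)
{
    static const char sample[] = "ok\nthis line is far too long\nlast";
    FILE *in = fmemopen((void *)sample, sizeof sample - 1, "r");
    if (in == NULL)
        return -1;
    char buf[8];
    int truncated = 0, r;
    while ((r = read_line(buf, sizeof buf, in)) != 0) {
        if (r < 0)
            truncated++;
        printf("%s%s\n", buf, r < 0 ? " [truncated]" : "");
    }
    fclose(in);
    return truncated;
}

int main(void) { return demo_count_truncated() == 1 ? 0 : 1; }
```

The same check is what a banned-API scan enforces mechanically: any call site that cannot name its buffer size is the defect.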
