
Re: libsafe and Debian installation



On Mon, Apr 22, 2002 at 05:26:17PM -0500, Jeff Licquia wrote:
> On Mon, 2002-04-22 at 16:49, Jeroen Dekkers wrote:
> > On Mon, Apr 22, 2002 at 05:31:40PM -0400, Shaya Potter wrote:
> > > I assume you means it's the wrong way to increase security.  I disagree
> > > with you.  libsafe and good code are 100% orthogonal issues.  good code
> > > is the security blanket, libsafe is the safety net.  
> > 
> > No, good code doesn't have buffer overflows. You should just use
> > dynamic allocation and memcpy() for example.
> 
> Spoken like a good developer.
> 
> Unfortunately, no one is perfect.  Are you claiming the title?  If you
> are, thanks for letting us know; we need to start auditing all of your
> projects right away. :-)

I don't think you will find buffer overflows in my code. At least not
any overflow libsafe would protect against. If you don't want to know
all the details of string manipulation, use a higher-level language. If
you want to program in C and manipulate strings, do it right.

> The best security plan makes use of layers.  This way, a screwup on one
> layer has a chance of being compensated for on another.  That's why we
> still have both tcp-wrappers and ipchains, for example.

The best security thing is to write clean code and make the system
less vulnerable by the design of the system.
 
> So, if libsafe may potentially stop other people's screwups (maybe even
> yours) from causing me problems, it's got my vote.  Especially if it
> warns me whenever it finds one.

My screwups? I use dynamic allocation and memcpy(), I don't know how
libsafe wants to protect against my screwups.

> > > Lets say one is an administrator of his own machine on a cable modem. 
> > > Lets say that person is in the middle of finals, or ends up in the
> > > hospital and is unable to update his machine. Something like libsafe can
> > > provide a real boost in security.  
> > 
> > Let's talk about more people than 0.0000001% of our users.
> 
> If you feel the need to assert that this is only 0.00001% more of our
> users, please make sure you cross-post that to debian-user.  I suspect
> you'll get an education. :-)

I was talking about the percent of those ending up in the hospital
being unable to update the machine.
 
> > I don't think libsafe will protect most of those systems. If libsafe
> > is needed to warn an administrator that his machine has an insecure
> > application then there is already something wrong. Any administrator
> > who takes his job seriously reads about security updates and patches his
> > software.
> 
> If libsafe warns when an app buffer-overflows, then consider this:
> libsafe may be finding a problem no one else has yet.  Or, possibly, a
> problem that only the black hats know about at the moment.
> 
> That would be a very valuable service.

Every programmer with a little bit of experience can find the problems
libsafe tries to protect you from. It only checks whether some functions
are being misused. The list of functions according to the README is:
strcpy()
strcat()
getwd()
gets()
[vf]scanf()
realpath()
[v]sprintf()

Those functions are actually the most obvious buffer overflows. If a
program has this kind of buffer overflow, I wonder what other kinds of
security problems it has. So libsafe doesn't protect against buffer
overflows in general, only against the most obvious ones. It even gives
you a false feeling of being secure.

Note that getwd() and realpath() will fail on the Hurd anyhow because
those functions rely on the existence of PATH_MAX.

> > > If the cons are too great for someone, i can accept
> > > that they wont use it.  But to say that there's a security reason not to
> > > use it, to me seems like a very weak argument.
> > 
> > I'm talking about that's wrong to provide it in the first place. And
> > it *could* cause security problems.
> 
> Perhaps libsafe isn't really useful yet.  Maybe it won't ever be.  If
> you think this is the case solely because of its design, well, provide
> some evidence.
> 
> As for the "it could cause security problems" thing, well, so could any
> software you install.  Why is libsafe so special that it doesn't deserve
> to exist because it might have flaws?

It doesn't deserve to exist because the time should be spent fixing
bugs and learning how to write good code instead of making workarounds
for stupid programmer bugs.

Jeroen Dekkers
-- 
Jabber supporter - http://www.jabber.org Jabber ID: jdekkers@jabber.org
Debian GNU supporter - http://www.debian.org http://www.gnu.org
IRC: jeroen@openprojects
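An added example, not code from this thread or from libsafe, to make the two points in the message concrete: what "dynamic allocation and memcpy()" looks like in place of strcpy()/strcat() into a fixed buffer, and why a wrapper that only intercepts the libc functions listed above cannot see an overflow written by hand. The function names (dup_string, concat_strings, copy_bounded, extract_value) and the sample inputs are this example's own assumptions.

```c
/* Added example (not from the thread or libsafe). Shows the
 * dynamic-allocation + memcpy() style argued for above, a bounded copy
 * for the cases where a fixed buffer is unavoidable, and a hand-written
 * loop that calls none of the wrapped libc functions, so a bounds slip in
 * it is invisible to a strcpy()/strcat()/sprintf() interposer. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Replacement for strcpy() into a fixed buffer: measure first, allocate
 * exactly, copy exactly. There is no fixed-size destination to overrun.
 * Caller frees the result. */
char *dup_string(const char *src)
{
    size_t n = strlen(src) + 1;          /* include the terminating NUL */
    char *dst = malloc(n);
    if (dst == NULL)
        return NULL;
    memcpy(dst, src, n);
    return dst;
}

/* Replacement for strcat() into a fixed buffer. The size arithmetic is
 * checked too: two attacker-controlled lengths must not wrap size_t and
 * produce an undersized allocation. Caller frees the result. */
char *concat_strings(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (lb > SIZE_MAX - 1 || la > SIZE_MAX - 1 - lb)
        return NULL;
    char *dst = malloc(la + lb + 1);
    if (dst == NULL)
        return NULL;
    memcpy(dst, a, la);
    memcpy(dst + la, b, lb + 1);         /* copies b's NUL as well */
    return dst;
}

/* Bounded copy for when the destination really is fixed (struct field,
 * stack buffer). Returns 0 on success, -1 if src would not fit; the
 * caller decides whether to reject the input, never the copy routine. */
int copy_bounded(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (cap == 0 || n >= cap)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Copy the value part of "key=value" into out, writing at most cap
 * bytes. Returns the number of value bytes stored (excluding the NUL),
 * 0 if there is no '='. Nothing here is a wrapped libc call, so the
 * `i + 1 < cap` test is the only thing between this loop and a stack
 * overflow: remove it and libsafe would never notice. */
size_t extract_value(const char *line, char *out, size_t cap)
{
    const char *eq = strchr(line, '=');
    size_t i = 0;
    if (cap == 0)
        return 0;
    if (eq == NULL) {
        out[0] = '\0';
        return 0;
    }
    for (const char *p = eq + 1; *p != '\0' && i + 1 < cap; ++p)
        out[i++] = *p;                   /* over-long values are truncated */
    out[i] = '\0';
    return i;
}

int main(void)
{
    /* Constructed sample input, longer than the 8-byte buffer below. */
    const char *line = "user=alice-with-a-long-name";
    char small[8];
    char *joined = concat_strings("user=", "bob");

    printf("copy_bounded: %d\n", copy_bounded(small, sizeof small, line));
    printf("extract_value: %zu -> \"%s\"\n",
           extract_value(line, small, sizeof small), small);
    printf("concat: %s\n", joined ? joined : "(alloc failed)");
    free(joined);
    return 0;
}
```

copy_bounded() rejects the over-long line instead of overflowing; extract_value() truncates it to seven bytes plus the NUL. Which of the two behaviours is right depends on the caller, but either way the decision is made by explicit length arithmetic in the program, not by a library wrapper after the fact.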


