
Re: libsafe and Debian installation



On Tue, 2002-04-23 at 07:44, Jeroen Dekkers wrote:
> On Mon, Apr 22, 2002 at 05:26:17PM -0500, Jeff Licquia wrote:
> > Unfortunately, no one is perfect.  Are you claiming the title?  If you
> > are, thanks for letting us know; we need to start auditing all of your
> > projects right away. :-)
> 
> I don't think you will find buffer overflows in my code. At least not
> any overflow libsafe would protect against. If you don't want to know
> all details of string manipulation use a higher level language. If
> you want to program C and want to manipulate strings do it right.

You didn't get my joke, even with the smiley.  This could mean that you
just don't have a sense of humor, or it could mean that you're
dangerous.

If you really believe that you're incapable of making mistakes just
because you know something about the (im)proper use of strcpy(), then
you're an accident waiting to happen.

> > The best security plan makes use of layers.  This way, a screwup on one
> > layer has a chance of being compensated for on another.  That's why we
> > still have both tcp-wrappers and ipchains, for example.
> 
> The best security thing is to write clean code and make the system
> less vulnerable by the design of the system.

This is absolutely, positively incorrect.  Nothing could be further from
the truth.

If your security model depends on everyone doing design and code work
being perfect, then your security fails the moment someone makes a
mistake.  This means your security falls fairly quickly, since everyone
overlooks things, makes mistakes, etc.  OTOH, if you design your
security system in a layered fashion, with failsafes, then there's a
chance that your mistake will be covered by some other check.  If the
other failsafe logs its activation, so much the better; you'll be
notified of a problem in your code, and you can fix it.

I'm not faulting clean code and good design here.  Every little bit
helps.  But you're a fool if you trust in clean code and clean design as
your primary security bulwark.

> Every programmer with a little bit of experience can find the problems
> libsafe tries to protect you from. It only checks some functions of
> being misused. The list of functions according to the README are:
> strcpy()
> strcat()
> getwd()
> gets()
> [vf]scanf()
> realpath()
> [v]sprintf()
> 
> Those functions are actually the most obvious buffer overflows. If
> programs have this kind of buffer overflows, I wonder what kind of
> other security problems they have. Saying that libsafe doesn't protect
> against buffer overflows in general, only the most obvious ones. It
> even gives you a false feeling of being secure.

I'll take your word for it, though I am suspicious.  (strcpy() isn't
always a security hole, for example; it's possible to use it safely,
even if there are better ways to do the same thing.)

My main objection in this whole thread are these ideas you seem to have
that:

 - new ideas aren't worth trying

 - incomplete ideas aren't worth expanding upon

 - you're incapable of making stupid mistakes

The former two just mean that you're cranky, but the last is troubling.
There are a lot of examples of people in history who made stupid
mistakes because they had an inflated sense of their own infallibility.

You should always have an innate fear of your own code, and should
always suspect it to be riddled with errors; that will prompt you to
look for them more closely.  That is Rule One of secure programming.
The moment you catch yourself saying "I'd never do that" is the moment
you should do penance for having such thoughts.
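The point above that strcpy() is not always a hole, only a call whose safety depends on a length precondition that somebody has to enforce, shown beside the unbounded pattern that libsafe's interception of strcpy() exists to catch. This is an added C example, not code from this message or from libsafe; the helper names checked_copy and unchecked_copy and the sample strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not from libsafe or from the thread: copy src into
 * dst only when it provably fits, otherwise refuse and leave dst untouched.
 * Returns 0 on success and -1 when src plus its terminating NUL would not fit. */
int checked_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)   /* need n characters plus one byte for the NUL */
        return -1;
    /* The bound is established, so the unbounded call is safe at this point:
     * the explicit check is what makes strcpy() acceptable here. */
    strcpy(dst, src);
    return 0;
}

/* The pattern libsafe's strcpy() interception exists to catch: an unbounded
 * copy whose safety rests entirely on every caller having validated the
 * length beforehand. It is correct only while that precondition holds at
 * every call site, which is exactly the kind of slip a second layer of
 * checking is meant to absorb. Shown for contrast; never called below. */
void unchecked_copy(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Returns 1 if a string that fits is copied intact, 0 otherwise. */
int example_fits(void)
{
    char buf[16] = {0};
    if (checked_copy(buf, sizeof buf, "debian-devel") != 0)   /* 12 chars + NUL */
        return 0;
    return strcmp(buf, "debian-devel") == 0;
}

/* Returns 1 if an over-long string is refused and the buffer is left untouched. */
int example_too_long(void)
{
    char buf[16] = "unchanged";
    const char *too_long = "this string is longer than sixteen bytes"; /* constructed */
    if (checked_copy(buf, sizeof buf, too_long) != -1)
        return 0;
    return strcmp(buf, "unchanged") == 0;
}

/* Boundary: exactly dstsz-1 characters fit, dstsz characters do not
 * (the off-by-one that forgets the NUL is the classic mistake). */
int example_boundary(void)
{
    char buf[8];
    return checked_copy(buf, sizeof buf, "1234567") == 0
        && checked_copy(buf, sizeof buf, "12345678") == -1;
}

int main(void)
{
    printf("fits: %d, too_long refused: %d, boundary: %d\n",
           example_fits(), example_too_long(), example_boundary());
    return 0;
}
```

The only difference between the two copies is where the length check lives. checked_copy carries its own, so a caller cannot forget it; unchecked_copy pushes the obligation onto every caller, and a wrapper like libsafe is the layer that catches the call site that forgot.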