Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

LibSafe

  • 27-06-2000 3:33pm
    #1
    ecksor
    Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭


    Interesting library from Bell labs to try and prevent stack smashing exploits. Linux only at the minute unfortunately. http://www.bell-labs.com/org/11356/libsafe.html



Comments

  • #2
    anonym00se
    Closed Accounts Posts: 60 ✭✭anonym00se


    2 other things that might be helpful
    in this area

    * Stack guard http://immunix.org/stackguard.html

    *Unix secure programming FAQ
    http://packetstorm.securify.com/programming-tutorials/secure-faq.html

    [This message has been edited by anonym00se (edited 27-06-2000).]


  • #3
    ecksor
    Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Originally posted by anonym00se:

    * Stack guard http://immunix.org/stackguard.html

    *Unix secure programming FAQ
    http://packetstorm.securify.com/programming-tutorials/secure-faq.html

    Well, both of these require source code but are certainly worth paying heed to.
    One quick point tho. Stack smashing exploits have existed at least in theory for as long as C has been around and yet they're still cropping up. Programmers should be better educated in safe programming practices, but they're not frown.gif
    What I mean is that buffer overflow exploits aren't going anyway, and I'm not sure that open source is going to ever get rid of them, because the facility for peer review doesn't guaruntee peer review or that your peer is going to spot your poor memory allocation/race condition/whatever.

    There was a good article covering a lot more of these issues recently at http://www.infosecuritymag.com/apr2000/cryptorhythms.htm

    So, I'm all in favour of building as much safety into the language as possible smile.gif



  • #4
    ecksor
    Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Originally posted by bedlam:

    as his highness point out to, the secure programming faq is exactly what a programmer need. Granted it is nice to have things like libSafe and stackguard. But in the long run it just makes programmers sloppy, as end up relying on those tools too much.


    You're missing my point. LibSafe is not a development tool. Tools like these don't make programmers sloppy. Programmers are sloppy anyway. Either through ignorance, laziness, pressure for deadlines, whatever. Good coding guidelines have been around for years and we're still seeing bugs. The primary language for writing a unix application is still C (this isn't likely to change for quite some time) and the language contains no protection against human error in relation to guarding the stack or heap.

    Personally, I'm very confident in my C coding abilities and I've studyed (and restudyed) several safe coding guidelines. So, if I don't fsck up, then I should be able to spot potential flaws in design and coding etc and write a secure application. If I don't fsck up.

    Not every developer is going to
    a) spend two years studying/practicing this.
    b) going to know/care about this threat anyway.

    And even then, you're relying on no error on the part of the programmer. Personally, I think that there are enough security threats associated with program design and algorithm implementation for a coder to worry about already that are not so easily solved, so why not use a system that gives a the programmer less rope to play with?

    [This message has been edited by X_OR (edited 28-06-2000).]


  • #5
    spod
    Registered Users, Registered Users 2 Posts: 332 ✭✭spod


    sigh

    he's my hero.....


  • #6
    Trojan
    Registered Users, Registered Users 2 Posts: 16,414 ✭✭✭✭Trojan


    Originally posted by bedlam:

    I still find it a rather sad state of affairs when there are all these guidelines, but people for reasons you stated dont actually adhere to them. If people are going to cut corners they should work in Burger King (lets face it much nicer food than McDonalds) instead.

    Hmm.

    Case in point: I was just talking to this 30yr old guy last week about programming, he says to me that he played guitar for 10 years (nothing wrong with that) and he's just got into programming "cos it's where the money is" (his, not mine).

    He taught himself html/Perl from a book 9 months ago, and he's working in a startup doing e-commerce sites. He says he's the sole CGI programmer.

    Does anyone else find this a bit scary?

    (For the record, IANASecurity guy, rather a programmer, and not very experienced at that.)

    I find the amount of standards to be followed, company stds, industry stds, security stds, quite daunting, but I understand the importance of such. There's too many fly-by-nights messing about who don't even know what a bloody RFC is.

    Al.

    PS. And supermacs is far superior to both.

    [This message has been edited by Trojan (edited 12-07-2000).]

    🎙️ The Recognized Authority Podcast



  • Advertisement
Advertisement