
Re: [hackers-il] origins of strncpy

  • Elad Efrat
    Message 1 of 46 , Jan 12, 2005
      sizeof was brought on a discussion as related, in some manner, to
      security and i believe was said (?) to be more secure when used
      without parentheses; that's why i brought the openbsd example.

      and tzafrir, let's face it - linux is not the best OS available. it's not
      the most secure, Ulrich Drepper or the other no-named linux
      zealots on this thread aren't even making the slightest impression
      on me. if you take the fact that he's working for redhat it even
      *reduces* his status - i believe we all know how 'secure' redhat
      linux is. :)

      david wheeler mentions these functions. nearly every project
      that's taking security seriously, including netbsd, freebsd, python,
      perl, php, and smaller software projects encourages the use of
      strlcpy()/strlcat(). so why do i have to trust this person, who's
      working for a commercial linux vendor with no respected
      security reputation, for anything he says?

      i dont accept any of the arguments in the thread you posted.
      i think you posted it just after a short google search for some
      arguments *against* the use of strlcpy()/strlcat(), which is
      pretty amateur. the use of these functions *PREVENTS*
      your code from being exploitable. it does not mean it has
      no bugs - it merely means that these bugs don't get your
      entire machine owned by some 14 year old kid.

      what Ulrich Drepper is effectively saying is that the bugs
      should be fixed in a code audit that makes sure the code
      in the program is 'correct'. that, of course, is the ideal.
      looking further though we see that (again) openbsd is the
      only project actually doing this tree-wide source audit,
      and that's what it's known for.

      however, as the openbsd project recently agreed, the
      security of a host is not dependent only on the OS but
      also the programs running on it; and by layering security
      by means of both kernel and library secure routines you
      only give tools to the programmer with less room for
      mistakes, or reduce the effect of a mistake.

      as hard as it may be for you to understand, which i'm
      quite surprised at since you're in the technion and all,
      this is perfectly acceptable and agreeable in all levels
      of the open source world; that's the entire perception
      of niels provos' privilege separation too - you enforce
      limits on what the program can do hence reducing the
      possible damage an attacker may cause.

      if mr. ulrich drepper or the other linux fans truly think
      that correct code is the way to go, then i invite them
      to start auditing all linux kernel and userland code,
      write patches for software packages (RPMs?) they
      consider insecure (after auditing them as well) to
      make sure the users of their OS get the best security
      they can offer.

      until they do that, though, i invite *you* and
      everyone else to get off the tree you climbed to and
      understand that the linux developers are *not* the
      most security concerned developers in the world,
      and as much as linux is used and supported, its
      security reputation isn't as good and respected
      as openbsd's.

      and, if we're already *that* off-topic, (heh) i
      suggest you waste your time reading the paper
      by ulrich drepper titled "Security Enhancements
      in RHEL", and then after you saw all the trash
      he's talking about, look at openbsd's W^X
      mechanism that solves all the problems he's so
      worried about (that strlcpy()/strlcat() solve too)
      and then proceed to read his hilarious arguments
      about how static linking is dangerous.

      once done, you can probably google for some
      more 5-year-old commentary on the de-facto
      standard in secure string copying and concatenation ;)

      >
      > On Wed, Jan 12, 2005 at 06:56:32PM +0200, Elad Efrat wrote:
      > >
      > > i find it funny that someone who's writing 'secure' code for a living
      > > has no clue about _snprintf() in win32. :) but then again - you're a
      > > hacker and i'm not.
      > >
      > > on an openbsd 3.6 system:
      > >
      > > $ pwd
      > > /usr/src/lib/libc/stdio
      > > $ grep sizeof *.c | wc -l
      > > 26
      > > $ grep -e 'sizeof[ ]*[A-Za-z_]' *.c | wc -l
      > > 0
      > > $ grep -e 'sizeof[ ]*([A-Za-z_]' *.c | wc -l
      > > 26
      > > $ cd /usr/src/sys/kern
      > > $ grep sizeof *.c | wc -l
      > > 579
      > > $ grep -e 'sizeof[ ]*[A-Za-z_]' *.c | wc -l
      > > 26
      > > $ grep -e 'sizeof[ ]*([A-Za-z_]' *.c | wc -l
      > > 498
      > > $
      > >
      > > i suggest you tell the developers of the most secure OS about
      > > your new secure programming technology of *not* using the
      > > pointless and rather useless (...) parentheses when using sizeof;
      > > maybe even remove it from the C standard.
      >
      > Adi wrote that this is basically a matter of style.
      >
      > If openbsd's conventions would prefer 'if(' to 'if (' or vice-versa
      > would that be such a proof that one version is more secure than the
      > other?
      >
      > >
      > > lots of suggestions, when it comes to secure programming, will
      > > look as a matter of style. that does not mean, however, that style
      > > is not also a part of secure programming. your style is considered
      > > left-overs, just like K&R function prototypes, the __P() macro,
      > > etc..
      >
      > And you have yet to support your claims with solid arguments.
      >
      > If strlcat and strlcpy are so perfect, why are they not in glibc?
      >
      > Read, for instance, the following thread:
      >
      > http://sources.redhat.com/ml/libc-alpha/2000-08/msg00052.html
      >
      > --
      > Tzafrir Cohen +---------------------------+
      > http://www.technion.ac.il/~tzafrir/ |vim is a mutt's best friend|
      > mailto:tzafrir@... +---------------------------+
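As an added illustration of the strncpy vs strlcpy() point argued in the message above (example code written for this page, not taken from OpenBSD, glibc or any poster): `my_strlcpy` is a hypothetical portable reimplementation with the BSD semantics, and the two helper functions show on a 16-byte buffer why strncpy can leave an unterminated string while strlcpy always terminates and reports truncation.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical portable strlcpy (BSD semantics, written for this example):
 * copies at most dstsize-1 bytes, always NUL-terminates when dstsize > 0,
 * and returns strlen(src) so the caller can detect truncation
 * (return value >= dstsize means the copy was cut short). */
size_t my_strlcpy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize > 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* strncpy pitfall: if src has dstsize or more bytes, strncpy writes no NUL
 * and the destination is not a C string. Returns 1 when a NUL ended up
 * within the first dstsize bytes, 0 when the result is unterminated. */
int strncpy_terminated(const char *src, size_t dstsize)
{
    char dst[16];                  /* sizeof dst: the variable, not the type */
    if (dstsize > sizeof dst) dstsize = sizeof dst;
    memset(dst, 'X', sizeof dst);  /* poison so a missing NUL is visible */
    strncpy(dst, src, dstsize);
    return memchr(dst, '\0', dstsize) != NULL;
}

/* Same copy via my_strlcpy: returns 1 if src was truncated, 0 otherwise.
 * Either way the destination is a valid, NUL-terminated string. */
int strlcpy_truncated(const char *src, size_t dstsize)
{
    char dst[16];
    if (dstsize > sizeof dst) dstsize = sizeof dst;
    return my_strlcpy(dst, src, dstsize) >= dstsize;
}

/* Length of the string my_strlcpy leaves in the buffer (at most dstsize-1),
 * so the truncated result can be inspected. */
size_t strlcpy_result_len(const char *src, size_t dstsize)
{
    char dst[16];
    if (dstsize > sizeof dst) dstsize = sizeof dst;
    my_strlcpy(dst, src, dstsize);
    return strlen(dst);
}
```

The truncation signal (return value >= dstsize) is what lets a caller log or reject an over-long input instead of silently proceeding with a mangled string.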
    • omer mussaev
      Message 46 of 46 , Jan 19, 2005
        --- Elad Efrat <elad@...> wrote:

        >
        > > > In light of the above, Guy's advice sounds
        > pretty
        > > > reasonable, modulo s/char/TCHAR/g.
        > >
        > > No no... That's the whole point... sizeof should
        > refer to the
        > > _variable_, not to the _type_. I said that if
        > wchar use is an
        > > option, then it even makes sense to sizeof a
        > character array item.
        > > But _types_ should not be sizeof'd this way,
        > because the result is
        > > no better than well-documented constants.
        >
        > i thought we already agreed on this. are we not
        > taking
        > programming advices from microsoft? :)

        Since when Guy Keren is microsoft? A link to MSDN
        was only to illustrate how UCS2 can be character
        as well.


        =====
        --
        o.m.