Language Selection

English French German Italian Portuguese Spanish

Insecurity blues: What I learned from my buggy code

Filed under
Software

It hasn't been a good month for my code. Samba, the project I'm responsible for, has had to announce several security flaws. Unfortunately some of them were in code I wrote. I always do a large amount of soul-searching whenever that happens. There's nothing worse than finding out something you were responsible for is the cause of many thousands of people having to waste their time rolling out patches. It always makes me wonder if the time has come to give up this programming lark and end my days peacefully in management, messing up other people's code instead of creating my own.

It's very educational however to look at the causes of the flaws, and try and learn what we can from the bugs and also our reactions to them. Samba is an old program. The initial code was originally written 15 years ago. At that time, modern security problems such as integer wrap (where adding two numbers together can end up with a number smaller than both of them, due to the fixed sizes of integers that processors deal with), or heap overflow vulnerabilities (where overwriting unallocated memory on the program heap can allow a clever attacker to seize control of a program) were unheard of. We knew about buffer overruns (where reading more data into a buffer than was originally allocated for it can cause a security breach) and denial of service attacks, but 1992 was a simpler, less hostile time for network software development. Most initial deployments of Samba were on networks isolated from the main Internet, by technically advanced administrators who knew how to download the source code from the Internet.

More here




More in Tux Machines

OSS Leftovers

  • DataBasin - object inspector and updates
    First, the underlying DataBasinKit framework got an important update.
  • In-demand dev skills, understanding licensing, and more open source news
  • Higher ed systems expanding access to open-source materials
    Open-source learning technology is at the core of higher education for institutions that want to reach broader audiences with very strict ideas about how convenient learning should be. But developing these initiatives does not happen quickly or easily. It requires strong leadership in information technology, expertise to determine which solutions work best for a campus, and a financial commitment to making sure the technology is sustainable.
  • Proxmark Pro Proxmark3 Standalone Open Source RFID Tester (video)
    Rysc Corp has unveiled a new open source board in the form of the Proxmark Pro which now offers a true standalone client and RFID test instrument, check out the video below to learn more. The Proxmark Pro will feature an FPGA with 5 times the logic cells of the Proxmark3 and will remove the need to switch between HF and LF bit streams during operation, to use developers.
  • ErupteD Brings Vulkan To The D Programming Language
    The D programming language is just the latest to have support for Vulkan alongside C++, Rust (via Vulkano, if you missed that project), Go, and many other modern languages getting bindings for this Khronos Group high performance graphics API. Should you not be familiar with the D language, see Wikipedia.

Leftovers: Security