
Insecurity blues: What I learned from my buggy code

Filed under
Software

It hasn't been a good month for my code. Samba, the project I'm responsible for, has had to announce several security flaws. Unfortunately some of them were in code I wrote. I always do a large amount of soul-searching whenever that happens. There's nothing worse than finding out something you were responsible for is the cause of many thousands of people having to waste their time rolling out patches. It always makes me wonder if the time has come to give up this programming lark and end my days peacefully in management, messing up other people's code instead of creating my own.

It's very educational however to look at the causes of the flaws, and try and learn what we can from the bugs and also our reactions to them. Samba is an old program. The initial code was originally written 15 years ago. At that time, modern security problems such as integer wrap (where adding two numbers together can end up with a number smaller than both of them, due to the fixed sizes of integers that processors deal with), or heap overflow vulnerabilities (where overwriting unallocated memory on the program heap can allow a clever attacker to seize control of a program) were unheard of. We knew about buffer overruns (where reading more data into a buffer than was originally allocated for it can cause a security breach) and denial of service attacks, but 1992 was a simpler, less hostile time for network software development. Most initial deployments of Samba were on networks isolated from the main Internet, by technically advanced administrators who knew how to download the source code from the Internet.

More here
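As an added illustration of the integer wrap the excerpt describes (example code, not from the post or from Samba), here is a 32-bit length calculation first left unchecked and then guarded with the overflow check a defender would add; the field names header_len and payload_len are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed example: two 32-bit length fields taken from a message are
 * added together to size a buffer. Names are hypothetical.
 */

/* Unchecked: the sum wraps modulo 2^32, so it can be smaller than both
 * inputs, which is exactly the "integer wrap" the post describes. */
uint32_t unchecked_total(uint32_t header_len, uint32_t payload_len)
{
    return header_len + payload_len;
}

/* Checked: refuse the message instead of letting the sum wrap. The test is
 * phrased on the inputs so that it cannot itself overflow. */
bool checked_total(uint32_t header_len, uint32_t payload_len, uint32_t *out)
{
    if (payload_len > UINT32_MAX - header_len)
        return false;           /* would wrap: reject the message */
    *out = header_len + payload_len;
    return true;
}

/* True when the unchecked path would size a buffer too small to hold the
 * payload about to be copied into it, i.e. the heap-overflow precondition. */
bool unchecked_buffer_too_small(uint32_t header_len, uint32_t payload_len)
{
    return unchecked_total(header_len, payload_len) < payload_len;
}

int main(void)
{
    uint32_t total = 0;
    uint32_t hdr = 0x20u, payload = 0xFFFFFFF0u;  /* constructed hostile lengths */

    printf("unchecked total: 0x%08x (too small: %s)\n",
           unchecked_total(hdr, payload),
           unchecked_buffer_too_small(hdr, payload) ? "yes" : "no");
    printf("checked total accepted: %s\n",
           checked_total(hdr, payload, &total) ? "yes" : "no");
    return 0;
}
```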
