Insecurity blues: What I learned from my buggy code

Filed under
Software

It hasn't been a good month for my code. Samba, the project I'm responsible for, has had to announce several security flaws. Unfortunately some of them were in code I wrote. I always do a large amount of soul-searching whenever that happens. There's nothing worse than finding out something you were responsible for is the cause of many thousands of people having to waste their time rolling out patches. It always makes me wonder if the time has come to give up this programming lark and end my days peacefully in management, messing up other people's code instead of creating my own.

It's very educational, however, to look at the causes of the flaws and try to learn what we can from the bugs, and also from our reactions to them. Samba is an old program. The initial code was originally written 15 years ago. At that time, modern security problems such as integer wrap (where adding two numbers together can end up with a number smaller than both of them, due to the fixed sizes of integers that processors deal with) or heap overflow vulnerabilities (where overwriting unallocated memory on the program heap can allow a clever attacker to seize control of a program) were unheard of. We knew about buffer overruns (where reading more data into a buffer than was originally allocated for it can cause a security breach) and denial of service attacks, but 1992 was a simpler, less hostile time for network software development. Most initial deployments of Samba were on networks isolated from the main Internet, by technically advanced administrators who knew how to download the source code from the Internet.
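The two bug classes the paragraph defines, integer wrap and buffer overrun, usually meet in one place: a length field read from the network is added to a header size and used to allocate or copy. The following C code is an added illustration, not Samba code; `checked_add_size`, `naive_total` and `parse_record` are hypothetical names, and the records are constructed inline. It shows the sum silently wrapping to a small value, and the defensive pattern of checking for wrap and bounding the copy against both the bytes actually received and the destination's capacity.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: store a+b in *out and return 1, or return 0 if the
   sum would wrap around size_t. Checking before adding avoids relying on
   the (wrapped) result. */
int checked_add_size(size_t a, size_t b, size_t *out) {
    if (a > SIZE_MAX - b)
        return 0;
    *out = a + b;
    return 1;
}

/* The naive version of the same sum: on fixed-width integers it wraps, so a
   huge attacker-supplied length can produce a tiny total. Kept only to show
   the failure mode the text describes. */
size_t naive_total(size_t header_len, size_t payload_len) {
    return header_len + payload_len;
}

/* Parse a constructed record layout: 2-byte big-endian payload length
   followed by the payload. Copies the payload into dst (capacity dst_cap).
   Returns bytes copied, or -1 when the record is malformed or would not fit. */
long parse_record(const unsigned char *buf, size_t buf_len,
                  unsigned char *dst, size_t dst_cap) {
    if (buf_len < 2)
        return -1;                       /* not even a complete length field */
    size_t claimed = ((size_t)buf[0] << 8) | buf[1];
    size_t total;
    /* Wrap check is redundant for a 16-bit field, but it is the general
       pattern for wider length fields. */
    if (!checked_add_size(2, claimed, &total))
        return -1;
    if (total > buf_len)
        return -1;                       /* claimed more than we received */
    if (claimed > dst_cap)
        return -1;                       /* would overrun the destination */
    memcpy(dst, buf + 2, claimed);
    return (long)claimed;
}

int main(void) {
    /* Constructed sample records. */
    const unsigned char good[] = {0x00, 0x03, 'a', 'b', 'c'};
    const unsigned char lying[] = {0xFF, 0xFF, 'a'}; /* claims 65535 bytes */
    unsigned char out[16];

    printf("naive_total(SIZE_MAX, 2) = %zu (wrapped)\n", naive_total(SIZE_MAX, 2));
    printf("good record -> %ld bytes\n", parse_record(good, sizeof good, out, sizeof out));
    printf("lying record -> %ld\n", parse_record(lying, sizeof lying, out, sizeof out));
    return 0;
}
```

The order of the checks matters: the wrap test runs before the sum is used, and both bounds (bytes received and destination capacity) are enforced independently, so neither a forged length nor a smaller-than-expected destination can cause a copy past the end of a buffer.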

More here

More in Tux Machines

OnePlus 5T review: Come for the value, not the excitement

OnePlus isn't interested in holding back on specs, features or capabilities to make a big reveal of a new phone just once a year. The scrappy company has settled in on a refresh cycle every six months, with a big release followed by a mid-cycle bump to bring in the latest things it's been working on. The OnePlus 5T isn't meant to be an innovative leap of technology that blows your socks off — and honestly, none of its predecessors have been particularly groundbreaking, either. Nope, the 5T is still about value, simplicity and being tuned for what the Android enthusiast crowd craves from its phones. At $479 there wasn't much about the OnePlus 5 you could find a flaw with. Now six months later with a bigger screen, new secondary camera, neat Face Unlock feature and a $20 price bump, it's a pretty easy equation to figure out. Read more

DragonBoard gains a camera kit

Arrow’s DragonBoard 410c Camera Kit combines the 96Boards SBC with D3’s DesignCore Camera Mezzanine Board OV5640 and a 5-megapixel camera module. D3 Engineering’s DesignCore Camera Mezzanine Board OV5640 is a 96Boards mezzanine add-on designed to work only with the Arrow Electronics/Qualcomm DragonBoard 410c. Arrow and D3 have now launched a kit that provides a DragonBoard 410c with the D3 board and a miniature 5-megapixel autofocus camera module. The kit’s Linux software runs on the 96Boards CE SBC’s quad-core Cortex-A53 based Snapdragon 410 SoC. Read more

OnePlus 5T review—An outstanding combination of specs, design, and price

After launching the OnePlus 5 earlier this year, OnePlus is back with an end-of-year upgrade for the device. The OnePlus 5T takes a winning formula—high-end specs with a low price tag and a metal body—and reworks the front of the phone to dedicate as much space as possible to the screen. This device has a new screen, a new button layout, a new fingerprint reader, and a new camera setup. It almost feels like a totally new device. We liked the OnePlus 5 from earlier in the year, but, with the more modern design, OnePlus has fixed OnePlus 5's biggest downside. The result is something that is extremely compelling—a $500 phone that makes you question exactly why you'd give $800 to those other OEMs when this has nearly everything the more expensive phones have. Read more

Linus Torvalds: 'I don't trust security people to do sane things'

Linus Torvalds has offered his thoughts on Linux security approaches, branding some security professionals as "f*cking morons" for focusing on process-killing rather than debugging. Torvalds, the creator and principal developer of the Linux kernel, does not often pull his punches when it comes to the kernel's behaviors and security. The engineer carried on the tradition over the weekend, as Google Pixel developer Kees Cook submitted a pull request for hardened usercopy changes for v4.15-rc1, which according to Cook, narrows areas of memory "that can be copied to/from userspace in the face of usercopy bugs by adding explicit whitelisting for slab cache regions." Read more Also: Linux creator slams security bods