Language Selection

English French German Italian Portuguese Spanish

Insecurity blues: What I learned from my buggy code

Filed under
Software

It hasn't been a good month for my code. Samba, the project I'm responsible for, has had to announce several security flaws. Unfortunately some of them were in code I wrote. I always do a large amount of soul-searching whenever that happens. There's nothing worse than finding out something you were responsible for is the cause of many thousands of people having to waste their time rolling out patches. It always makes me wonder if the time has come to give up this programming lark and end my days peacefully in management, messing up other people's code instead of creating my own.

It's very educational however to look at the causes of the flaws, and try and learn what we can from the bugs and also our reactions to them. Samba is an old program. The initial code was originally written 15 years ago. At that time, modern security problems such as integer wrap (where adding two numbers together can end up with a number smaller than both of them, due to the fixed sizes of integers that processors deal with), or heap overflow vulnerabilities (where overwriting unallocated memory on the program heap can allow a clever attacker to seize control of a program) were unheard of. We knew about buffer overruns (where reading more data into a buffer than was originally allocated for it can cause a security breach) and denial of service attacks, but 1992 was a simpler, less hostile time for network software development. Most initial deployments of Samba were on networks isolated from the main Internet, by technically advanced administrators who knew how to download the source code from the Internet.

More here




More in Tux Machines

LibreOffice 5, a foundation for the future

The release of the next major version of LibreOffice, the 5.0, is approaching fast. In several ways this is an unique release and I’d like to explain a bit why. Read more

Samsung Continues to Lessen Android Dependence

Samsung's partnership with members of the Linux Foundation appears to be bearing fruit. The partnership's mobile operating system -- dubbed Tizen -- is Linux-based. Samsung's initial Tizen phone rollout was rocky: The company's highly anticipated Samsung Z launch in Russia was quickly canceled last year, and the company blamed concerns about the ecosystem for the delay. Unfortunately, in many cases, ecosystem development presents a "chicken and egg" problem: Developers won't build apps until you have users, and users won't select your product until you have apps. Read more

Linux 4.2 Offers Performance Improvements For Non-Transparent Bridging

The Non-Transparent Bridge code is undergoing a big rework that has "already produced some significant performance improvements", according to its code maintainer Jon Mason. For those unfamiliar with NTB, it's described by the in-kernel documentation, "NTB (Non-Transparent Bridge) is a type of PCI-Express bridge chip that connects the separate memory systems of two computers to the same PCI-Express fabric. Existing NTB hardware supports a common feature set, including scratchpad registers, doorbell registers, and memory translation windows." Or explained simply by the Intel Xeon documentation that received the NTB support, "Non-Transparent Bridge (NTB) enables high speed connectivity between one Intel Xeon Processor-based platform to another (or other IA or non-IA platform via the PCIe interface)." Read more

Benchmarks Of 54 Different Intel/AMD Linux Systems

This week in celebrating 200,000 benchmark results in our LinuxBenchmarking.com test lab, I ran another large comparison against the latest spectrum of hardware/software in the automated performance test lab. Read more