Security is the bits you disable before you ship

Russell Nelson nelson at crynwr.com
Wed Mar 16 11:05:57 EST 2005


Steven M. Bellovin writes:
 > That's not new, either.  I believe it was Tony Hoare who likened this 
 > to sailors doing shore drills with life preservers, but leaving them 
 > home when they went to sea.  I think he said that in the 1970s; he said 
 > this in his Turing Award lecture:
 > 
 > 	The first principle was security...  A consequence of this
 > 	principle is that every occurrence of every subscript of
 > 	every subscripted variable was on every occasion checked
 > 	at run time...  I note with fear and horror that even in
 > 	1980, language designers and users have not learned this
 > 	lesson.

This is true; however, I've seen Dan Bernstein (and you don't get much
more careful or paranoid about security than Dan) write code like
this:

/* fmt_ulong and fmt_str are from D. J. Bernstein's fmt.h (qmail/djbdns);
   len is assumed to be declared earlier, outside this excerpt */
#include "fmt.h"

static char line[999];               /* fixed-size buffer, sized by hand */

  len = 0;
  len += fmt_ulong(line + len,rp);   /* at most the decimal digits of an unsigned long */
  len += fmt_str(line + len," , ");  /* constant: 3 bytes */
  len += fmt_ulong(line + len,lp);
  len += fmt_str(line + len,"\r\n"); /* constant: 2 bytes */

Of course, the number of characters that fmt_ulong will insert is
limited by the number of bits in an unsigned long, and both strings
are of constant length.

-- 
--My blog is at     blog.russnelson.com         | The laws of physics cannot
Crynwr sells support for free software  | PGPok | be legislated.  Neither can
521 Pleasant Valley Rd. | +1 315-323-1241 cell  | the laws of countries.
Potsdam, NY 13676-3213  | +1 212-202-2318 VOIP  | 
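As an added illustration of the bound the post invokes (example code, not from the post and not Bernstein's own sources; my_fmt_ulong, my_fmt_str, build_line, FMT_ULONG_MAX and LINE_MAX_LEN are names chosen here), the same four formatting calls with the worst-case line length derived from the width of unsigned long and checked at compile time, so shrinking the buffer fails the build instead of overflowing at run time:

```c
/* Added example, not the post's code nor D. J. Bernstein's: a
 * fmt_ulong-style formatter plus the bound the post argues
 * informally, checked at compile time instead of at run time. */
#include <limits.h>
#include <string.h>

/* Worst case for a decimal unsigned long: 3 digits per byte is a safe
 * over-estimate (DJB's fmt.h defines a similar constant, FMT_ULONG). */
#define FMT_ULONG_MAX (sizeof(unsigned long) * 3 + 1)

static char line[999];          /* same fixed buffer as in the post */

/* Write the decimal digits of u at s (no NUL) and return the count;
 * as in DJB's fmt_ulong, s == NULL only measures the length. */
static unsigned int my_fmt_ulong(char *s, unsigned long u) {
    unsigned int len = 1;
    unsigned long q = u;
    while (q > 9) { ++len; q /= 10; }
    if (s) {
        s += len;
        do { *--s = (char)('0' + u % 10); u /= 10; } while (u);
    }
    return len;
}

static unsigned int my_fmt_str(char *s, const char *t) {
    size_t n = strlen(t);
    if (s) memcpy(s, t, n);
    return (unsigned int)n;
}

/* Two bounded numbers plus two constant strings: the longest line the
 * sequence below can ever produce, known before the program runs. */
#define LINE_MAX_LEN (2 * FMT_ULONG_MAX + (sizeof " , " - 1) + (sizeof "\r\n" - 1))
/* Fails to compile if the buffer could ever be too small. */
typedef char line_fits_buffer[LINE_MAX_LEN < sizeof line ? 1 : -1];

/* Build "rp , lp\r\n" into line (NUL-terminated) and return its length. */
unsigned int build_line(unsigned long rp, unsigned long lp) {
    unsigned int len = 0;
    len += my_fmt_ulong(line + len, rp);
    len += my_fmt_str(line + len, " , ");
    len += my_fmt_ulong(line + len, lp);
    len += my_fmt_str(line + len, "\r\n");
    line[len] = 0;                  /* always fits: len <= LINE_MAX_LEN */
    return len;
}

const char *line_buf(void) { return line; }
```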

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com