User interface, security, and "simplicity"

James A. Donald jamesd at echeque.com
Tue May 6 20:27:48 EDT 2008 

 > > The same is true in the source code, unsafe
 > > practices are avoided globally, (e.g. both strcpy()
 > > and strncpy() are absent together with fixed size
 > > automatic buffers) rather than used with care
 > > locally. I won't bore you with all the
 > > implementation safety "habits", but there are many.

David Wagner wrote:
 > It's too bad that today such elementary practices are
 > something to brag about.  Perhaps one day we'll be
 > lucky enough that the answer to these questions
 > becomes more like "of course we use safe programming
 > practices; what kind of incompetent amateurs do you
 > take us for?".

Dynamic strings tempt people to forget about enforcing
length limits and forget about correctly handling the
case when the length limits are exceeded.

There is no such thing as a string with no maximum
length, merely strings of UNKNOWN maximum length.  If
one has dynamic buffers and fully dynamic strings, it is
always possible for an attacker to discover the
previously UNKNOWN maximum length, and exceed it,
causing the program to fail in a manner likely to be
useful to the attacker.

In any program subject to attack, all strings should
have known, documented, and enforced maximum length, a
length large enough for all likely legitimate uses, and
no larger.

If enforcing length limits, it is frequently advisable,
and often necessary, to use, not strcpy or strncpy, but
routines such as _mbscpy_s, string manipulation routines
which can, and frequently do, employ buffers of fixed
and known length, sometimes pre-allocated fixed length.

In C++, incomprehensibly obscure functions such as
_mbscpy_s should never be called directly, but rather
called through a template library that automatically
does the sensible thing when the destination parameter
is a fixed length buffer, and can be relied upon to
object when commanded to do the stupid thing.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list