www.digitalmars.com         C & C++   DMDScript  

digitalmars.D - Discussion on avoiding security vulnerabilities in C++

reply Walter Bright <newshound1 digitalmars.com> writes:
http://www.matasano.com/log/914/c-a-cautionary-tale-or-1-hour-of-your-black-hat-trip-is-spoken-for/
Jul 12 2007
next sibling parent reply Lutger <lutger.blijdestijn gmail.com> writes:
Walter Bright wrote:
 http://www.matasano.com/log/914/c-a-cautionary-tale-or-1-hour-of-your-black-hat
trip-is-spoken-for/ 
 

Interesting post, particularly the comment about iterators. It raises the question what security related bug classes can be found in D and are to be aware of. I'm no expert on this matter at all but what comes to mind: - inappropriate use of delegates (messing with the stack) - array slices / array bounds errors - inappropriate use of destructors (but probably not common) Or to put it another way, if D will get popular enough via what language constructs will software written in it most likely be exploited? The garbage collector implementation may have some issues? But this is not part of the language I suppose. And the objection that bare-metal (pointers) access is possible is not that relevant imho, since 1) D is a systems programming language after all and 2) this feature is not something that is the default nor is it dressed up as in C++. Any other concerns / thoughts / recommendations?
Jul 12 2007
next sibling parent BCS <ao pathlink.com> writes:
Reply to Lutger,

 Walter Bright wrote:
 
 http://www.matasano.com/log/914/c-a-cautionary-tale-or-1-hour-of-your
 -black-hat-trip-is-spoken-for/
 

the question what security related bug classes can be found in D and are to be aware of. I'm no expert on this matter at all but what comes to mind: - inappropriate use of delegates (messing with the stack) - array slices / array bounds errors - inappropriate use of destructors (but probably not common) Or to put it another way, if D will get popular enough via what language constructs will software written in it most likely be exploited? The garbage collector implementation may have some issues? But this is not part of the language I suppose. And the objection that bare-metal (pointers) access is possible is not that relevant imho, since 1) D is a systems programming language after all and 2) this feature is not something that is the default nor is it dressed up as in C++. Any other concerns / thoughts / recommendations?

Safe(er) delegate could be made by implicitly adding guards to stuff this |void fn() |{ | void nested fn(){} | | void delegate() dg = &fn; |} becomes this |void fn() |{ | long now = CPUTime; | struct Use | { | long then | void* pt | void nested fn() | { | assert(now == then); | | this = pt; // sudo code | goto _fn; // " | | } | } | Use* u = new Use; | u.then = now; | u.pt = StakFrame; | scope(exit) now = 0; | | | | void nested _fn(){} | | void delegate() dg = &u.fn; |} Replace delegates with function that do a chained call to the real thing after checking to see that a sentinel is correct.
Jul 12 2007
prev sibling next sibling parent Manfred Nowak <svv1999 hotmail.com> writes:
Lutger wrote

 what security related bug classes can be found in D

One of the main things I am after are protocols especially for interfaces. Not so arbitrary example: interface I{ void bind(); void connect(); void down(); void send(); void receive(); void close(); } One knows far too less form seeing this. This might be an interface for sockets where the sequence of the calls has to follow some restrictions that can be expressed by a regular expression or an even more complicated grammar. Let me assume a regular expression is enough: ("bind"|)(("connect"("send"|"receive")*("down"|))|)"close" D is currently unable to bind this information to an interface and enforce the appropriate call sequence in every class that derives from that interface. In case of a socket this might result in a resource leak when the call of the mandatory `close' is not enforced. If the optional `down' is also not called the socket might be open for an attacker ... -manfred
Jul 12 2007
prev sibling parent Clay Smith <clayasaurus gmail.com> writes:
Lutger wrote:
 Walter Bright wrote:
 http://www.matasano.com/log/914/c-a-cautionary-tale-or-1-hour-of-your-black-hat
trip-is-spoken-for/ 

Interesting post, particularly the comment about iterators. It raises the question what security related bug classes can be found in D and are to be aware of. I'm no expert on this matter at all but what comes to mind: - inappropriate use of delegates (messing with the stack) - array slices / array bounds errors - inappropriate use of destructors (but probably not common) Or to put it another way, if D will get popular enough via what language constructs will software written in it most likely be exploited? The garbage collector implementation may have some issues? But this is not part of the language I suppose. And the objection that bare-metal (pointers) access is possible is not that relevant imho, since 1) D is a systems programming language after all and 2) this feature is not something that is the default nor is it dressed up as in C++. Any other concerns / thoughts / recommendations?

Currently, if you don't 'new' your class, you go to crash land. Isn't this a potential security problem? if (rare_path) { use_class_without_init.func(); }
Jul 13 2007
prev sibling next sibling parent reply Georg Wrede <georg nospam.org> writes:
Walter Bright wrote:
 http://www.matasano.com/log/914/c-a-cautionary-tale-or-1-hour-of-your-black-hat
trip-is-spoken-for/ 

Lest anybody here has an insufficient awe and respect for Andrei, just read the above reference. Period.
Jul 13 2007
next sibling parent Sean Kelly <sean f4.ca> writes:
Georg Wrede wrote:
 Walter Bright wrote:
 http://www.matasano.com/log/914/c-a-cautionary-tale-or-1-hour-of-your-black-hat
trip-is-spoken-for/ 

Lest anybody here has an insufficient awe and respect for Andrei, just read the above reference. Period.

I think there's an up and a down side to having your name be synonymous with "code no one understands." :-) Sean
Jul 13 2007
prev sibling next sibling parent Bill Baxter <dnewsgroup billbaxter.com> writes:
Georg Wrede wrote:
 Walter Bright wrote:
 http://www.matasano.com/log/914/c-a-cautionary-tale-or-1-hour-of-your-black-hat
trip-is-spoken-for/ 

Lest anybody here has an insufficient awe and respect for Andrei, just read the above reference. Period.

Because the blogger uses the phrase "Alexandrescu-understandingy C++" ?? --bb
Jul 13 2007
prev sibling parent reply Walter Bright <newshound1 digitalmars.com> writes:
Georg Wrede wrote:
 Walter Bright wrote:
 http://www.matasano.com/log/914/c-a-cautionary-tale-or-1-hour-of-your-black-hat
trip-is-spoken-for/ 

Lest anybody here has an insufficient awe and respect for Andrei, just read the above reference. Period.

Once you work through the complexities of the C++, what Andrei is doing is rather simple. It's just that C++ obfuscates everything <g>. It's like I attended a presentation by Scott Meyers which was an application of C++ template metaprogramming. Most of the presentation was about how to do arrays of types. With D, that's trivial (as tuples), and the presentation would have been over in 5 minutes.
Jul 13 2007
parent reply Sean Kelly <sean f4.ca> writes:
Walter Bright wrote:
 
 It's like I attended a presentation by Scott Meyers which was an 
 application of C++ template metaprogramming. Most of the presentation 
 was about how to do arrays of types. With D, that's trivial (as tuples), 
 and the presentation would have been over in 5 minutes.

I was trying to figure out how to determine the return type of a member function using C++ template code the other day. Something that would take me two seconds in D had me tearing my hair out in C++. The result is that I simply don't do much serious metaprogramming in C++ because the machinations required are often just a complete mess. In D however, it's so straightforward that in most cases a novice could understand it. This is a huge win IMO. Sean
Jul 13 2007
next sibling parent reply James Dennett <jdennett acm.org> writes:
Sean Kelly wrote:
 Walter Bright wrote:
 It's like I attended a presentation by Scott Meyers which was an
 application of C++ template metaprogramming. Most of the presentation
 was about how to do arrays of types. With D, that's trivial (as
 tuples), and the presentation would have been over in 5 minutes.


With C++, it's trivial too, if you pick up a pre-built version (as you automatically do when you pick up your D compiler). The corresponding talk for D could have been on how to implement this inside the compiler rather than as a library. The library version has the advantage of working with many different underlying compilers, which is a non-issue for D at this time (given that there are 1.5 competing D compilers).
 I was trying to figure out how to determine the return type of a member
 function using C++ template code the other day.  Something that would
 take me two seconds in D had me tearing my hair out in C++.  The result
 is that I simply don't do much serious metaprogramming in C++ because
 the machinations required are often just a complete mess.  In D however,
 it's so straightforward that in most cases a novice could understand it.
  This is a huge win IMO.

C++ will be on its second standard, with easy support for such things as extracting the return type of a function, before the D community is involved with straightjackets such as standardization. (There's a published ISO Technical Report for C++ which also provides some interim support for this via std::tr1::result_of, though that's markedly less elegant than the C++0x equivalent, and can trivially be implemented in terms of decltype.) If you're free to use the latest greatest D, you may well be free to use not-yet-standard C++ features too. In which case what you mention above is trivial in C++. I do tire of this silly C++ bashing. D's actually not bad; why not let it stand on its own merits rather than badmouthing the language which most directly inspired it? -- James
Jul 13 2007
parent =?ISO-8859-1?Q?Anders_F_Bj=F6rklund?= <afb algonet.se> writes:
James Dennett wrote:

 I do tire of this silly C++ bashing.  D's actually not bad;
 why not let it stand on its own merits rather than badmouthing
 the language which most directly inspired it?

I'm tired of C++ period. Whether it is bashing or praising, I would have preferred if D would stand on it's own instead. --anders
Jul 14 2007
prev sibling parent reply Steve Teale <steve.teale britseyeview.com> writes:
Sean Kelly Wrote:

 Walter Bright wrote:
 
 It's like I attended a presentation by Scott Meyers which was an 
 application of C++ template metaprogramming. Most of the presentation 
 was about how to do arrays of types. With D, that's trivial (as tuples), 
 and the presentation would have been over in 5 minutes.

I was trying to figure out how to determine the return type of a member function using C++ template code the other day. Something that would take me two seconds in D had me tearing my hair out in C++. The result is that I simply don't do much serious metaprogramming in C++ because the machinations required are often just a complete mess. In D however, it's so straightforward that in most cases a novice could understand it. This is a huge win IMO. Sean

I remember reading the original Kernigan and Ritchie C book back in 1980 something. I read it from cover to cover without a break, and thought wow! This is the language for me. After many years of diversions (often known as work) I finally got round to taking a serious look at D, and found the sensation much the same. We are all on the same side.
Jul 14 2007
parent Walter Bright <newshound1 digitalmars.com> writes:
Steve Teale wrote:
 I remember reading the original Kernigan and Ritchie C book back in 1980
something.  I read it from cover to cover without a break, and thought wow!
This is the language for me.  After many years of diversions (often known as
work) I finally got round to taking a serious look at D, and found the
sensation much the same.

D to me is as fun as the early days of C++, even more so, in fact. And it's good to be working with you again!
Jul 14 2007
prev sibling parent Georg Wrede <georg nospam.org> writes:
Walter Bright wrote:
 http://www.matasano.com/log/914/c-a-cautionary-tale-or-1-hour-of-your-black-hat
trip-is-spoken-for/ 

While I read the article, and found quite a few (to me) new problems with C++, off-hand I don't have any D suggestions now. Additionally, the fact that Walter brings this issue up "just like that", should be telling of the way D is developed versus the competition! First, we're not scared of grabbing the bull by the horns. Second, having D as a one-man enterprise, gives us an immeasurable advantage over C++ and the like. The response time, the vigilance and the vigorousness that this needs, simply are not possible to match with the bureaucracy the competition (be it C++ or Java) are dragging around. Not to mention Walter's unfathomable experience as a compiler writer!! --- Multiply a thirty-percent advantage over ten years, and you wouldn't believe the result! And D is doing a whole lot better than that.
Jul 13 2007