
Re: How security holes happen

In-Reply-To: <roy-F4C234.18050803032014@news.panix.com>
References: <lf22t1$sgh$1@ger.gmane.org> <mailman.7670.1393885170.18130.python-list@python.org> <roy-F4C234.18050803032014@news.panix.com>
Date: Tue, 4 Mar 2014 10:36:03 +1100
Subject: Re: How security holes happen
From: Chris Angelico <rosuav@gmail.com>
Cc: "python-list@python.org" <python-list@python.org>
Newsgroups: comp.lang.python
Message-ID: <mailman.7681.1393889767.18130.python-list@python.org>


On Tue, Mar 4, 2014 at 10:05 AM, Roy Smith <roy@panix.com> wrote:
> In article <mailman.7670.1393885170.18130.python-list@python.org>,
>  Cameron Simpson <cs@zip.com.au> wrote:
>
>> On 03Mar2014 09:17, Neal Becker <ndbecker2@gmail.com> wrote:
>> >  Charles R Harris <charlesr.harris@gmail.com> Wrote in message:
>> > >
>> >
>> > Imo the lesson here is never write in low level c. Use modern
>> >  languages with well designed exception handling.
>>
>> What, and rely on someone else's low level C?
>
> Don't laugh.  http://c2.com/cgi/wiki?TheKenThompsonHack

I don't think malicious interference with C compilers is the issue
here, so much as the constant discovery of flaws in honestly-written C
code.

Currently, I'm porting a MUD client from C++ to Pike. On average, a
hunk of code shrinks by about 50% during the translation, mainly
because I can let memory management happen elsewhere. (Sometimes the
difference is even more dramatic. I wrote my own binary tree in the
C++ client, because the compiler I was targeting at the time didn't
provide a suitable mapping type; now, I just call on the language's
facilities, and it's more efficient and takes no code whatsoever.
That's basically one entire module eliminated.) Along the way, I'm
noticing myriad little issues around the place, where too much data
would result in something being truncated (I was careful in most
places to ensure that it couldn't blow the stack, although I certainly
wouldn't bet money that I was perfect on that score), and the
truncation could have unexpected results. Malformed data coming in
over a TCP socket would eventually consume all the buffer space and
then make the client think the other end had closed its connection.
That one I knew about and didn't care, but there were others that were
weird and esoteric and would *most likely* never happen.

Writing low level code opens you up to a huge collection of weird
behaviours that might, at best, become bug reports that you spend
hours trying to solve. At worst, they become exploits. Yes, high level
languages have their own attack vectors, but I'd much rather have the
entire python-dev team working to solve my problems than me alone :)

ChrisA
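The truncation failure Chris describes above (too much data arriving on a socket, a fixed buffer filling up, and the program carrying on as if nothing were wrong) is easy to reproduce in a few lines of C. The following is an added example written for this archive page; it is not code from the post or from Chris's MUD client. The `linebuf` type, the `feed_unchecked` and `feed_checked` readers, the 16-byte buffer size and the sample input line are all constructed for the illustration. Both readers accumulate bytes until a newline; the first silently drops what does not fit, the second reports the overflow so the caller never acts on a shortened line.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Deliberately tiny so one ordinary line overflows it; a real client
 * would use something far larger (constructed value for the example). */
#define LINEBUF_SIZE 16

typedef enum { FEED_NEED_MORE, FEED_LINE_READY, FEED_OVERFLOW } feed_status;

typedef struct {
    char   data[LINEBUF_SIZE];
    size_t used;
} linebuf;

static void linebuf_init(linebuf *b) { b->used = 0; b->data[0] = '\0'; }

/* Unchecked accumulation: once the buffer is full, further bytes are
 * silently dropped. When the newline finally arrives the caller receives
 * a shortened line that looks valid, with no sign that anything was lost.
 * Stops at the first newline; later bytes in the chunk are not consumed,
 * which is enough for the demonstration. */
static feed_status feed_unchecked(linebuf *b, const char *bytes, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if (bytes[i] == '\n') {
            b->data[b->used] = '\0';
            return FEED_LINE_READY;
        }
        if (b->used < LINEBUF_SIZE - 1)
            b->data[b->used++] = bytes[i];
        /* else: the byte is discarded without any error */
    }
    return FEED_NEED_MORE;
}

/* Checked accumulation: the same loop, but a full buffer with no newline
 * is reported as FEED_OVERFLOW and the partial line is thrown away, so
 * truncated input is never handed upward as if it were complete. */
static feed_status feed_checked(linebuf *b, const char *bytes, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if (bytes[i] == '\n') {
            b->data[b->used] = '\0';
            return FEED_LINE_READY;
        }
        if (b->used >= LINEBUF_SIZE - 1) {
            linebuf_init(b);
            return FEED_OVERFLOW;
        }
        b->data[b->used++] = bytes[i];
    }
    return FEED_NEED_MORE;
}

/* Constructed input: a 30-character line, too long for the buffer. */
static const char LONG_LINE[] = "say hello everyone in the room\n";

/* Text the unchecked reader delivers to the caller for LONG_LINE. */
const char *demo_unchecked(void) {
    static linebuf b;
    linebuf_init(&b);
    feed_unchecked(&b, LONG_LINE, sizeof LONG_LINE - 1);
    return b.data;   /* "say hello every": plausible-looking, but not what was sent */
}

/* Status the checked reader reports for LONG_LINE. */
feed_status demo_checked_long(void) {
    static linebuf b;
    linebuf_init(&b);
    return feed_checked(&b, LONG_LINE, sizeof LONG_LINE - 1);   /* FEED_OVERFLOW */
}

/* Status for a line that fits, showing the normal path. */
feed_status demo_checked_short(void) {
    static linebuf b;
    linebuf_init(&b);
    return feed_checked(&b, "hi\n", 3);   /* FEED_LINE_READY */
}

int main(void) {
    printf("unchecked reader delivered: \"%s\"\n", demo_unchecked());
    printf("checked reader on long line: %s\n",
           demo_checked_long() == FEED_OVERFLOW ? "FEED_OVERFLOW" : "other");
    printf("checked reader on short line: %s\n",
           demo_checked_short() == FEED_LINE_READY ? "FEED_LINE_READY" : "other");
    return 0;
}
```

The unchecked reader is the more dangerous of the two precisely because it does not crash: the caller gets a well-terminated string and acts on it, which is the "unexpected results" Chris mentions. Making the overflow a distinct return value is what a garbage-collected, bounds-checked language does for you automatically, and is the check worth adding by hand wherever a fixed buffer remains in C.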



Thread

Re: How security holes happen Cameron Simpson <cs@zip.com.au> - 2014-03-04 09:19 +1100
  Re: How security holes happen Roy Smith <roy@panix.com> - 2014-03-03 18:05 -0500
    Re: How security holes happen Chris Angelico <rosuav@gmail.com> - 2014-03-04 10:36 +1100
  Re: How security holes happen Andrew Cooper <root@127.0.0.1> - 2014-03-05 00:52 +0000
    Re: How security holes happen Gene Heskett <gheskett@wdtv.com> - 2014-03-04 23:27 -0500
    Re: How security holes happen 88888 Dihedral <dihedral88888@gmail.com> - 2014-03-05 18:39 -0800
