Path: csiph.com!v102.xanadu-bbs.net!xanadu-bbs.net!feeder.erje.net!eu.feeder.erje.net!xlned.com!feeder7.xlned.com!newsfeed.xs4all.nl!newsfeed4a.news.xs4all.nl!xs4all!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail Return-Path: X-Original-To: python-list@python.org Delivered-To: python-list@mail.python.org X-Spam-Status: OK 0.018 X-Spam-Evidence: '*H*': 0.96; '*S*': 0.00; 'tree': 0.05; 'binary': 0.07; 'compiler': 0.07; 'socket': 0.07; 'currently,': 0.09; 'happen.': 0.09; 'stack,': 0.09; 'truncated': 0.09; 'type;': 0.09; 'subject:How': 0.10; 'cc:addr:python-list': 0.11; 'bug': 0.12; 'wrote': 0.14; "wouldn't": 0.14; '10:05': 0.16; 'charles': 0.16; 'elsewhere.': 0.16; 'from:addr:rosuav': 0.16; 'from:name:chris angelico': 0.16; 'porting': 0.16; 'roy': 0.16; 'simpson': 0.16; 'subject:security': 0.16; 'targeting': 0.16; 'tcp': 0.16; 'truncation': 0.16; 'unexpected': 0.16; 'exception': 0.16; 'weird': 0.16; 'wrote:': 0.18; 'code.': 0.18; 'module': 0.19; 'trying': 0.19; 'basically': 0.19; 'memory': 0.22; 'cc:addr:python.org': 0.22; 'certainly': 0.24; 'cc:2**0': 0.24; 'header:In-Reply-To:1': 0.27; 'am,': 0.29; 'message- id:@mail.gmail.com': 0.30; 'along': 0.30; "i'm": 0.30; 'code': 0.31; 'url:wiki': 0.31; 'constant': 0.31; 'discovery': 0.31; 'languages': 0.32; 'alone': 0.33; "i'd": 0.34; 'could': 0.34; 'something': 0.35; 'but': 0.35; 'received:google.com': 0.35; 'there': 0.35; 'c++': 0.36; "didn't": 0.36; 'reports': 0.37; 'too': 0.37; 'level': 0.37; 'being': 0.38; 'problems': 0.38; 'mapping': 0.38; 'issue': 0.38; 'rather': 0.38; 'little': 0.38; "couldn't": 0.39; 'space': 0.40; 'ensure': 0.60; 'even': 0.60; 'eventually': 0.60; 'results.': 0.60; 'solve': 0.60; 'most': 0.60; 'entire': 0.61; 'high': 0.63; 'happen': 0.63; 'places': 0.64; 'become': 0.64; 'provide': 0.64; 'more': 0.64; 'management': 0.65; 'hours': 0.66; 'here': 0.66; 'mar': 0.68; 'smith': 0.68; 'money': 0.72; 'connection.': 0.74; 'article': 0.77; '50%': 0.78; 'low': 0.83; 'blow': 0.84; "else's": 0.84; 'interference': 0.84; 'malicious': 0.84; 'python-dev': 0.84; 'care,': 0.91; 'careful': 0.91; 'opens': 0.91; 'to:none': 0.92 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:cc :content-type; bh=ZVQNXm8mmGYVmkOpmHGkCiKOg4g89J5FhqWyf5MJc4s=; b=nzuOAzsTxskSyK+z4K5btAy+eP0AerYkTtxU56iohktrM2yGKlQjEg2NbrwbKL7UT7 M9y+LjPjnedyp9CGLSUtWm9GAEbVq7VUKGFxRlx47Y6mkfP1ukWoHhoghLHlthd9TyL0 Dd59+anjJsGuMn8i9RH7C3I5+c3Iz8RAQ9GnEwmh7fNUztbo8sWPmk3tGGTTZriERW7Y d/EdUa+KRjBdyqEgVlvRorAbCnfJ9TyOYgg9uTjzfrwxt+3n8luLGkdmJMmSyLl+La9D OqoFceGct643bfq1oZ86V93Lgjm1rYqRsGYAvqvu8JWirrxduaQbDpmjNEp4POFTPPn8 l/Tw== MIME-Version: 1.0 X-Received: by 10.68.233.200 with SMTP id ty8mr22354056pbc.1.1393889763331; Mon, 03 Mar 2014 15:36:03 -0800 (PST) In-Reply-To: References: Date: Tue, 4 Mar 2014 10:36:03 +1100 Subject: Re: How security holes happen From: Chris Angelico Cc: "python-list@python.org" Content-Type: text/plain; charset=UTF-8 X-BeenThere: python-list@python.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: General discussion list for the Python programming language List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Newsgroups: comp.lang.python Message-ID: Lines: 44 NNTP-Posting-Host: 2001:888:2000:d::a6 X-Trace: 1393889767 news.xs4all.nl 2866 [2001:888:2000:d::a6]:38746 X-Complaints-To: abuse@xs4all.nl Xref: csiph.com comp.lang.python:67617 On Tue, Mar 4, 2014 at 10:05 AM, Roy Smith wrote: > In article , > Cameron Simpson wrote: > >> On 03Mar2014 09:17, Neal Becker wrote: >> > Charles R Harris Wrote in message: >> > > >> > >> > Imo the lesson here is never write in low level c. Use modern >> > languages with well designed exception handling. >> >> What, and rely on someone else's low level C? > > Don't laugh. http://c2.com/cgi/wiki?TheKenThompsonHack I don't think malicious interference with C compilers is the issue here, so much as the constant discovery of flaws in honestly-written C code. Currently, I'm porting a MUD client from C++ to Pike. On average, a hunk of code shrinks by about 50% during the translation, mainly because I can let memory management happen elsewhere. (Sometimes the difference is even more dramatic. I wrote my own binary tree in the C++ client, because the compiler I was targeting at the time didn't provide a suitable mapping type; now, I just call on the language's facilities, and it's more efficient and takes no code whatsoever. That's basically one entire module eliminated.) Along the way, I'm noticing myriad little issues around the place, where too much data would result in something being truncated (I was careful in most places to ensure that it couldn't blow the stack, although I certainly wouldn't bet money that I was perfect on that score), and the truncation could have unexpected results. Malformed data coming in over a TCP socket would eventually consume all the buffer space and then make the client think the other end had closed its connection. That one I knew about and didn't care, but there were others that were weird and esoteric and would *most likely* never happen. Writing low level code opens you up to a huge collection of weird behaviours that might, at best, become bug reports that you spend hours trying to solve. At worst, they become exploits. Yes, high level languages have their own attack vectors, but I'd much rather have the entire python-dev team working to solve my problems than me alone :) ChrisA