The Mind Boggles
The BBC has a report, Dangerous coding errors revealed, on the CWE/SANS Top 25: a list of the most common mistakes made in writing programs that leave them open to being hacked.
The top two on the list are just mind-blowing for a relic like me:
CWE-20: Improper Input Validation
CWE-116: Improper Encoding or Escaping of Output
“Garbage In, Garbage Out” is a mantra that was once drilled into people at school. Input validation and output checking were a constant drumbeat. (CWE-116 is the output half of that discipline in its modern form: whatever a program emits has to be escaped for wherever it lands, a web page, a database query or a shell command, or it becomes somebody else's unvalidated input.)
Maybe the rapid expansion of memory resources has caused the downfall of these standards, but people forget that the Y2K problem was a reflection of the need to save the space a 4-digit year would have taken over a 2-digit one. In the old days 2 bytes per record was a big deal.
Maybe the fact that the financial and business sector no longer has the overwhelming control of computing resources it once had, as computing has become more general, has led to the lack of concern.
Whatever the cause, the fact that people design systems that don't validate input or check output is stunning.
Reminds me of a small chunk of code I recently reviewed:
1. It hard-coded a format string in two different places rather than use a constant — in a strlen statement, and in a sprintf statement.
2. It dynamically allocated memory for a buffer using the output of the strlen statement.
3. It then outputted a formatted string to that buffer using sprintf.
The problem arose when it was desired to change the output of the program. So the second string (the one in the sprintf) was changed. But not the first.
You know what happened next :-).
Changes I suggested to the programmer to keep it from happening again:
1. Use a #define to use the same string constant in both places (the strlen and the sprintf)
2. Use snprintf to prevent over-running the allocated buffer.
Sigh. Buffer overflows (CWE-119). They’re so, well, 1970s…
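The mismatch described in the comment above, as an added example (constructed for this page, not code from the commenter or from the program he reviewed). The format strings, function names and the sample name are hypothetical. It shows the fragile pattern (the buffer sized from a stale copy of the format string while sprintf uses the edited copy), computes how far the write would run past the allocation without actually performing the overrun, and then the hardened form with a single #define and a bounds-checked snprintf. It also shows the caveat to fix #2 on its own: snprintf with the stale size stops the overflow but silently truncates, so the return value has to be checked.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical format strings, constructed for this example. GREETING_FMT is
 * the single definition both the sizing and the formatting code should use.
 * STALE_FMT is the old copy that, in the fragile code, was left behind in the
 * strlen() call when the sprintf() copy was edited. */
#define GREETING_FMT "Hello there, %s, welcome back"
#define STALE_FMT    "Hello, %s"

/* Bytes the fragile code allocates: it sizes the buffer from the stale copy,
 * strlen(STALE_FMT) + strlen(name) + 1, and never looks at GREETING_FMT. */
size_t fragile_alloc_size(const char *name)
{
    return strlen(STALE_FMT) + strlen(name) + 1;
}

/* Bytes sprintf(buf, GREETING_FMT, name) really writes, NUL included. Asking
 * snprintf(NULL, 0, ...) computes the length without touching any buffer. */
size_t bytes_actually_needed(const char *name)
{
    int n = snprintf(NULL, 0, GREETING_FMT, name);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* How far past the end of its malloc'd buffer the fragile sprintf() writes:
 * this is the heap overflow (CWE-119) the commenter ran into. Computed, not
 * performed, so this program never actually corrupts memory. */
size_t overrun_bytes(const char *name)
{
    size_t have = fragile_alloc_size(name);
    size_t need = bytes_actually_needed(name);
    return need > have ? need - have : 0;
}

/* Hardened version: one macro for the format, buffer sized from that same
 * format, write bounded by snprintf(), and the return value checked so a
 * truncated result is treated as an error instead of handed back silently.
 * Returns a malloc'd string the caller frees, or NULL on failure. */
char *format_greeting(const char *name)
{
    int n = snprintf(NULL, 0, GREETING_FMT, name);
    if (n < 0)
        return NULL;
    size_t len = (size_t)n + 1;
    char *buf = malloc(len);
    if (buf == NULL)
        return NULL;
    int w = snprintf(buf, len, GREETING_FMT, name);
    if (w < 0 || (size_t)w >= len) {   /* error or truncated */
        free(buf);
        return NULL;
    }
    return buf;
}

/* Convenience wrapper: 1 if format_greeting(name) equals expected. */
int greeting_equals(const char *name, const char *expected)
{
    char *g = format_greeting(name);
    int ok = g != NULL && strcmp(g, expected) == 0;
    free(g);
    return ok;
}

/* Caveat for fix #2 alone: snprintf() with the stale size does stop the
 * overrun, but only by silently cutting the output short. Returns 1 if the
 * write would have been truncated, i.e. the two format copies disagree. */
int stale_size_truncates(const char *name)
{
    char buf[256];
    size_t cap = fragile_alloc_size(name);
    if (cap > sizeof buf)
        cap = sizeof buf;
    int w = snprintf(buf, cap, GREETING_FMT, name);
    return w >= 0 && (size_t)w >= cap;
}

int main(void)
{
    const char *name = "Ada";   /* constructed sample input */
    printf("fragile alloc %zu bytes, sprintf writes %zu, overrun %zu\n",
           fragile_alloc_size(name), bytes_actually_needed(name),
           overrun_bytes(name));
    char *g = format_greeting(name);
    if (g != NULL) {
        puts(g);
        free(g);
    }
    printf("snprintf with the stale size truncates: %d\n",
           stale_size_truncates(name));
    return 0;
}
```

With the sample name the fragile code allocates 13 bytes while sprintf writes 31, an 18-byte heap overrun; the hardened function returns the full string, and the stale-size snprintf reports truncation instead of overflowing. The point of checking the snprintf return value is that a truncated string handed downstream is still a bug, just a quieter one.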
The buffer overflow is such a common technique for hacking that one would assume, apparently wrongly, that the possibility would be blocked as a matter of boilerplate, like garbage collection: something that is done automatically, reflexively.
The case you mentioned is one that I have seen and it always puzzled me, using constants is just easier to write, debug and maintain. There is a speed advantage to hard-coding, but it isn’t worth the trouble it can cause if you are trying to get something out the door.
One of the worst things about teaching IT is reading other people’s code and trying to understand some of their logic. C is the pits for that experience.
Thing is, in “C” there’s no (zero) difference caused by #define. It’s a macro, so it expands in both places to the exact same text. There was no (zero) reason to replicate that string in two different places without using a #define. Just laziness.
I have a lot of experience reading other people’s “C” code, and generally no problem doing it. Now Perl, on the other hand… one of our guys working on the Perl CGI for our product wanted me to review his code. I politely said, “I’ll review your screen layout, but get X to review your code.” (X being a senior programmer who does Perl every day). Understand, I know Perl and can write Perl — but my subset of Perl, which is different from someone else’s subset of Perl. Larry Wall gave five ways to do any task in Perl, and I chose one way as “my” way. Which means you put two Perl programmers together, and their programs are mutually unintelligible.
We computer geeks are our own worst enemy. Sigh.
The two biggest problems I regularly find (especially in any M$ code) are memory leaks and very poor garbage collection. It’s not as bad now as it was in W98 (you couldn’t have 98 running for more than a few days to a week without rebooting, unless you weren’t actually doing much with it). But there really is NO excuse for that poor coding standard from a company that purports to be the best in the World. Of course, we know that the reality is they care nothing about working code, only about cosmetics and getting the most money for minimal effort. I bet they spend more on marketing and legal fees than programming.
I’ve been having fun reading other people’s code lately for my project. Mainly PHP. I’ve found some really elegant code, and some very amateurish code. 🙂
I’m currently building a Linux server box running CentOS to emulate a typical hosting provider to test my sites for compatibility and hopefully minimize the time required to fine tune the system when uploaded to a host for the World to see. That’s fun. 😉
Mea culpa, Badtux, I plead insanity – I’m converting 30 year old code in a legacy language into a web application and I spent time with an iMac this afternoon that was a Christmas present of a friend who has been using WebTV. His kids thought he needed something better.
The local cable company gave him the modem, and cables for installation, but neglected to provide him with a user name or password – hilarity ensued with “Steve”, who sounded like he spent more time watching Bollywood than Hollywood, insisting that we must have those items, while I insisted that that was indeed the entire point of the call – to get them.
Well, “Steve” wasn’t authorized to release that information, and phone tag ensued.
My friend, who worked on the Saturn launch vehicle for NASA, was not convinced that the new technology was worth it.
In the end, he has all of the capabilities of WebTV back on the iMac, which was all he ever wanted. I expect him to expand his horizons after a few months.
The difference of a compiler directive went right over my head.
As for reading code – I was reading the code of people trying to learn a language, which tends to get “creative”, especially when you have dozens of lines in a program that are never reached because of the ?logic? of the writer.
Regarding Perl and PHP, there are times in the last few months when I wish Ada had I/O capabilities built into the specifications because it has such strict rules for almost everything. There must be trade-offs in the different available paths the language can take to supposedly reach the same conclusion, and it would be nice to know what they are.
I agree, Kryten, that housekeeping functions are the easiest to overlook when you are trying to get something out the door, and continual patching only makes matters worse. Sometimes you have to say enough and re-write the whole thing to clean up all of the problems. With the bloated software around today, that is a major project.
Badtux, it must be nice to be able to control the entire environment for your products, and not simply have to deal with the introduced problems of something like Windows. One day, perhaps…
Heh. You should see the crap written for PCs. Packages are written and sold where input validation is nonexistent — and the companies buying or renting these packages apparently don’t realize that they need to be customized to validate a particular company’s inputs.
I loathe and despise programming for PCs — basically programming for networks.
But heck, you get what you pay for, and the folks in Bangalore can’t tell you what pitfalls you are buying — nor are you willing to pay for all that customization is going to cost.
So garbage is what you get, and what you are willing to pay for.
Ahhhh… LOL Reminds me of the first computer acronym I was taught when I was learning Fortran in ’78. GIGO. ‘Garbage in, garbage out’. I’ve often thought GIGO Corp would be a much more appropriate name for M$! 😉 LOL
Four months ago, I was given a new project, and four programmers who had never written a line of Python before, the problem being that my proof-of-concept that was to be expanded into the final product was written in Python, that being what my bosses had basically directed me to write it in after puking at the sight of my original Perl prototype (heh!). So yeah, I know the joys of proofreading code from folks who have no clue. At least they had the model of my own code to go from — and I deliberately wrote my own code in a canonical manner described in a *very* detailed style document that I put on the engineering Wiki and stressed heavily to them, and I was quite detailed in what objects I wanted to see and what I wanted the completed API to be. I’ve been in this business long enough to know that proof of concepts often get ordered to be turned into the real product and was prepared :-). But man, I was working my tail off correcting their code for the first couple of months…
It is indeed a joy being a Linux penguin. We even have our own Linux distribution at work, albeit derived from Red Hat Linux, that has various kernel features in it for our products to do stuff that our competition doesn’t do simply because our competition hasn’t done the kernel work to do what we’re doing. With Microsoft, what you buy is what you got. No source. I’ll put up with that on my personal desktop, but bet my business on Microsoft? Uhm, no.
Sad to say, my days of having complete control over the environment are coming to a close, since management has decided that a Palm-Palmsource type split is the best thing for us. And some of the people who might OEM the new software product won’t be running it on our Linux distribution but, rather, on their own. Sigh. Oh well, as long as my paycheck keeps coming, it’s still better than the alternative. A guy at Microsoft wanted to hire me (!), hmm, do I continue working on a halfway sane platform, or do I go to work for the Borg? Heh. Hard choice. (NOT!).
– Badtux the Linux Penguin
nyah nyah nyah nyah nyah nyah! i don’t have to do any of that coding stuff anymore! 😛
of course, data conversion, and teaching the formerly-paper-bound luddites to use these new-fangled contraptions we call computers, that has its own set of joys. 😀
It’s an absolute fact, Scorpio, that with Windows software you will never get more than you are willing to pay for, because it is such a hemorrhoid to write for the system. The upgrade to Vista shows why, you don’t know if what you write is going to be acceptable in the next version, and if you try shifting to the new version too soon, you have something that won’t work on the old system, and may not work on the final version of the new system.
One of the pieces of software I used a lot had their new version delayed for six months after it was ready to ship because it was dependent on a Microsoft product, that Microsoft couldn’t deliver a year after its projected release.
If you belong to Microsoft’s developers subscription service they dump on you constantly and charge you four figure amounts to do it.
A lot of good people have produced bad software because of Microsoft, which is senseless given their resources. They are more interested in profit than product.
Kryten, I just want you to know that there is no truth to the rumor that dictators have tried to hire the team that wrote the MS warranty to write constitutions for their countries.
Control is the name of the game, Badtux. When you don’t have to worry about operating system problems, it’s a whole lot easier to debug.
Well, you couldn’t expect to stay in programmers paradise forever.
The new Palm phone looks promising, even if it does require Sprint. Fortunately I don’t have that problem, because we will never get a system that is capable of handling any of them. When my brother visited with his iPhone, all he did was bitch about the lousy service he got on the local system. We will remain in the dark because the carriers don’t see the profit potential.
Data conversions should always be done in assembler, there’s no excuse not to, Hipparchia [well, other than time and money, but that’s just not very exciting.]
Oh, yes, I did WebTV to iMac today and it was a thrill. I’m going to get a call tomorrow, I just know it. I inadvertently taught him how to delete things. [Sigh]
Hopefully you didn’t teach him how to empty the trash :-).
-BT
Good heavens, No. I’ve known him since Coke came in a nickel glass bottle, and I’m not going to teach him that.
I’ll let his son do it, so I can blame him.
LOL That reminds me of a job I did for a friend’s sister a couple months ago. She’d accidentally deleted her Resume and had no backup (of course). She was in a panic, and trying to get her to do anything over the phone was impossible. So I had to go over there.
I asked if she’d emptied the Windows recycle bin, she said “What’s that?” (she just finished a BA BTW). I had a look at her desktop, located the bin icon (which was showing that it had trash) and double clicked. It took a while to open! She hadn’t emptied it since she got the PC over a year ago. Took a little while to locate her resume, and I asked if that was the one, she said she thought so. So I right-clicked and selected ‘restore’ and started Word, and the file was the one she wanted. She was amazed! *shaking head* She found a few other things she accidentally deleted, then I emptied the trash, and she was surprised how long it took but also how much faster Windows was when I rebooted. 😉 LOL
What do they teach in schools these days? *sigh*
Having been an administrator on an instructional system, I can state categorically that they don’t teach them to clean up after themselves, which is good on a lot of systems. Undeleting was one of the reasons I made big bucks on DOS systems.
assembler. hehe. my mad programming skillz have devolved to the point where somedaze i need someone to hold my hand just to get around in sql.
In some ways assembler is easier to write than SQL, but you have to write a lot of it to get much done.
If you start with assembler, then it is a lot easier to learn other languages, kind of like learning Latin before you tackle the other Romance languages.