[CLUE-Tech] OT: C code security - what to look for?

Dale K. Hawkins dhawkins at cdrgts.com
Tue Aug 12 17:58:59 MDT 2003


Matt Gushee <matt at gushee.net> writes:

> Hmm ... I'm not sure if this is a problem or not. If someone could plant
> a C executable that accessed the wrapper library, it might be. But if
> somebody can plant arbitrary executables on my system, they can do just
> about anything they like without ever touching that library, right?
>
> Doesn't matter how indirectly I call the 'foo' function, the compiler
> will reject it as a type error.

[stuff deleted]

> Now, I suppose it is possible that an image object in OCaml could refer
> to an image that has been destroyed in the C code, but that's the only 
> way I can think of that it could be invalid and not be caught by the
> compiler.

As far as I know you are correct.  There are programming camps which
preach checking every invariant.  You can always make the claim that
this or that could "never" happen, but this is often how things fail.
I confess that I often take the simpler route.  I was more thinking in
terms of the worst case scenario; i.e., could someone figure out how
to fool the OCaml compiler and if they could, what damage could be
done.  I am aware that many of the suggestions could be considered
academic, but I also think that security is best achieved from the
ground up.

For example, if I can look at a function consisting of a handful of
rock-solid, bullet-proof, ass-kicking code and say without a doubt,
"hey, no one is going to get through that," then I can say the layers
which reside on top of that function are just as protected.

WARNING: THE REST OF THIS COMMENT IS EXTREMELY PREACHY AND ANNOYING.
DO NOT CONTINUE TO READ IF YOU ARE AVERSE TO THIS SORT OF THING.

<warning preachy-irritating-rant-mode>

To get off on a complete tangent in order to beat my point to death.
Should you ever get the chance, I recommend reading Richard Feynman's
"Personal observations on the reliability of the Shuttle".  One of the
main points which I read from this essay (at
http://www.fotuva.org/feynman/challenger-appendix.html among other
places), is the idea that systems built from the (very) bottom-up are
always better than those which are not.

Thus, security is ensured only by ensuring the security at the very
foundation of a program.  The "cost" of performing an assert or two pales
in comparison to the possibility of a security hole, IMNSHO (in my not
so humble opinion).

Making any code reasonably safe on the web is a pretty tall order.
Making it "hacker-proof" is a huge commitment.  Nothing should be left
to chance.

It is a far better thing to abort than to execute worm-code.

</warning preachy-irritating-rant-mode>

flame on.
-Dale
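One way to build the "check every invariant" foundation the post argues for, as an added C example that is not code from the post or from any library it mentions: a hypothetical image handle table in the C side of a wrapper, where each handle carries a generation counter, so a handle held after the image was destroyed (the case Matt raises) is refused rather than dereferenced. All names, the table layout and the slot count are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical handle table (constructed for this example): a handle is an
 * index plus a generation counter, so a handle kept after image_destroy()
 * stops matching its slot and is refused instead of being dereferenced. */
#define MAX_IMAGES 8
typedef struct {
    uint32_t generation;       /* advanced on every destroy */
    size_t width, height;
    unsigned char *pixels;     /* NULL while the slot is free */
} image_slot;
typedef struct { uint32_t index; uint32_t generation; } image_handle;
static image_slot slots[MAX_IMAGES];
/* Every entry point funnels through this check: index in range, slot live,
 * generation matching. Callers treat NULL as a hard error, never a retry. */
static image_slot *image_lookup(image_handle h) {
    if (h.index >= MAX_IMAGES) return NULL;
    image_slot *s = &slots[h.index];
    if (s->pixels == NULL || s->generation != h.generation) return NULL;
    return s;
}

bool image_create(size_t w, size_t h, image_handle *out) {
    if (w == 0 || h == 0 || w > SIZE_MAX / h) return false;  /* w*h overflow */
    for (uint32_t i = 0; i < MAX_IMAGES; i++) {
        if (slots[i].pixels != NULL) continue;              /* slot in use */
        if ((slots[i].pixels = calloc(w * h, 1)) == NULL) return false;
        slots[i].width = w; slots[i].height = h;
        out->index = i; out->generation = slots[i].generation;
        return true;
    }
    return false;  /* table full */
}

/* Frees the slot and bumps its generation: the old handle never resolves again, even once the slot is reused. */
bool image_destroy(image_handle h) {
    image_slot *s = image_lookup(h);
    if (!s) return false;
    free(s->pixels);
    s->pixels = NULL; s->width = s->height = 0;
    s->generation++;
    return true;
}
/* Bounds-checked read; -1 signals a stale/forged handle or bad coordinate. */
int image_get_pixel(image_handle h, size_t x, size_t y) {
    image_slot *s = image_lookup(h);
    if (!s || x >= s->width || y >= s->height) return -1;
    return s->pixels[y * s->width + x];
}
```

The generation counter is what turns the "image destroyed in C while OCaml still holds the object" case into a clean failure instead of a dangling read, and it keeps working after the slot has been handed to a new image.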


