KHB: Failure-oblivious computing
Posted Jul 4, 2006 11:11 UTC (Tue) by evgeny
In reply to: KHB: Failure-oblivious computing
Parent article: KHB: Failure-oblivious computing
> Say a server has a block list which is consists of a dynamic part supplied by the IDS and a static part supplied by the administrator.
Well, any seasoned C programmer will notice that this is a very strange coding practice:
1) Why to concatenate the lists instead of checking first the static and then the dynamic part?
2) If the concatenation is for a reason indeed necessary, one'd do it the other way around, thus simplifying the compile-time optimization and run-time memory access patterns.
These alone would suggest the prorgam is badly written and perhaps shouldn't be trusted anyway.
However, a more seriously wrong assumption you made is that in the absence of the buffer clipping _any_ buffer overrun results in SEGFAULT. Alas, this is NOT the case. Otherwise, the issue of the buffer overruns would be considered only in the context of DoS. Instead, we're talking about executing practically anything, including the shell access (which is arguably much worse than failure to throwing a bad guy away right at the entrance). And even if that doesn't happen, an equivalent of the buffer clipping could take place. E.g.,
sprintf(buf, "Hello, world!\n");
works nicely here (i.e., outputting the entire "Hello, world!\n" string), instead of segfaulting. However, were there enough of code between the sprintf() and printf() lines, the result could be very different, including in theory the clipping right after the "Hell" substring, or any other type of garbling.
> Or, another example: A PHP app
All strings in PHP are dynamic... You should use a different language.
> checks user+password combinations with the following SQL command:
> SELECT * FROM users WHERE user='%s' AND password='%s';
Oh, just let's not return to this deadly beaten horse. You can read e.g. this nice article (http://lwn.net/Articles/185813/) and the very informative comments to it to understand that constructing an SQL statement directly from the user input is 99.999% garanteed to be vulnerable, even in languages that don't have the string buffer overrun problem.
Your examples above show signs of programming ignorance. On the contrary, the buffer overruns are periodically spotted in very mature pieces, written by very respectable programmers. They're often typos (or off-by-one miscalculations) than real mistakes. I wish libc had functions to deal with strings in a safe manner. sigh...
> To be honest, I think it is very worrying how some people here defend a broken idea.
Nobody said this is a silver bullet. As practically any other technique, it has a restricted area of applicability. (E.g., as mentioned in the original article, it certainly shouldn't be used in the scientific computing).
to post comments)