Recent Features
| |||||||||||||
LCA: Lessons from 30 years of SendmailLCA: Lessons from 30 years of SendmailPosted Feb 3, 2011 0:32 UTC (Thu) by dskoll (subscriber, #1630)In reply to: LCA: Lessons from 30 years of Sendmail by HelloWorld Parent article: LCA: Lessons from 30 years of Sendmail
Yet another reason not to use C. For anything. OK, sure. Avoiding C magically fixes security problems. Not. Avoiding C greatly reduces the risk of certain security problems (buffer-overflow, stack smashing) assuming the non-C language is implemented securely. It does nothing about other security problems like race conditions, unsafe /tmp files, incorrect input sanitization (eg, SQL injection problems), etc, etc....
(Log in to post comments)
LCA: Lessons from 30 years of Sendmail Posted Feb 3, 2011 1:09 UTC (Thu) by HelloWorld (guest, #56129) [Link]
> OK, sure. Avoiding C magically fixes security problems.
Did I claim this was the case? No, I didn't. But it does help, and not just because more modern languages are memory-safe.
> Avoiding C greatly reduces the risk of certain security problems (buffer-overflow, stack smashing) assuming the non-C language is implemented securely. It does nothing about other security problems like race conditions, unsafe /tmp files, incorrect input sanitization (eg, SQL injection problems), etc, etc....
LCA: Lessons from 30 years of Sendmail Posted Feb 3, 2011 4:44 UTC (Thu) by wahern (subscriber, #37304) [Link]
In C there's a concept called `FILE' for this. In Unix (C, shell) it's called `pipe'. `Threads' are processes where all `inter-thread' communication must be done through one of those devices. Shared-memory parallel programming with manual synchronization was popularized by Windows and C++ coders. Why? Because `processes' were too heavy weight, too slow, and too cumbersome... kinda like the excuses people use when they don't want to use a scripting language.
C doesn't have a sophisticated typing system, but that has little to do with the issue of not being able to write a "sanitized string" type. Just the idea of sanitized string sounds wrong to me. If it's not an ASCII, NUL-terminated array of characters, then it's not properly called a string in C terminology.
Type abstraction is often the root cause of security bugs. For example, you could treat a password as a sub-type of string. But strings as commonly understood almost universally support the concept of truncation. But if you truncate a password horrible security repercussions result. So why would you want to treat it like a string at all?
Strings also usually support the notion of concatenation. So take HTML. You could keep an HTML document as a string, but HTML has a hierarchical structure, and prepending or appending data to a complete document results in garbage.
Just exclude those methods, one says. Well (1) the fact that you must exclude already exposes you to mishaps and bugs the same as forgetting to bounds check an operation in C, and (2) what are you left with when you exclude all the unnecessary and possibly dangerous operations? Not much.
Buffer overflows in C usually are the result of people trying to treat everything like a string; they want to slurp data into a string or array, and then manipulate it in that form. That's a horrible way to write software, whether in C or any other language. It just so happens that if you do it in C you're susceptible to more attacks than if you do it in, say, Java; but the solution isn't to write the bad code in Java; it's to stop writing that kind of code at all.
Using the best language for the particular job also helps. Writing parsers has always been easier for me to do in C because of pointers, and the ability to write very concise state machines. A parser is really a way to consume a string, character by character, and transform it into some other structure. So when people tell me that handling strings in C is more difficult, I don't know how to respond. It's certainly more difficult to juggle and manipulate strings in C. But if that's how you're processing string input in any language, you're probably doing it wrong. If I'm parsing an e-mail message, I'll construct a tree of objects by consuming a stream of characters. I may store the message, or parts of it, as a character "string", but only as an immutable object that I never need to manipulate; outputting it later, if necessary. So I rarely care about the difficulty of manipulating strings in C, because I rarely need to do that.
I tend to use general purpose scripting languages for things _other_ than string processing, like executing complex rules or transformations of structures of objects. For still other things domain specific language are preferable.
Of course, if all you want to do is hack out a script to process some data (as Perl is popular for), then have at it. But don't fool yourself that your script is any more secure than if written in C. There are probably several times more remote execution bugs in scripting language built applications than C applications, just because of improper use of strings.
LCA: Lessons from 30 years of Sendmail Posted Feb 3, 2011 10:00 UTC (Thu) by Thomas (subscriber, #39963) [Link]
"For example, you could treat a password as a sub-type of string. But strings as commonly understood almost universally support the concept of truncation. But if you truncate a password horrible security repercussions result. So why would you want to treat it like a string at all?"
You got it the wrong way round. Strings [a concatenation of bytes] can support truncation but don't have to.
Cheers,
String manipulation bugs Posted Feb 6, 2011 19:08 UTC (Sun) by man_ls (subscriber, #15091) [Link] (2) what are you left with when you exclude all the unnecessary and possibly dangerous operations? Not much.Immutable strings. As seen in Java, Python or Lua. Safe, flexible, and only occasionally slow enough to use other options. If you remove the main cause for the most common security bug, and nobody complains, then in my book that is a good decision. There are probably several times more remote execution bugs in scripting language built applications than C applications, just because of improper use of strings.String manipulation bugs I can live with. Security holes are unacceptable. A language where every bug must be considered a security bug is too hard for me.
LCA: Lessons from 30 years of Sendmail Posted Feb 12, 2011 23:07 UTC (Sat) by ofranja (subscriber, #11084) [Link]
"Type abstraction is often the root cause of security bugs. For example, you could treat a password as a sub-type of string. But strings as commonly understood almost universally support the concept of truncation. But if you truncate a password [...]"
I think you wanted to say LACK of abstraction.
If password is not exactly a string, you should have created a "password" type with proper operations and associated semantics.
Do not ever consider "C" as an example of "complete type system", unless you also consider a Ford T an modern vehicle.
LCA: Lessons from 30 years of Sendmail Posted Feb 3, 2011 21:05 UTC (Thu) by dskoll (subscriber, #1630) [Link] Did I claim this was the case? No, I didn't. But it does help, and not just because more modern languages are memory-safe. They also tend to be slower (often a lot slower) and more memory-hungry. Unfortunately, if you want the ultimate in performance on a UNIX-like system, you're stuck with assembly, C or C++. Assembly is clearly the wrong tool for most applications, and IMO C++ is a monstrosity that adds a ton of garbage to C without really making it any safer. I can see writing most things in safer languages. But your MTA has to be fast and efficient, which is why we don't see many (any?) widely-used MTAs written in anything but C or C++.
LCA: Lessons from 30 years of Sendmail Posted Feb 3, 2011 21:34 UTC (Thu) by foom (subscriber, #14868) [Link]
> But your MTA has to be fast and efficient
I'd dispute that: I bet you could write an MTA in *Ruby* and it would be perfectly good on today's computers for all but the largest sites. There's not that much mail volume, and computers have gotten a lot faster...
LCA: Lessons from 30 years of Sendmail Posted Feb 3, 2011 21:44 UTC (Thu) by dskoll (subscriber, #1630) [Link] I bet you could write an MTA in *Ruby* and it would be perfectly good on today's computers for all but the largest sites. Go for it. Report back when done.
LCA: Lessons from 30 years of Sendmail Posted Feb 3, 2011 22:06 UTC (Thu) by foom (subscriber, #14868) [Link]
No thanks. I have no interest in writing a new MTA, nor in writing any Ruby code. :)
But I will point out that many large mailing list installations run on mailman, which is written completely in Python. That seems to be performant enough.
And spam filtering of email content is frequently done with spamassassin -- written in Perl.
LCA: Lessons from 30 years of Sendmail Posted Feb 3, 2011 22:40 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]
Mailman is not a MTA.
it manages the list of users that the MTA will send mail to (a low overhead activity)
it validates messages sent to the list (it handles each message once, before it gets multiplied by potentially several orders of magnitude as it's sent out)
LCA: Lessons from 30 years of Sendmail Posted Feb 4, 2011 11:08 UTC (Fri) by paravoid (subscriber, #32869) [Link]
Have a look at Lamson, then.
LCA: Lessons from 30 years of Sendmail Posted Feb 4, 2011 19:42 UTC (Fri) by dskoll (subscriber, #1630) [Link] From the "About Lamson" page: However, as great as Lamson is for processing email intelligently, it isnt the best solution for delivering mail. There is 30+ years of SMTP lore and myth stored in the code of mail servers such as Postfix and Exim that would take years to replicate and make efficient. Being a practical project, Lamson defers to much more capable SMTP servers for the grunt work of getting the mail to the final recipient.
LCA: Lessons from 30 years of Sendmail Posted Feb 5, 2011 0:17 UTC (Sat) by dskoll (subscriber, #1630) [Link] And spam filtering of email content is frequently done with spamassassin -- written in Perl. Indeed so. We use Perl (including SpamAssassin) to filter our mail. In terms of memory size, SpamAssassin on our system is about 70MB per instance vs. about 9MB for Sendmail. (To be fair, we use a lot of other Perl modules apart from SpamAssasssin in our filter.) And when it comes to performance, SpamAssassin is so slow relative to Sendmail that Sendmail becomes completely negligible. Bolting anything in Perl onto Sendmail is like towing a five-ton truck with a motorcycle. :)
LCA: Lessons from 30 years of Sendmail Posted Feb 5, 2011 0:43 UTC (Sat) by foom (subscriber, #14868) [Link]
Yes. Perl is an order of magnitude slower than C. Furthermore, spam filtering is inherently a harder job than mail routing. Yet, Spamassassin is *still* fast enough! Thus my claim: MTAs don't need to be written in C.
But writing a new MTA from scratch now is pretty pointless, no matter what language it's in.
LCA: Lessons from 30 years of Sendmail Posted Feb 5, 2011 17:13 UTC (Sat) by dskoll (subscriber, #1630) [Link] Thus my claim: MTAs don't need to be written in C. That's probably true, 99% of the time. But again, MTA authors tend to worry a lot about performance and tend to write their software to cope with huge amounts of mail. I believe that's the correct approach because even a small site can suddenly get a huge spike in traffic for various reasons (eg, a spammer does a massive joe-job spam run.) You don't really want your email to fall over.
LCA: Lessons from 30 years of Sendmail Posted Feb 26, 2011 13:07 UTC (Sat) by job (guest, #670) [Link]
Spam filtering is very different from general mail routing. You might find a better example in qpsmtpd.
It is (almost) pure Perl and in use at quite a few large installations including the Apache project.
LCA: Lessons from 30 years of Sendmail Posted Feb 3, 2011 21:58 UTC (Thu) by HelloWorld (guest, #56129) [Link] Assembly is clearly the wrong tool for most applications [...]But your MTA has to be fast and efficient, which is why we don't see many (any?) widely-used MTAs written in anything but C or C++.When C was invented, compilers were primitive, and it was trivial to produce assembly code that would run faster than the equivalent C code. Yet, people decided in the 1970s to port the single most performance-critical piece of code - the UNIX kernel - to C, because that made it portable and generally easier and more pleasant to program. Nowadays, machines are faster by orders of magnitude, and there are actually quite a few safe programming languages that allow one to produce efficient code: Go, D, ATS and many others. More are being developed, such as Rust. Yet, people nowadays refuse to accept a negligible overhead over C (say, 20%, which is the goal set by the Go language), and this seems just bizarre to me. I believe that the main reason for sticking with C is simply inertia. "We've always done it that way!"
LCA: Lessons from 30 years of Sendmail Posted Feb 3, 2011 23:38 UTC (Thu) by dskoll (subscriber, #1630) [Link] Yet, people nowadays refuse to accept a negligible overhead over C (say, 20%, which is the goal set by the Go language), and this seems just bizarre to me. I believe that the main reason for sticking with C is simply inertia. "We've always done it that way!" I don't think that's the reason for sticking with C (it's not my reason, anyway.) Here are my reasons:
LCA: Lessons from 30 years of Sendmail Posted Feb 4, 2011 2:51 UTC (Fri) by HelloWorld (guest, #56129) [Link] I have a lot of experience with C and I like it. There's certainly something to be said for familiarity.I don't mean to insult you, but this is exactly the mindset I mean. It's just another way of saying "because I always did it that way", really. C is old and well-tested.Being well-tested helps against bugs. It doesn't help one bit against design mistakes (except if you change the design, but that never happened to a meaningful extent for the C language (I guess that's what you meant with "keeping C true to the original C spirit")) There are many C libraries and tools available, far more than for newer languages.Any decent language has a foreign function interface for calling C functions. And at least some of them, like D, make it absolutely trivial to create bindings. In some cases, a 20% performance hit isn't worth it. An MTA on a busy mail system is one of those cases. While it's true that most mail systems are not that busy, MTA authors rightly attempt to make their MTA as fast and reliable as possible.No, they don't. C won't give you the fastest possible result, assembly will (portability is not an excuse, use a portable assembly language like LLVM assmbly). Yet, people seem to think that C is somehow the be-all and end-all of programming languages when it comes to performance - it's preposterous!
LCA: Lessons from 30 years of Sendmail Posted Feb 4, 2011 3:19 UTC (Fri) by dskoll (subscriber, #1630) [Link] I don't mean to insult you, but this is exactly the mindset I mean. Meh... everyone tends to like tools he/she is familiar with. That's just human nature. Maybe some Perl or Ruby fanatics will eventually write an MTA in their language... Any decent language has a foreign function interface for calling C functions. But... but... then you're back in dangerous territory, no? No, they don't. C won't give you the fastest possible result, assembly will (portability is not an excuse, use a portable assembly language like LLVM assmbly) OK, now I know you're just arguing for the sake of argument. :) That's totally ridiculous and you know it. Anyway... go ahead. Write a UNIX MTA in something other than C or C++ and see how it fares. The proof is in the pudding.
LCA: Lessons from 30 years of Sendmail Posted Feb 4, 2011 12:59 UTC (Fri) by james (subscriber, #1325) [Link] Using qpsmtpd for traps.spamassassin.org describes how SpamAssassin had been using Postfix on a donated server for their spamtraps.Unsurprisingly, they were getting a lot of spam on that server, and postfix was having trouble keeping up. So they switched to qpsmtpd, "a flexible smtpd daemon written in Perl" which uses "Danga Interactive / Six Aparts insanely scalable event-driven asynchronous socket class". Justin reports: "results have been great we now have a pure-perl system handling heavy volumes without breaking a sweat, certainly compared to the previous system."
LCA: Lessons from 30 years of Sendmail Posted Feb 4, 2011 16:07 UTC (Fri) by dskoll (subscriber, #1630) [Link] I read that article. The problem with the Postfix solution was not Postfix, but the fact that they were filtering from a procmail-invoked Perl script. That's a huge fail. We run our Perl spam-scanner in conjunction with Sendmail, but we use the Milter interface to keep persistent Perl scanners running. The bottleneck in this system is by far the spam-scanning; Sendmail doesn't even show up on the radar.
LCA: Lessons from 30 years of Sendmail Posted Feb 5, 2011 1:23 UTC (Sat) by HelloWorld (guest, #56129) [Link] Meh... everyone tends to like tools he/she is familiar with. That's just human nature.This is another way of saying "I do it that way because I always did, but that's OK because everybody else does too.". But... but... then you're back in dangerous territory, no?Using a C library and writing the rest of the program in another language is still better than writing it all in C. OK, now I know you're just arguing for the sake of argument. :) That's totally ridiculous and you know itIt's not, you just didn't understand my point. You said that MTA authors attempt to make their software as efficient as possible, which, together with the fact that most MTAs are written in C, implies that C is the language you can write the most efficient software in. But this simply isn't the case: C is just one spot among many, many, many others on the efficiency-vs.-comfort curve. More specifically, it is not on the performance maximum of that curve, since that's where assembly language is. Yet, many (most?) people seem to believe that C somehow hit the perfect spot for "systems" programming. Even if that was true in 1970, people should start getting comfortable with the idea that it's not any longer.
LCA: Lessons from 30 years of Sendmail Posted Feb 5, 2011 1:51 UTC (Sat) by mjg59 (subscriber, #23239) [Link]
Yet, despite C++ having been available for so long, there's still a distinct lack of widely-used operating systems written in it. Good system programmers are often tend to be the ones familiar with the kernel underlying their code, and that means having to have a good grasp of C regardless of what you'd prefer to code in. There's a natural selection pressure in favour of C even if there are arguably better choices.
(The first significant codebase I worked on was C++, and I've probably still written more Perl than I have C)
LCA: Lessons from 30 years of Sendmail Posted Feb 5, 2011 17:10 UTC (Sat) by dskoll (subscriber, #1630) [Link] But this simply isn't the case: C is just one spot among many, many, many others on the efficiency-vs.-comfort curve. More specifically, it is not on the performance maximum of that curve, since that's where assembly language is. It's not a smooth curve. The transition from C to assembly involves a *huge* increase in the difficulty curve with a relatively modest increase in the efficiency curve. C is a just-high-enough/just-low-enough level language to hit a sweet spot in efficiency-vs-difficulty. But you already know this and are just arguing for the sake of it.
LCA: Lessons from 30 years of Sendmail Posted Feb 6, 2011 1:37 UTC (Sun) by HelloWorld (guest, #56129) [Link]
> But you already know this and are just arguing for the sake of it.
No, I merely disagree with you. C doesn't sit in a sweet spot, as there are many, many useful features that could be added without compromising efficiency, like templates, modules, proper macros and many more. Anyway, discussing this with you is obviously pointless by now.
LCA: Lessons from 30 years of Sendmail Posted Feb 4, 2011 7:34 UTC (Fri) by yoe (subscriber, #25743) [Link]
I find it interesting that you detract from C as an unsafe language by advocating for assembler.
LCA: Lessons from 30 years of Sendmail Posted Feb 4, 2011 23:45 UTC (Fri) by giraffedata (subscriber, #1954) [Link] I find it interesting that you detract from C as an unsafe language by advocating for assembler. He didn't advocate for assembler. It was reductio ad absurdum -- if fast is the only consideration, you would use assembler. Since you don't use assembler, fast is not the only consideration. Since fast is not the only consideration, maybe you should consider safety. Or lower development cost (with which you can probably pay for the extra hardware you need compared to the C or assembler implementation at the same speed).
LCA: Lessons from 30 years of Sendmail Posted Feb 5, 2011 2:07 UTC (Sat) by nybble41 (subscriber, #55106) [Link]
Actually, even if speed is your only consideration you are still likely to be better off using C rather than assembler where possible. A decent compiler can generate better-optimized code from C source than all but the best assembler programmers could write by hand.
That is not to say that there are no other relevant considerations, but other languages are not necessarily any safer or easier to develop in than C; it varies depending on the project. Sometimes there really is no other viable alternative. For example, the only other realistic systems programming language I know of is D, which (while otherwise a great language) is not as portable as C (yet), nor nearly as well established so far as libraries and tool support are concerned.
LCA: Lessons from 30 years of Sendmail Posted Feb 26, 2011 13:16 UTC (Sat) by job (guest, #670) [Link]
You are being inflammatory. The choice of programming language is clearly not the most important part of secure coding. Otherwise I'd expect you to run a Python based sshd on your system, no?
C is good because it is trivial and easy to read when done properly. Token expansion or resource exhaustion won't creep up on you from the underlying libraries.
There are of course other aspects to it. Given the choice between a C daemon and a Python one, without knowing the program I too would probably pick the latter one, but it all boils down to prejudice.
LCA: Lessons from 30 years of Sendmail Posted Feb 3, 2011 13:05 UTC (Thu) by nix (subscriber, #2304) [Link]
Of course buffer overflows are most of the security holes we've had in sendmail. BIND seems to be about evenly divided between that and DoS attacks (and I defy you to find a language that can avoid *those*.)
|
|||||||||||||