“Ilja van Sprundel, a security researcher with IOActive, has discovered a large number of issues in the way various X client libraries handle the responses they receive from servers, and has worked with X.Org’s security team to analyze, confirm, and fix these issues.”
Surely there should be some automated process just to go through and check for this kind of fundamental error.
And which automated process would that be? Coverity already have coverage over x.org and they are arguably one of the most effective automated tools.
Does it cover this kind of error?
“These calls do not check that the lengths and/or indexes returned by the server are within the bounds specified by the caller or the bounds of the memory allocated by the function, so could write past the bounds of allocated memory when storing the returned data.”
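An added example (not from the advisory or any X.Org code) of the check the quoted passage says was missing: a constructed reply header claims an item count, and the hardened copy validates that count against both the caller's buffer and the bytes actually received. The struct layout and all names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed reply: the peer's header claims how many 4-byte items
 * follow; data/data_len are the payload bytes actually received.
 * Hypothetical layout, not the X protocol's real wire format. */
struct reply { uint32_t count; const unsigned char *data; size_t data_len; };

/* Decode one little-endian item; no alignment or host-order assumption. */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The pattern the advisory describes uses r->count straight from the peer
 * as the loop bound, writing past 'out' when it exceeds out_len and reading
 * past the received bytes when it exceeds data_len/4. The hardened form
 * below checks both before touching either buffer. Returns 0 and sets
 * *copied on success, -1 (with *copied == 0) when the reply is rejected. */
int copy_reply_checked(const struct reply *r, uint32_t *out, size_t out_len,
                       size_t *copied)
{
    *copied = 0;
    if (r->count > out_len)                 /* would overrun caller's buffer */
        return -1;
    if ((size_t)r->count > r->data_len / 4) /* claims more than arrived */
        return -1;
    for (uint32_t i = 0; i < r->count; i++)
        out[i] = le32(r->data + 4u * i);
    *copied = r->count;
    return 0;
}

/* Constructed wire payload: three items with values 1, 2, 3. */
static const unsigned char sample_wire[12] = {1,0,0,0, 2,0,0,0, 3,0,0,0};

/* Header claims 6 items into a 4-slot buffer: returns 1 if rejected. */
int demo_rejects_oversized_count(void)
{
    struct reply r = { 6, sample_wire, sizeof sample_wire };
    uint32_t out[4]; size_t n = 99;
    return copy_reply_checked(&r, out, 4, &n) == -1 && n == 0;
}

/* Honest header: returns the third item (3) once all three are copied. */
uint32_t demo_accepts_valid_reply(void)
{
    struct reply r = { 3, sample_wire, sizeof sample_wire };
    uint32_t out[4]; size_t n = 0;
    if (copy_reply_checked(&r, out, 4, &n) != 0 || n != 3) return 0;
    return out[2];
}
```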
Hi,
The problem is that for some languages (C, C++) it’s impossible to (e.g.) tell the difference between a potential overflow that can’t happen, an intentional potential overflow that is meant to happen, and an erroneous potential overflow.
For a simple example consider this:
int foo(int b, int c) {
    int a = b + c;   /* signed overflow here is undefined behaviour in C */
    return a;
}
This is a potential overflow, but can it happen (you’d have to analyse all the callers to determine the range/s of values that might be passed), and if it can happen is it intentional?
The other problem is that these languages don’t support range limiting. For example, you can’t do something like “typedef int range 1 to 12 monthType;”. This means that if you solve the first problem you still can’t determine when something is out of range.
The end result is that it’s impossible for a tool to detect when a programmer has failed to validate data from an external source.
– Brendan
Brendan,
“The problem is that for some languages (C, C++) it’s impossible to (e.g) tell the difference between a potential overflow that can’t happen, an intentional potential overflow that is meant to happen, and an erroneous potential overflow.”
It’s true the C language doesn’t do a good job of allowing the programmer to express intent with regards to overflow. I’ve always been disappointed that it doesn’t even expose a carry flag given how indispensable it is for multi-word algorithms. In retrospect, it was a mistake not to expose overflow.
Many languages allow the compiler to handle numeric overflow, I don’t really know why C doesn’t.
http://www.codeproject.com/Articles/7776/Arithmetic-Overflow-Checki…
Still, an unchecked structural bounds overflow is far worse since the unbounded access to this structure (via indexes/pointers) can give an attacker a window to the entire process space. While C could help here by implementing range checked array access, there’s no trivial way to guarantee the validity of code that uses pointers. Of course, managed languages don’t bother offering them for this reason.
Use a proper systems programming language and make C and C++ join PL/I.
Failing that, only -Wall -Wpedantic -Werror, Lint and code review can help.
Can you think of such a language, whose implementations are fast enough for graphics-intensive work, and which interfaces well with other languages, though?
Without the former requirement, a number of core C/C++ libraries will always be required. Think of OpenGL itself, as an example, and often that alone is not enough.
Without the latter, you can make the most beautiful library in the world, but it will still largely fade into irrelevance, since only users of the programming language you have written it in can use it.
Edited 2013-05-24 06:09 UTC
Ada, Modula-2, Extended Pascal, ….
When I started coding in 1986, C was the language used to code for in the UNIX operating system, that was about it.
As for the C ABI, this is only relevant in the cases where the operating system ABI happens to be C compatible.
In the old days, C ABI was only relevant in the UNIX world.
z/OS, Symbian and the COM changes in Windows are a few examples of non C ABI compatible systems.
Do I have the right impression that the world has generally moved away from them?
I’m pretty sure that Ada and its various subsets are still used in the niche which the language was designed for, that is, mission-critical devices where software failure is an absolute disaster. Many teachers also seem to like it as a first programming language, arguing that it would enforce good programming practices better than other languages.
What makes me say that is, I regularly see it mentioned in online and real-world discussions which I happen to follow related to these two subjects (mission-critical environment and teaching). Of course, that’s not a reliable quantitative measurement of popularity, but qualitatively it does show that the language isn’t dead.
As for Modula-2 and Pascal dialects, however, I barely see these mentioned outside of history books and the OP’s comments, so I would be more pessimistic about them…
Edited 2013-05-25 06:38 UTC
You may have a look at Ada, which checks ranges by definition, is fast enough to work in real time systems, has tasking, packaging and OOP as a native part of the language and is designed to work well with other languages like C/C++. There is an interface for OpenGL libraries already to use.
http://libre.adacore.com/
And if you want to check for programming errors more complicated to find, like the posted one, you may have a look at SPARK, which is a subset of the Ada language to program with contracts and automatically prove your code as error free.
https://en.wikipedia.org/wiki/SPARK_%28programming_language%…
It must be warned that most Ada compilers actually don’t inject range checking code in practice unless specifically requested.
But it can still be controlled, while in C and C++ given the implicit decay of arrays into pointers and how many developers micro-optimize by using pointer arithmetic that is very hard to validate.
Even in compilers that have extensions for bounds checking.
std::array
But the point of my earlier comment was that it’s a useful thing to know for those not familiar with Ada so people don’t get caught out.
Edited 2013-05-24 11:34 UTC
Sure. I only place C++ in the same league as C due to its C foundation and it being unsafe by default.
Truth is, that C++ standard library offers ways to do safe programming and modern C++ is quite good, but there are still many companies out there that forbid modern C++ practices.
I only touched C one year long back in 1993/4, then jumped straight into C++, only using C when required to do so in university assignments and a project back in 2000.
I felt more at home in C++ as an Object Pascal refugee than with C.
At that point can you really say use this or that language to solve your problems?
The main thing I have learnt from the C programming language is that I could be doing the same things as the last language of the week, only in a more regular and deterministic way – and if I am not, it’s probably for a good reason.
C is not perfect (as of C11 threading solutions still suck), but all other languages are substantially and provably inferior.
You can pass messages and duck-type in C89. You can have as many first-class functions as you wish. You can bound-check, garbage-collect, auto-release, and optimize your tails.
On the other hand, you can’t do any of what C is good at in “first-class function” or “OOP” languages.
Frankly, I don’t think any language could do better than C, given that users of other languages consider security to equal buffer overflow prevention.
Most web site defacements involve password files stored in plain text and accessible from Google.
sakeniwefu,
“C is not perfect(as of C11 threading solutions still suck), but all other languages are substantially and provably inferior.”
I’m very interested in seeing how you’re going to go about proving it
“Frankly, I don’t think any language could do better than C, given that users of other languages consider security to equal buffer overflow prevention.”
Buffer overflows are such a serious problem with C code that we’ve had to invent hacks like ASLR just to try to limit the circumstances in which the buffer overflow bugs are exploitable.
“Most web site defacements involve password files stored in plain text and accessible from Google.”
Do you have examples of plain text password files accessible from google? If you had asked me, I would have said XSS and SQL injection. … If websites were programmed in C, buffer overflows would be right at the top
Edited 2013-05-24 15:39 UTC
But they were at the early days of the Web!
Do you remember CGIs in C, application servers as apache modules, ISAPI and ATL Server?
Tracking down pointer issues in those days with the customers shouting to technical support wasn’t fun.
moondevil,
Haha, yes you are right…but can you imagine doing it today outside of very niche applications?
No, just as web/REST interfaces to embedded systems.
I believe the configuration UIs of many routers do use C-based www toolkits (read that once on a Wiki page of one of them, IIRC); I’d argue it’s not very niche ;P
zima,
“I believe the configuration UIs of many routers do use C-based www toolkits (read that once on a Wiki page of one of them, IIRC); I’d argue it’s not very niche ;P”
I guess you’re using ‘niche’ differently than me, not in terms of market share, but in terms of the numbers of developers programming it. The number of programmers using C to write router pages has got to be tiny, even though their code will probably sell hundreds of millions of times over.
In which ANSI/ISO paragraphs are those features defined?
Okay, here’s where I ask another question.
Most C++ courses that are easily available online or in print here tend to treat C++ as a “better C”, basically a variant of C with extra features added to accommodate newer programming practices.
However, people debating here about language merits seem to imply that to the contrary, C++11, together with the STL and/or Boost, is capable of a lot more than just being C with templates and classes.
So can someone of that latter opinion point me towards pedagogical resources that actually try to teach C++ with the latter line of thought, just to see how much of a difference in language usage patterns that can make?
Here are some resources,
http://herbsutter.com/
http://www.isocpp.org/
http://channel9.msdn.com/Tags/cppbeyond+2012
http://channel9.msdn.com/Tags/c++11
http://channel9.msdn.com/Series/C9-Lectures-Stephan-T-Lavavej-Core-…
http://channel9.msdn.com/Series/C9-Lectures-Stephan-T-Lavavej-Stand…
http://channel9.msdn.com/Series/C9-Lectures-Stephan-T-Lavavej-Advan…
Thanks!
Well, now the most important addition is lambda functions, which far removes C++11 from anything C is capable of. Also a natural for/each syntax. And initializing things from lists, which also work with for/each, so you don’t have to shove them into a container first.
Strangely enough, I find that Python is a good way to learn what’s possible with C++11 + STL/Boost. Python is a lot cleaner, but the translation of the concepts for Python lists/sets/maps/iterators is straightforward in most cases. With the new auto type specifier, C++11 is actually almost as clean as Python now, actually.
No more "typename std::list<T>::iterator i = alist.begin()", just "auto i = alist.begin()".
#include <algorithm>
#include <future>
#include <iostream>
#include <vector>

int main()
{
    for( auto name : { "Alice", "Bob", "Carol", "David", "Enid",
                       "Fran", "Gunther", "Harold", "Iris", "Jen" } )
    {
        // The std::future returned by std::async is discarded here; its
        // destructor waits for the task, so these tasks run one after another.
        std::async( std::launch::async, [name]()
        {
            std::vector<int> numbers { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 };
            // std::random_shuffle was deprecated in C++14 and removed in C++17;
            // std::shuffle with an explicit engine is the replacement.
            std::random_shuffle( std::begin(numbers), std::end(numbers) );
            for( auto number : numbers )
            {
                std::cout << name << " says: " << number << std::endl;
            }
        });
    }
}
If anyone interested in safe systems programming hasn’t heard of ATS, I’d suggest having a look: http://www.ats-lang.org/
+1, since I cannot vote.
It warms my ML heart.
Thank you and moondevil for pointing me in the Ada direction. I overlooked its ability of interfacing well with other languages, which together with its other strengths would definitely make it worth trying out to me.
(Making my “to-learn” list now contain three groups of languages : Ada 2012 or Squeak, Haskell or Scheme, and Fortran)
@moondevil : I disagree regarding the importance of the system having a C ABI.
It is true that if every computer was running, say, Microsoft Singularity, C# would take the place of C today as a lingua franca among library developers, and that it could even be a good thing. But at this point in time, most computers seem to be running either a variant of Windows or Unix, which are both C/++ based.
Consequently, whenever a programming language has to interface with the rest of the programming world, it will tend to do so using a mechanism that greatly favors C libraries over others (think JNI, P/Invoke, Cgo). Moreover, as of today, most popular libraries are also implemented in C or C++, and are consequently designed for the C or the C++ ABI, with wrappers for other languages coping with that fact with variable success.
This, and not some alleged intrinsic superiority of C over other languages, would lead me to believe that being able to interface with C is indirectly important for a general-purpose programming language today.
Now, if some bright minds produced a superior language-agnostic library interface, and if that started to get very wide acceptance even across OS boundaries, I would certainly be interested in using that instead of helping keep the C monopoly alive.
Edited 2013-05-24 18:07 UTC
Good luck using a C ABI with WinRT or Symbian.
Symbian is as good as dead now, and whether WinRT will reach wide acceptance in the future remains to be seen considering the lukewarm reception of Windows 8.
Again, I was talking about the world we live in today, and which we are going to stay in for, say, 5 years from now at least.
Edited 2013-05-24 18:21 UTC
Then good luck with a C ABI in z/OS, which uses a kernel level JIT where all userspace applications are bytecode, which is JITted at installation time.
moondevil,
“Then good luck with a C ABI in z/OS, which uses a kernel level JIT where all userspace applications are bytecode, which is JITted at installation time.”
I’m afraid that I have no familiarity with anything to do with z/OS outside of CICS/JCL. They’re quirky, but impressive at handling huge transaction batches compared to the inefficient code bloated frameworks we find elsewhere.
I’ve actually done C development on z/OS (I learned that strdup wasn’t actually part of the C standard). It was a userspace app designed to manipulate CICS BMS map files. It was for a client of a client, with whom I was contractually prohibited from working directly. Nevertheless their z/OS middleware development was done in C. I didn’t think anything of it, but now that it comes up I’m curious what most mainframe shops are using these days, COBOL?
I know nothing of z/OS system development, does anyone do that outside of IBM? What language do they use under the hood?
Oops, I made a typo, I meant i5/OS, the OS for AS/400 systems formerly known as OS/400.
I always mix it with z/OS.
http://en.wikipedia.org/wiki/IBM_System_i
I was doing backups for a small AS/400 system back in 1994.
The OS was written in a mixture of PL/MI, Modula-2, C and C++.
Digging my bookmarks,
http://groups.google.com/group/comp.sys.ibm.as400.misc/browse_threa…
http://archive.midrange.com/mi400/200207/msg00001.html
The OS ABI is bytecode based. At installation time the code is JITted to a native image and it can get re-generated if the environment somehow changes.
http://www.mi.fu-berlin.de/wiki/pub/Tec/ArtLehreSystemverwaltung200…
http://pic.dhe.ibm.com/infocenter/iseries/v7r1m0/topic/apiref/MIpgm…
Starting at page 11
http://www.redbooks.ibm.com/redpieces/pdfs/ga195486.pdf
moondevil,
“Good luck using a C ABI with WinRT or Symbian.”
I might be wrong, but isn’t WinRT still implemented on top of win32s? Even if it were conceivably moved to something else, it would be really a surprise if it weren’t written in C. That’s the thing, everyone wants to have better abstractions, but they’re still building the system code in C because all the existing system code is already in C.
WinRT uses an updated version of COM implemented with C++ templates also known as Windows Runtime C++ Template Library (WRL).
To simplify its usage, you have C++ extensions known as C++/CX. Basically Microsoft is finally doing what Borland did years ago with C++ Builder.
Since deep down it is still COM, you can try to use the old COM APIs from C like in the old days, but it will be an effort similar to using pure Assembly, due to the amount of code required.
Additionally you would need to implement the code to read WinRT metadata yourself, which is part of the WinRT ABI.
Finally C is deprecated in Microsoft tooling.
Officially the C compiler will not be updated, staying at C90 standard level, meanwhile the dev teams are making their C code compile as C++ code as mentioned in one of the talks at BUILD 2012.
ISO C++ with WRL is like programming in hieroglyphics.
C with the WinRT ABI is fucking INSANE. Like it’s a masochist’s wet dream.
Here’s an example taken from StackOverflow:
C++/CX
Note: The “hat” TextBlock^ is a special smart pointer which handles IInspectable semantics for aggregation based inheritance. Another COM wart.
C++ with WRL
Vanilla C:
This is not something that a normal human being would ever want to do.
Neolander,
That’s it exactly. C has first comer advantages and is the de facto standard for all system programming. Overturning it today would require an enormous amount of energy. Even if all new C development were stopped, it still has enough momentum to continue for several more decades at least owing to its pervasiveness in existing code bases.
That’s the main problem modern languages are facing, they aren’t just competing against the older languages on merit, they’re competing against the existing code and skills that have already been invested in the older languages.
In Germany you will hardly find pure C related jobs outside the embedded industry (robotics, car equipment, general electronics stuff).
Most of these don’t look like they matter on typical desktop setups.
OTOH, I would think lots of bugs of this type bespeaks bad coding practice. I wonder if more serious vulnerabilities lurk in the bowels of Xorg. (Never mind the design flaws that allow keylogging, etc.)
That’s because X.org’s only strengths are irrelevant to most desktop setups.
the link in the article is no longer working
It has a double quote mark at the end, just delete that from the URL and it loads fine.
Fixed!