
Is it time for secure C ?

Hello,

I just downloaded MS Visual Studio 2005 Express Beta. When I tried to
compile an existing valid project, I get a lot of warnings like 'sprintf'
has been deprecated, 'strcpy' has been deprecated etc. I opened STDIO.H
and figured that one has to define a macro _CRT_SECURE_NO_DEPRECATE
to stop these warnings.

I started to search the internet and found a few links, and the following proposal

http://www.open-std.org/jtc1/sc22/wg...docs/n1031.pdf

After looking into Whidbey Beta header files I started liking this. This is
something I have been using already for static and local buffers using
macro with strncpy() and vsnprintf(), only this is better.

Although this feature should be invoked by defining _USE_SECURE_LIBS
and not be used by default, that's easy to fix in CRTDEFS.H.

Anyway, I am just wondering if anybody knows about the status of this
proposal. And also would like to read some opinions.

Roman
Nov 14 '05
> Cool. That's exactly how we handled code reviews at various places I've
worked. Writing applications for government accounting, utility (e.g.
electric, gas) mapping, building design, etc. The major difference is that
the developers didn't try "playing" much at all. We left that for the
support guy and the customers. Who needs code reviews when there are
customers, who are quite willing to tell you about any problems they find?
Besides, we were generally too busy, trying to work around fundamental
design flaws. And find the causes of those bugs the customers reported. We
had no time for code reviews.


;-)
Nov 14 '05 #31
kyle york <ky***@cisco.com> writes:
[...]
Please give an example of how it would be impossible to implement
bounds checking. I've yet to come up with a scenario that is
insurmountable. As I said before there's nothing in the language that
prevents an implementation that includes bounds checking. If I'm
wrong, please point me to chapter & verse.


I think (but I'm not certain) that reliable bounds checking could be
provided by a C implementation, but there would be a significant cost.
The simplest way to do it would be to use "fat pointers".

For example, a char* might consist of three elements:

The base address of an object, created either by an object
definition or by a call to an allocation function like malloc();

The size of the object, in bytes; and

An offset, in bytes.

(For pointers to larger types, the size and offset could be measured
either in bytes or in larger units, whichever turns out to be more
efficient.)

Pointer arithmetic (including array indexing) would operate on the
offset, and would trap if the result is outside the known bounds of
the base object. Any operation on a pointer would check whether the
base address is non-null, and whether the offset is within the bounds
of the base object.

The drawbacks are that the resulting code would be slower, pointers
would take up more space, and many useful instances of undefined
behavior (in non-portable code) would cause traps.

--
Keith Thompson (The_Other_Keith) ks***@mib.org <http://www.ghoti.net/~kst>
San Diego Supercomputer Center <*> <http://users.sdsc.edu/~kst>
We must do something. This is something. Therefore, we must do this.
Nov 14 '05 #32
In <1089303659.591128@sj-nntpcache-5> kyle york <ky***@cisco.com> writes:
Greetings,

Dan Pop wrote:
In <1089240287.803358@sj-nntpcache-3> kyle york <ky***@cisco.com> writes:

No, implementations of C make it very easy to address memory illegally.
I've not read anything in the standard that prohibits an implementation

from actually enforcing the rules.


What rules? You can convert any integer to a pointer value and the
language cannot tell whether the result is a valid pointer value or not.


So you're saying undefined behaviour is undefined. What's new? Nothing
prevents the compiler from emitting code that will trap/crash/burn in
this case.

This is assuming I understand 6.3.2.3 paragraphs 6 & 7. The way I read
this the implementation is allowed to say this results in an invalid
pointer. Simple enough.


Unless the address resulting from the conversion is the address of an
object. This adds a bit of complication to the issue.
I've given this a lot of thought of late & don't think it would be that
terribly difficult to add proper bounds checking to a good compiler.

Think harder. Review the answer I gave to Jacob Navia, on this topic,
in this very newsgroup, several months ago.


You and Jacob have had many threads in the past few months & I remember
many of them.

Please give an example of how it would be impossible to implement bounds
checking. I've yet to come up with a scenario that is insurmountable. As
I said before there's nothing in the language that prevents an
implementation that includes bounds checking. If I'm wrong, please point
me to chapter & verse.


What part of "Review the answer I gave to Jacob Navia, on this topic,
in this very newsgroup, several months ago" was too difficult for you
to understand?

I'm not saying that it is impossible, I'm saying that you're way too
optimistic when you say that it's not terribly difficult. BTW, Jacob
gave up the idea after reading my answer ;-)

Dan
--
Dan Pop
DESY Zeuthen, RZ group
Email: Da*****@ifh.de
Nov 14 '05 #33

"Keith Thompson" <ks***@mib.org> wrote in message
news:ln************@nuthaus.mib.org...
kyle york <ky***@cisco.com> writes:
[...]
Please give an example of how it would be impossible to implement
bounds checking. I've yet to come up with a scenario that is
insurmountable. As I said before there's nothing in the language that
prevents an implementation that includes bounds checking. If I'm
wrong, please point me to chapter & verse.
I think (but I'm not certain) that reliable bounds checking could be
provided by a C implementation, but there would be a significant cost.
The simplest way to do it would be to use "fat pointers".


This is the solution I have used in my string library
For example, a char* might consist of three elements:

The base address of an object, created either by an object
definition or by a call to an allocation function like malloc();

The size of the object, in bytes; and

An offset, in bytes.

My "fat" pointers consist of a length, a pointer, and a pointer to the base
object.
Each time the pointer is moved, the implementation checks that it stays
within the bounds of the original string object.

This is done dynamically, i.e. at run time.
Pointer arithmetic (including array indexing) would operate on the
offset, and would trap if the result is outside the known bounds of
the base object. Any operation on a pointer would check whether the
base address is non-null, and whether the offset is within the bounds
of the base object.
This is what my string library does

The drawbacks are that the resulting code would be slower, pointers
would take up more space, and many useful instances of undefined
behavior (in non-portable code) would cause traps.


I have never really measured since the first implementation of the
library is designed as a proof of concept, not as the final version.

The one measurement I did was the cost of function calls. On a
1.5 GHz P4 it would take several million calls to slow down the
program by just one second.

The speed penalty is quite small, and for most purposes negligible.
Nov 14 '05 #34
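The fat-pointer scheme Keith Thompson sketches in #32, and which Jacob Navia says his string library implements in #34 (length, pointer and base pointer carry the same three pieces of information in a different arrangement), written out as an added C example. This is not code from the thread or from either poster's library; fatptr_t, fat_make, fat_add, fat_get, fat_put and fat_strcpy are names chosen here. It keeps the one subtlety the scheme has to get right: a pointer one past the end of an object is legal to form and compare, but not to dereference.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fat pointer to bytes: base + size + offset.  base is the object the
 * pointer was derived from; offset may equal size (one past the end) but
 * a dereference there is refused, as is any move outside [0, size]. */
typedef struct {
    unsigned char *base;
    size_t size;
    size_t offset;
} fatptr_t;

/* Derive a fat pointer from an object of `size` bytes (array or malloc block). */
static fatptr_t fat_make(void *base, size_t size) {
    fatptr_t p;
    p.base = (unsigned char *)base;
    p.size = base ? size : 0;
    p.offset = 0;
    return p;
}

/* p += delta, checked.  Returns 0 on success; -1 (and p unchanged) if the
 * result would leave the base object or p has no base. */
static int fat_add(fatptr_t *p, ptrdiff_t delta) {
    if (p->base == NULL || delta == PTRDIFF_MIN) return -1;
    if (delta < 0) {
        size_t back = (size_t)(-delta);
        if (back > p->offset) return -1;
        p->offset -= back;
    } else {
        size_t fwd = (size_t)delta;
        if (fwd > p->size - p->offset) return -1;
        p->offset += fwd;
    }
    return 0;
}

/* *p for reading and writing.  -1 if p is null or sits one past the end. */
static int fat_get(const fatptr_t *p, unsigned char *out) {
    if (p->base == NULL || p->offset >= p->size) return -1;
    *out = p->base[p->offset];
    return 0;
}

static int fat_put(fatptr_t *p, unsigned char value) {
    if (p->base == NULL || p->offset >= p->size) return -1;
    p->base[p->offset] = value;
    return 0;
}

/* strcpy over a fat destination: 0 on success, -1 if src plus its
 * terminator does not fit.  Bytes already copied stay, but nothing is
 * ever written past the end of dst's base object. */
static int fat_strcpy(fatptr_t dst, const char *src) {
    for (;;) {
        if (fat_put(&dst, (unsigned char)*src) != 0) return -1;
        if (*src == '\0') return 0;
        src++;
        if (fat_add(&dst, 1) != 0) return -1;
    }
}

/* The textbook off-by-one: i <= 10 over a 10-element array.  A raw pointer
 * silently scribbles past the array; the checked store refuses, and we
 * return the index at which it tripped. */
static int off_by_one_trap_index(void) {
    unsigned char arr[10];
    fatptr_t p = fat_make(arr, sizeof arr);
    int i;
    for (i = 0; i <= 10; i++) {
        if (fat_put(&p, 0xCA) != 0) return i;
        (void)fat_add(&p, 1);   /* moving to one past the end is legal, so this succeeds at i == 9 */
    }
    return -1;                  /* not reached */
}

int main(void) {
    char buf[4];
    fatptr_t d = fat_make(buf, sizeof buf);
    printf("fat_strcpy(\"abc\")  -> %d\n", fat_strcpy(d, "abc"));   /* 0: fits */
    printf("fat_strcpy(\"abcd\") -> %d\n", fat_strcpy(d, "abcd"));  /* -1: refused */
    printf("off-by-one store trapped at index %d\n", off_by_one_trap_index());  /* 10 */
    return 0;
}
```

Every pointer move and every dereference is a compare-and-branch, and the pointer is three words instead of one, which is the cost Keith describes; the payoff is that the off-by-one becomes a deterministic trap at index 10 instead of a write into whatever happens to follow the array.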

On Thu, 8 Jul 2004, Keith Thompson wrote:

kyle york <ky***@cisco.com> writes:
[...]
Please give an example of how it would be impossible to implement
bounds checking. I've yet to come up with a scenario that is
insurmountable. As I said before there's nothing in the language that
prevents an implementation that includes bounds checking. If I'm
wrong, please point me to chapter & verse.
I think (but I'm not certain) that reliable bounds checking could be
provided by a C implementation, but there would be a significant cost.
The simplest way to do it would be to use "fat pointers".


I seem to recall objections centering around the way pointer
representations interact with, say, arrays of unsigned char and
a few ill-advised memcpys. Consider

char *p;
unsigned char foo[sizeof p];
p = malloc(42);
*p = PERFECTLY_FINE;                    /* a valid store */
memcpy(foo, &p, sizeof p);              /* stash the pointer's bytes */
free(p);
memcpy(&p, foo, sizeof p);              /* bring them back: same bits... */
*p = SAME_BITS_INVOLVED_BUT_INCORRECT;  /* ...but the object is gone */

Now, this is the kind of thing that can be handled perfectly well
by a clever malloc package... but I think there *were* other examples
that really couldn't be handled correctly 100% of the time.

The drawbacks are that the resulting code would be slower, pointers
would take up more space, and many useful instances of undefined
behavior (in non-portable code) would cause traps.


If it causes a trap, it's not very useful, is it now? ;) That
last objection is just saying that non-portable code is not portable
to some implementations --- and that's true by definition! The
first two objections are true enough, though.

Of course, you *could* use the Hypothetical Nice Implementation to
test and debug your code, and then move to the Real-World Dangerous
Implementation for release. It would just be one step more advanced
than the widespread "Debug Version/Release Version" paradigm.

-Arthur
Nov 14 '05 #35
Greetings,

Keith Thompson wrote:
kyle york <ky***@cisco.com> writes:
[...]
For example, a char* might consist of three elements:

The base address of an object, created either by an object
definition or by a call to an allocation function like malloc();

The size of the object, in bytes; and

An offset, in bytes.


I was thinking one more level of indirection -- a pointer has a
descriptor + offset. The descriptor has reference count, base, size, and
flags. The biggest problem at the moment is how to handle pointers
embedded in structures & unions, specifically if a structure is freed
while an embedded pointer is still valid.

Yes, this does lead to a code size & performance hit but I suspect it
would still be incredibly useful, especially for people learning C and
arguably even for most user applications considering the number of hacks
out there trying to prevent things like buffer overflow. If there's a 10%
performance hit but a guarantee of safety I'd buy it.

An added benefit would be garbage collection for free.

Anyway, my original point was simply that there's nothing *in the
language* that forbids safe pointers, it's just no one has bothered to
implement them.

--
Kyle A. York
Sr. Subordinate Grunt
Nov 14 '05 #36
kyle york <ky***@cisco.com> wrote in message news:<1089240287.803358@sj-nntpcache-3>...
Greetings,

Malcolm wrote:
"Richard Bos" <rl*@hoekstra-uitgeverij.nl> wrote in message
It isn't. Insecure programming is the rule anywhere rank amateurs or
poor professionals program in any language; it is not the rule where
real professionals or dedicated amateurs program, in C no more than in
Ada.


C makes it very easy to address memory illegally. This problem can be solved
by using another language, at the cost of some runtime inefficiency and loss
of simplicity.


No, implementations of C make it very easy to address memory illegally.
I've not read anything in the standard that prohibits an implementation
from actually enforcing the rules.

I've given this a lot of thought of late & don't think it would be that
terribly difficult to add proper bounds checking to a good compiler.


Depends. If you ask for static checking, quite easy[1]; if runtime,
difficult but yes, possible. But then again it can be implemented in
std C only if there is a universal appeal for it. And IMO we aren't
getting there anytime soon.

Actually many compilers _do_ indeed support runtime checking, but that
is only at debug time; release builds don't have much run-time
checking.

But then again you already knew this.
[1] Will it be able to detect?

int arr[10];

int x = 10;
for ( int i = 0; i <= x; ++i ) { arr[i] = 0xCAFE; }
--
Imanpreet Singh Arora
isingh AT acm DOT org
Nov 14 '05 #37
"Keith Thompson" <ks***@mib.org> wrote in message
news:ln************@nuthaus.mib.org...
kyle york <ky***@cisco.com> writes:
[...]
Please give an example of how it would be impossible to implement
bounds checking. I've yet to come up with a scenario that is
insurmountable. As I said before there's nothing in the language that
prevents an implementation that includes bounds checking. If I'm
wrong, please point me to chapter & verse.


I think (but I'm not certain) that reliable bounds checking could be
provided by a C implementation, but there would be a significant cost.
The simplest way to do it would be to use "fat pointers".

For example, a char* might consist of three elements:
.....


Actually, Microsoft's Secure C proposal is even simpler. It provides
augmented library functions for every case where a buffer size is
not explicitly spelled out in the existing calling sequence. That
permits code reviewers, the compiler, and the library code itself
to do considerably more checking -- without the need for widespread
use of fat pointers. Couple that with the inexpensive but effective
stack fences now generated by VC++ and you get quite a bit more
reliability for a remarkably small cost in performance and code
complexity.

P.J. Plauger
Dinkumware, Ltd.
http://www.dinkumware.com
Nov 14 '05 #38
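What the n1031 / Microsoft "secure" library functions add, shown as an added C example rather than the thread's or Microsoft's code: the same copy and format operations with the destination size as an explicit parameter, next to the unchecked "before" version for contrast. bounded_strcpy, bounded_sprintf, greet_unsafe and greet_safe are names chosen here; their return conventions (0 or an errno value, empty string left in the destination on failure) follow the general shape of the proposed _s functions but are this example's own simplification.

```c
#include <errno.h>
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* strcpy with the destination size spelled out.  Returns 0 on success;
 * EINVAL for a null or zero-size argument; ERANGE if src plus its
 * terminator does not fit.  On failure dst, when usable, holds the empty
 * string rather than a truncated or unterminated one. */
static int bounded_strcpy(char *dst, size_t dstsz, const char *src) {
    size_t i;
    if (dst == NULL || dstsz == 0) return EINVAL;
    if (src == NULL) { dst[0] = '\0'; return EINVAL; }
    for (i = 0; i < dstsz; i++) {
        dst[i] = src[i];              /* never reads past src's terminator, never writes past dstsz */
        if (src[i] == '\0') return 0;
    }
    dst[0] = '\0';
    return ERANGE;
}

/* sprintf with a destination size.  vsnprintf already refuses to overrun;
 * what the wrapper adds is treating truncation as an error the caller
 * cannot overlook instead of quietly handing back a cut-off string.
 * Returns the number of characters written, or -1. */
static int bounded_sprintf(char *dst, size_t dstsz, const char *fmt, ...) {
    va_list ap;
    int n;
    if (dst == NULL || dstsz == 0) return -1;
    va_start(ap, fmt);
    n = vsnprintf(dst, dstsz, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    return n;
}

/* Before: the pattern the new compiler warns about.  Nothing at the call
 * site says how big `out` is, so neither a reviewer nor the library can
 * check that "hello " plus name fits. */
static void greet_unsafe(char *out, const char *name) {
    strcpy(out, "hello ");
    strcat(out, name);
}

/* After: the size travels with the pointer, each step is checked, and the
 * caller gets an error it has to handle rather than a corrupted stack or
 * heap.  Returns 0 or an errno value; on failure out is the empty string. */
static int greet_safe(char *out, size_t outsz, const char *name) {
    size_t used;
    int rc = bounded_strcpy(out, outsz, "hello ");
    if (rc != 0) return rc;
    used = strlen(out);
    rc = bounded_strcpy(out + used, outsz - used, name);
    if (rc != 0) out[0] = '\0';      /* no half-built greeting on failure */
    return rc;
}

int main(void) {
    char big[32], small[8];
    greet_unsafe(big, "world");      /* only safe because we happen to know 32 is enough */
    printf("%s\n", big);
    printf("rc=%d [%s]\n", greet_safe(big, sizeof big, "world"), big);       /* rc=0 [hello world] */
    printf("rc=%d [%s]\n", greet_safe(small, sizeof small, "world"), small); /* rc=ERANGE [] */
    printf("rc=%d [%s]\n", bounded_sprintf(small, sizeof small, "%d-%d", 12345, 67890), small); /* rc=-1 [] */
    return 0;
}
```

The idiom only works when the size is real: sizeof buf is right for an array in scope and silently wrong (the size of a pointer) once buf has decayed to a char *, so the size has to be threaded through as a parameter the way greet_safe does. As for the status Roman asks about: this proposal did go forward, becoming ISO/IEC TR 24731-1 and later the optional Annex K of C11, which few implementations other than Microsoft's ship.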
"P.J. Plauger" <pj*@dinkumware.com> wrote in message
news:0i*******************@nwrddc01.gnilink.net...
"Keith Thompson" <ks***@mib.org> wrote in message
news:ln************@nuthaus.mib.org...
kyle york <ky***@cisco.com> writes:
[...]
Please give an example of how it would be impossible to implement
bounds checking. I've yet to come up with a scenario that is
insurmountable. As I said before there's nothing in the language that
prevents an implementation that includes bounds checking. If I'm
wrong, please point me to chapter & verse.


I think (but I'm not certain) that reliable bounds checking could be
provided by a C implementation, but there would be a significant cost.
The simplest way to do it would be to use "fat pointers".

For example, a char* might consist of three elements:
.....


Actually, Microsoft's Secure C proposal is even simpler. It provides
augmented library functions for every case where a buffer size is
not explicitly spelled out in the existing calling sequence. That
permits code reviewers, the compiler, and the library code itself
to do considerably more checking -- without the need for widespread
use of fat pointers. Couple that with the inexpensive but effective
stack fences now generated by VC++ and you get quite a bit more
reliability for a remarkably small cost in performance and code
complexity.


What is "stack fence" ? Would it be swapping variables described in

http://blogs.msdn.com/tims/archive/2.../30/57439.aspx

I noticed in VC++ that it sometimes moves the stack pointer by approx
1k down when calling certain functions, and also swaps the order of arguments.
I was not able to follow this even when stepping through single instructions;
the stack just changed all of a sudden when entering the function.

Roman
Nov 14 '05 #39
"Roman Ziak" <ro***@nospam.com> wrote in message
news:ch*********************@news20.bellglobal.com...
Actually, Microsoft's Secure C proposal is even simpler. It provides
augmented library functions for every case where a buffer size is
not explicitly spelled out in the existing calling sequence. That
permits code reviewers, the compiler, and the library code itself
to do considerably more checking -- without the need for widespread
use of fat pointers. Couple that with the inexpensive but effective
stack fences now generated by VC++ and you get quite a bit more
reliability for a remarkably small cost in performance and code
complexity.


What is "stack fence" ? Would it be swapping variables described in

http://blogs.msdn.com/tims/archive/2.../30/57439.aspx

I noticed in VC++ that it sometimes moves the stack pointer by approx
1k down when calling certain functions, and also swaps the order of arguments.
I was not able to follow this even when stepping through single instructions;
the stack just changed all of a sudden when entering the function.


The article describes part of the machinery; there's a bit more.
Basically, the stack frames are organized so that it's much harder
for a buffer overrun to subvert a program and go unnoticed.

P.J. Plauger
Dinkumware, Ltd.
http://www.dinkumware.com
Nov 14 '05 #40
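A simulation of the stack fence Plauger and Roman are discussing, as an added C example (not from the thread and not VC++'s own code): a guard word placed between the local array and the "saved" state, checked before the frame is abandoned, with two frame layouts to show why the compiler also reorders locals so that arrays sit next to the guard. The frames are ordinary structs so the overrun stays well-defined C; FENCE_VALUE, naive_frame_t, fenced_frame_t, overrun and the run_* functions are names and values chosen here, and a real implementation randomises the guard rather than using a constant.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FENCE_VALUE 0x5AFEC0DEu   /* guard word; real implementations randomise it per process */

/* Two simulated frames holding the same locals.  In the naive layout the
 * scalar is_admin sits between the array and the fence; in the fenced
 * layout the array is moved next to the fence, so anything running off the
 * end of buf hits the guard before it reaches anything that matters. */
typedef struct {
    char buf[16];
    uint32_t is_admin;
    uint32_t fence;
    uint32_t saved_ret;   /* stands in for the saved return address */
} naive_frame_t;

typedef struct {
    uint32_t is_admin;
    char buf[16];
    uint32_t fence;
    uint32_t saved_ret;
} fenced_frame_t;

enum { OVERRUN_HARMLESS = 0, OVERRUN_MISSED = 1, OVERRUN_CAUGHT = 2 };

/* The unchecked write a fence is meant to catch: n attacker bytes starting
 * at buf, as an unbounded strcpy into buf would do.  The payload is a
 * constructed run of 'A's; the write is clipped to the end of the frame
 * only so the simulation itself stays defined C. */
static void overrun(void *frame, size_t framesz, size_t bufoff, size_t n) {
    unsigned char payload[64];
    memset(payload, 'A', sizeof payload);
    if (n > sizeof payload) n = sizeof payload;
    if (n > framesz - bufoff) n = framesz - bufoff;
    memcpy((unsigned char *)frame + bufoff, payload, n);
}

/* Run one overrun of n bytes against each layout and report what the
 * epilogue check would see: the fence tripped (CAUGHT), a local silently
 * clobbered with the fence intact (MISSED), or nothing touched (HARMLESS). */
static int run_naive(size_t n) {
    naive_frame_t f = { {0}, 0, FENCE_VALUE, 0x11111111u };
    overrun(&f, sizeof f, offsetof(naive_frame_t, buf), n);
    if (f.fence != FENCE_VALUE) return OVERRUN_CAUGHT;
    return f.is_admin != 0 ? OVERRUN_MISSED : OVERRUN_HARMLESS;
}

static int run_fenced(size_t n) {
    fenced_frame_t f = { 0, {0}, FENCE_VALUE, 0x11111111u };
    overrun(&f, sizeof f, offsetof(fenced_frame_t, buf), n);
    if (f.fence != FENCE_VALUE) return OVERRUN_CAUGHT;
    return f.is_admin != 0 ? OVERRUN_MISSED : OVERRUN_HARMLESS;
}

int main(void) {
    size_t n;
    for (n = 16; n <= 24; n += 4)
        printf("%2zu bytes into buf[16]: naive=%d fenced=%d\n",
               n, run_naive(n), run_fenced(n));
    /* 16: 0 0    20: naive 1 (is_admin flipped, fence intact), fenced 2    24: 2 2 */
    return 0;
}
```

The naive layout shows the gap the reordering closes: a 17 to 20 byte overrun flips is_admin without touching the fence, and the epilogue check passes. A fence also only detects writes that cross it, and only when the function returns; an over-read, or an overrun that lands entirely inside other locals, still goes unnoticed.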
