Is it time for secure C ?

Hello,

I just downloaded MS Visual Studio 2005 Express Beta. When I tried to
compile an existing valid project, I got a lot of warnings like 'sprintf'
has been deprecated, 'strcpy' has been deprecated etc. I opened STDIO.H
and figured that one has to define a macro _CRT_SECURE_NO_DEPRECATE
to stop these warnings.

I started to search the internet and found a few links, and the following proposal

http://www.open-std.org/jtc1/sc22/wg...docs/n1031.pdf

After looking into Whidbey Beta header files I started liking this. This is
something I have been using already for static and local buffers using
macro with strncpy() and vsnprintf(), only this is better.

Although this feature should be invoked by defining _USE_SECURE_LIBS
and not be used by default, that's easy to fix in CRTDEFS.H.

Anyway, I am just wondering if anybody knows about the status of this
proposal. And also would like to read some opinions.

Roman
Nov 14 '05
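
The macro approach the original post describes for static and local buffers (strncpy() and vsnprintf() with the size taken from the array itself), as an added example. It is not the poster's code, not Microsoft's CRT and not the interface from the linked proposal; the names BUF_SIZE, copy_bounded, format_bounded, COPY_TO_ARRAY and FORMAT_TO_ARRAY are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Element count of a true array (static or local buffer). Wrong for pointers. */
#define BUF_SIZE(buf) (sizeof(buf) / sizeof((buf)[0]))

/* Bounded copy built on strncpy(). strncpy() leaves dst unterminated when
   src does not fit, so the terminator is written explicitly.
   Returns 0 if src fit, -1 if it was truncated or an argument was invalid. */
static int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || dstsz == 0 || src == NULL)
        return -1;
    strncpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';
    return strlen(src) < dstsz ? 0 : -1;
}

/* Bounded formatting built on vsnprintf(); same return convention. */
static int format_bounded(char *dst, size_t dstsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (dst == NULL || dstsz == 0 || fmt == NULL)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(dst, dstsz, fmt, ap);
    va_end(ap);
    if (n < 0) {
        dst[0] = '\0';
        return -1;
    }
    dst[dstsz - 1] = '\0';  /* pre-C99 variants may not terminate on overflow */
    return (size_t)n < dstsz ? 0 : -1;
}

/* The size comes from the array, so a call site cannot pass a stale length. */
#define COPY_TO_ARRAY(buf, src)   copy_bounded((buf), BUF_SIZE(buf), (src))
#define FORMAT_TO_ARRAY(buf, ...) format_bounded((buf), BUF_SIZE(buf), __VA_ARGS__)

int main(void)
{
    char name[8];  /* constructed sample: input longer than the buffer */
    int rc = COPY_TO_ARRAY(name, "a-constructed-long-input");
    printf("rc=%d name=\"%s\"\n", rc, name);
    return 0;
}
```

Truncation is reported to the caller instead of passing silently, which is the case plain strncpy() call sites tend to miss.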
In <ln************@nuthaus.mib.org> Keith Thompson <ks***@mib.org> writes:
> One point of a secure C standard would be to minimize instances of
> *dangerous* undefined behavior, not necessarily to eliminate all
> undefined behavior.

I'd use the word "gratuitous" instead of "dangerous", as the C standard
doesn't distinguish between dangerous undefined behaviour and innocuous
undefined behaviour. Invoke undefined behaviour only when you *need* to
do so.

Dan
--
Dan Pop
DESY Zeuthen, RZ group
Email: Da*****@ifh.de
Nov 14 '05 #61
In <40*********************@news.club-internet.fr> Guillaume <"grsNOSPAM at NOTTHATmail dot com"> writes:
>> Windows was designed with no security concerns whatsoever. By the time they
>> wanted to add security, they realised that backward compatibility
>> requirements were limiting their options. Things got slowly better
>> but Windows is still lagging behind systems designed with security in
>> mind from the very beginning.
>
> This is not true of the NT line. It was designed with security in mind,
> right from the start.

It is true of the NT line, too, because security concerns have been
overridden by backward compatibility concerns. So, although the NT
kernel itself is quite secure and well designed, other layers of the OS,
running with enough privileges to cause all kinds of problems, crashes
included, aren't.

Dan
--
Dan Pop
DESY Zeuthen, RZ group
Email: Da*****@ifh.de
Nov 14 '05 #62
> It is true of the NT line, too, because security concerns have been
> overridden by backward compatibility concerns. So, although the NT
> kernel itself is quite secure and well designed, other layers of the OS,
> running with enough privileges to cause all kinds of problems, crashes
> included, aren't.

Care to give some precise examples?
Nov 14 '05 #63
Dan Pop wrote:
> In <40*********************@news.club-internet.fr> Guillaume <"grsNOSPAM at NOTTHATmail dot com"> writes:
>
>>> Windows was designed with no security concerns whatsoever. By the time they
>>> wanted to add security, they realised that backward compatibility
>>> requirements were limiting their options. Things got slowly better
>>> but Windows is still lagging behind systems designed with security in
>>> mind from the very beginning.
>>
>> This is not true of the NT line. It was designed with security in mind,
>> right from the start.
>
> It is true of the NT line, too, because security concerns have been
> overridden by backward compatibility concerns. So, although the NT
> kernel itself is quite secure and well designed, other layers of the OS,
> running with enough privileges to cause all kinds of problems, crashes
> included, aren't.

How might one make a judgement on the NT kernel relative to its
design? What data is at hand as to its security? How might one
determine that it is well designed?

--
Joe Wright mailto:jo********@comcast.net
"Everything should be made as simple as possible, but not simpler."
--- Albert Einstein ---
Nov 14 '05 #64
Guillaume <"grsNOSPAM at NOTTHATmail dot com"> wrote:

> One major difference is that Windows NT was not a real multi-user
> OS like the Un*x have been for decades. And Windows 2003 still
> compares pale in comparison with a Un*x-like in terms of multi-user
> support and security.

I'm not so sure. Windows security features seem to be a superset of
common Unix ones. Or are you talking about the out-of-the-box
permission settings?

> One very good example is Google. It has been tremendously effective.
> We can even say that it's a rare example in the IT world. When's
> the last time you wanted to use Google and it was unavailable, or
> buggy?

Google Groups had a problem a few weeks ago, where no messages updated
for a few days (and a few times, new messages would appear and then
disappear again).

> I haven't seen that. It has never happened. For the record,
> Google uses over 100,000 servers all over the world, and they all
> run under Linux flavors. Something that obviously cannot be ignored.

Google uses a thing where if one node goes down then everything else
works around it so the appearance to the end user is seamless. So you
can't infer from this that all its machines are bug-free and reliable etc.
Nov 14 '05 #65
Guillaume <"grsNOSPAM at NOTTHATmail dot com"> wrote:
> > It is true of the NT line, too, because security concerns have been
> > overridden by backward compatibility concerns. So, although the NT
> > kernel itself is quite secure and well designed, other layers of the OS,
> > running with enough privileges to cause all kinds of problems, crashes
> > included, aren't.
>
> Care to give some precise examples?

Yes. Microsoft Word has repeatedly crashed Microsoft Windows XP when I
was watching. No other programs running. Both, you'll notice, Microsoft
products. Not hearsay; not rumour; my own experience.

This should _not_ be possible. That some application crashes is bad
enough; that Microsoft's own application was able to take their entire
OS with it is unacceptable.

Oh, and: Sasser. Yet _another_ buffer overflow bug, in the very latest
version of Windows, which was not even present in earlier versions like
'98. They _never_ learn.

Richard
Nov 14 '05 #66
In <40*********************@news.club-internet.fr> Guillaume <"grsNOSPAM at NOTTHATmail dot com"> writes:
>> It is true of the NT line, too, because security concerns have been
>> overridden by backward compatibility concerns. So, although the NT
>> kernel itself is quite secure and well designed, other layers of the OS,
>> running with enough privileges to cause all kinds of problems, crashes
>> included, aren't.
>
> Care to give some precise examples?


Those who did a code review of the NT implementation found practically
no problems in the kernel, but plenty of problems at the Win32
implementation level. Sorry, it's been a long time since I've read
about it and I can't be any more specific.

Dan
--
Dan Pop
DESY Zeuthen, RZ group
Email: Da*****@ifh.de
Nov 14 '05 #67
On Wed, 14 Jul 2004 06:32:16 GMT, in comp.lang.c ,
rl*@hoekstra-uitgeverij.nl (Richard Bos) wrote:
> Guillaume <"grsNOSPAM at NOTTHATmail dot com"> wrote:
>
>> > It is true of the NT line, too, because security concerns have been
>> > overridden by backward compatibility concerns. So, although the NT
>> > kernel itself is quite secure and well designed, other layers of the OS,
>> > running with enough privileges to cause all kinds of problems, crashes
>> > included, aren't.
>>
>> Care to give some precise examples?
>
> Yes. Microsoft Word has repeatedly crashed Microsoft Windows XP when I
> was watching. No other programs running. Both, you'll notice, Microsoft
> products. Not hearsay; not rumour; my own experience.


Can you guys take this anti-MS discussion out of CLC. And you might like to
take with you the comment that I've managed to panic the linux and Solaris
kernels before now with badly written 3rd party software, so this is not a
"feature" of NT.

If you want a *really* secure os, you know where to find VMS....
--
Mark McIntyre
CLC FAQ <http://www.eskimo.com/~scs/C-faq/top.html>
CLC readme: <http://www.angelfire.com/ms3/bchambless0/welcome_to_clc.html>
Nov 14 '05 #68
On Wed, 14 Jul 2004, Mark McIntyre wrote:

MM>On Wed, 14 Jul 2004 06:32:16 GMT, in comp.lang.c ,
MM>rl*@hoekstra-uitgeverij.nl (Richard Bos) wrote:
MM>
MM>>Guillaume <"grsNOSPAM at NOTTHATmail dot com"> wrote:
MM>>
MM>>> > It is true of the NT line, too, because security concerns have been
MM>>> > overridden by backward compatibility concerns. So, although the NT
MM>>> > kernel itself is quite secure and well designed, other layers of the OS,
MM>>> > running with enough privileges to cause all kinds of problems, crashes
MM>>> > included, aren't.
MM>>>
MM>>> Care to give some precise examples?
MM>>
MM>>Yes. Microsoft Word has repeatedly crashed Microsoft Windows XP when I
MM>>was watching. No other programs running. Both, you'll notice, Microsoft
MM>>products. Not hearsay; not rumour; my own experience.
MM>
MM>Can you guys take this anti-MS discussion out of CLC. And you might like to
MM>take with you the comment that I've managed to panic the linux and Solaris
MM>kernels before now with badly written 3rd party software, so this is not a
MM>"feature" of NT.
MM>
MM>If you want a *really* secure os, you know where to find VMS....

But: WNT == VMS++ so NT should be even securer :-)

harti
Nov 14 '05 #69
