472,958 Members | 2,379 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 472,958 software developers and data experts.

Do checked iterators/containers make code more secure?

zr
Hi,

Does usage of checked iterators and checked containers make code more
secure?
If so, can that code considered to be reasonably secure?

Nov 20 '08 #1
3 2706
On 2008-11-20 09:08:58 -0500, zr <zv*****@gmail.comsaid:
>
Does usage of checked iterators and checked containers make code more
secure?
If so, can that code considered to be reasonably secure?
Define "secure" and "reasonably secure".

--
Pete
Roundhouse Consulting, Ltd. (www.versatilecoding.com) Author of "The
Standard C++ Library Extensions: a Tutorial and Reference
(www.petebecker.com/tr1book)

Nov 20 '08 #2
zr
On Nov 20, 4:11*pm, Pete Becker <p...@versatilecoding.comwrote:
On 2008-11-20 09:08:58 -0500, zr <zvir...@gmail.comsaid:
Does usage of checked iterators and checked containers make code more
secure?
If so, can that code considered to be reasonably secure?

Define "secure" and "reasonably secure".

--
* Pete
Roundhouse Consulting, Ltd. (www.versatilecoding.com) Author of "The
Standard C++ Library Extensions: a Tutorial and Reference
(www.petebecker.com/tr1book)
Obviously checked iterators make it easier to detect defects, but i am
asking about security. By "secure" i mean resistant to malicious usage
of the application and resistant to other hostile code. I will let the
security experts define the term more precisely.
By "reasonably secure" i mean the required security quality that
production software software should meet (yes, if it asks for your
credit card number, it should be more than just "reasonably secure").
On second thought, it might have been better if i started with a
question like "how can i learn to write secure C++ code?" - you are
welcome to answer it as well.
Nov 21 '08 #3
zr <zv*****@gmail.comkirjutas:
On Nov 20, 4:11*pm, Pete Becker <p...@versatilecoding.comwrote:
>On 2008-11-20 09:08:58 -0500, zr <zvir...@gmail.comsaid:
Does usage of checked iterators and checked containers make code
more secure?
If so, can that code considered to be reasonably secure?

Define "secure" and "reasonably secure".

--
* Pete
Roundhouse Consulting, Ltd. (www.versatilecoding.com) Author of "The
Standard C++ Library Extensions: a Tutorial and Reference
(www.petebecker.com/tr1book)

Obviously checked iterators make it easier to detect defects, but i am
asking about security. By "secure" i mean resistant to malicious usage
of the application and resistant to other hostile code. I will let the
security experts define the term more precisely.
By "reasonably secure" i mean the required security quality that
production software software should meet (yes, if it asks for your
credit card number, it should be more than just "reasonably secure").
On second thought, it might have been better if i started with a
question like "how can i learn to write secure C++ code?" - you are
welcome to answer it as well.
Probably not the best place, there seem to be many groups
comp.security*.

In Perl for example there is some built-in support meant for enhancing
security (taint mode). In C++, there is no such built-in support, so the
topic is not really language-specific. I'm no expert, but it generally
comes down to having no memory access errors, and not trusting input
from uncontrolled sources.

I think checked iterators a la MSVC++ may actually help here a bit,
detecting some of memory access errors. Another similar aid would be to
use garbage collector instead deletes, recently advocated here by James
Kanze, to avoid accidental access to a wrong object. Another useful aid
in the same fashion would be to splitter the code by assert()-s for
obvious and non-obvious things (and of course taking care to not compile
it away in the final release). However, these are not silver bullets, so
just compiling your whatever code with checked iterators support does
not magically make it "reasonably secure", whatever that might be.

Anyway, one has to start from the software requirements. If some server
software must have the best possible performance and allows the remote
user to execute arbitrary system() or dynamic library calls, then there
are no security benefits from checked iterators or asserts, only runtime
costs pulling down the performance. Naturally, such software should be
used only in a trusted network.

Paavo

Nov 21 '08 #4

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

2
by: Ney André de Mello Zunino | last post by:
Hello. A non-modifying algorithm I implemented uses two associative containers from STL: set and map. The elements on those containers are supposed to refer to actual elements which lie on...
2
by: Alexander Stippler | last post by:
Hi, I've got a question concerning iterators. I'm writing some container class and iterators upon it. I have to have typedef typex pointer; typedef typey reference; to be standard conforming....
4
by: Merlin | last post by:
Hi, I am a C++ developer and would like to implement container classes for various types of objects. I use MS Visual C++ to compile my code. Nevertheless I like to write code that is independent...
2
by: Patrick Kowalzick | last post by:
Dear NG, I have two containers (standard library) which are nested, e.g.: std::vector< std::vector <int> > A; std::list< std::vector<int> > B; These structures where put in another class...
3
by: codefixer | last post by:
Hello, I am trying to understand if ITERATORS are tied to CONTAINERS. I know the difference between 5 different or 6(Trivial, on SGI). But what I fail to understand is how can I declare all 5...
8
by: babak | last post by:
Hi everyone I have a problem with Iterators and containers in STL that hopefully someone can help me with. This is what I try to do: I have an associative (map) container and I have a...
4
by: kalita | last post by:
Hi All, typedef std::list<int> Cont; void f(Cont &c1, Cont &c2) { Cont::iterator it = c1.begin(); c1.swap(c2); it == c2.begin(); // is this ill formed? }
19
by: fungus | last post by:
I mentioned earlier to day that I was moving some code from VC++6 to VC++2005 and having trouble with the new iterators. There's all sorts of problems cropping up in the code thanks to this...
18
by: desktop | last post by:
1) I have this code: std::list<intmylist; mylist.push_back(1); mylist.push_back(2); mylist.push_back(3); mylist.push_back(4);
0
by: lllomh | last post by:
Define the method first this.state = { buttonBackgroundColor: 'green', isBlinking: false, // A new status is added to identify whether the button is blinking or not } autoStart=()=>{
0
by: Aliciasmith | last post by:
In an age dominated by smartphones, having a mobile app for your business is no longer an option; it's a necessity. Whether you're a startup or an established enterprise, finding the right mobile app...
0
tracyyun
by: tracyyun | last post by:
Hello everyone, I have a question and would like some advice on network connectivity. I have one computer connected to my router via WiFi, but I have two other computers that I want to be able to...
4
NeoPa
by: NeoPa | last post by:
Hello everyone. I find myself stuck trying to find the VBA way to get Access to create a PDF of the currently-selected (and open) object (Form or Report). I know it can be done by selecting :...
3
NeoPa
by: NeoPa | last post by:
Introduction For this article I'll be using a very simple database which has Form (clsForm) & Report (clsReport) classes that simply handle making the calling Form invisible until the Form, or all...
1
by: Teri B | last post by:
Hi, I have created a sub-form Roles. In my course form the user selects the roles assigned to the course. 0ne-to-many. One course many roles. Then I created a report based on the Course form and...
3
by: nia12 | last post by:
Hi there, I am very new to Access so apologies if any of this is obvious/not clear. I am creating a data collection tool for health care employees to complete. It consists of a number of...
0
isladogs
by: isladogs | last post by:
The next online meeting of the Access Europe User Group will be on Wednesday 6 Dec 2023 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, Mike...
2
by: GKJR | last post by:
Does anyone have a recommendation to build a standalone application to replace an Access database? I have my bookkeeping software I developed in Access that I would like to make available to other...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.