
Insecurity blues: What I learned from my buggy code

Filed under: Software

It hasn't been a good month for my code. Samba, the project I'm responsible for, has had to announce several security flaws. Unfortunately some of them were in code I wrote. I always do a large amount of soul-searching whenever that happens. There's nothing worse than finding out something you were responsible for is the cause of many thousands of people having to waste their time rolling out patches. It always makes me wonder if the time has come to give up this programming lark and end my days peacefully in management, messing up other people's code instead of creating my own.

It's very educational, however, to look at the causes of the flaws and try to learn what we can from the bugs and from our reactions to them. Samba is an old program. The initial code was originally written 15 years ago. At that time, modern security problems such as integer wrap (where adding two numbers together can end up with a number smaller than both of them, due to the fixed sizes of integers that processors deal with), or heap overflow vulnerabilities (where overwriting unallocated memory on the program heap can allow a clever attacker to seize control of a program) were unheard of. We knew about buffer overruns (where reading more data into a buffer than was originally allocated for it can cause a security breach) and denial of service attacks, but 1992 was a simpler, less hostile time for network software development. Most initial deployments of Samba were on networks isolated from the main Internet, by technically advanced administrators who knew how to download the source code from the Internet.
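The integer wrap described above, shown as a bounds check in a message parser. This is an added C example, not Samba code or code from the original post; the buffer size, offset and length values are constructed for illustration.

```c
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>

/*
 * Added example (not Samba code): a network message carries an offset and a
 * length, and the parser must decide whether [offset, offset + len) lies
 * inside a fixed-size buffer. All values here are constructed.
 */
#define BUF_SIZE 512u   /* constructed buffer size */

/* Unsigned addition wraps modulo 2^32: the sum can be smaller than both inputs. */
uint32_t add_u32(uint32_t a, uint32_t b) {
    return a + b;   /* e.g. 16 + 0xFFFFFFF0 == 0 */
}

/* Wrap-prone check: if offset + len wraps past UINT32_MAX, an oversized
 * length compares as small and a read past the buffer is allowed. */
int naive_in_bounds(uint32_t offset, uint32_t len) {
    return add_u32(offset, len) <= BUF_SIZE;
}

/* Hardened check: validate offset first, then compare len against the
 * remaining space by subtraction. BUF_SIZE - offset cannot wrap because
 * offset <= BUF_SIZE has already been established. */
int safe_in_bounds(uint32_t offset, uint32_t len) {
    if (offset > BUF_SIZE)
        return 0;
    return len <= BUF_SIZE - offset;
}

int main(void) {
    uint32_t offset = 16;
    uint32_t len = 0xFFFFFFF0u;   /* constructed oversized length field */

    printf("offset + len wraps to %" PRIu32 "\n", add_u32(offset, len));
    printf("naive check accepts: %d\n", naive_in_bounds(offset, len)); /* 1: the bug */
    printf("safe  check accepts: %d\n", safe_in_bounds(offset, len));  /* 0: rejected */
    return 0;
}
```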
