
Insecurity blues: What I learned from my buggy code

Filed under
Software

It hasn't been a good month for my code. Samba, the project I'm responsible for, has had to announce several security flaws. Unfortunately some of them were in code I wrote. I always do a large amount of soul-searching whenever that happens. There's nothing worse than finding out something you were responsible for is the cause of many thousands of people having to waste their time rolling out patches. It always makes me wonder if the time has come to give up this programming lark and end my days peacefully in management, messing up other people's code instead of creating my own.

It's very educational, however, to look at the causes of the flaws and try to learn what we can from the bugs and also from our reactions to them. Samba is an old program. The initial code was originally written 15 years ago. At that time, modern security problems such as integer wrap (where adding two numbers together can end up with a number smaller than both of them, due to the fixed sizes of integers that processors deal with), or heap overflow vulnerabilities (where overwriting unallocated memory on the program heap can allow a clever attacker to seize control of a program) were unheard of. We knew about buffer overruns (where reading more data into a buffer than was originally allocated for it can cause a security breach) and denial of service attacks, but 1992 was a simpler, less hostile time for network software development. Most initial deployments of Samba were on networks isolated from the main Internet, by technically advanced administrators who knew how to download the source code from the Internet.
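The integer wrap described above is easiest to see in a length check. The following C example is added here to illustrate it; it is not code from Samba or from the article's author, and the record layout (a header length plus a payload length that must fit inside a received buffer) and all sample values are assumptions made for the demonstration. The unchecked sum wraps silently, so a naive bounds check can pass for a length that is actually far larger than the buffer; the checked version rejects any pair of sizes whose sum would wrap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Naive addition: unsigned arithmetic wraps modulo SIZE_MAX + 1, so
   (SIZE_MAX - 1) + 4 yields 2, a value smaller than either operand. */
size_t add_sizes_unchecked(size_t a, size_t b)
{
    return a + b;
}

/* Checked addition: returns false (and leaves *out untouched) if the
   sum would not fit in a size_t. */
bool add_sizes_checked(size_t a, size_t b, size_t *out)
{
    if (a > SIZE_MAX - b) {
        return false;
    }
    *out = a + b;
    return true;
}

/* Hypothetical record validation of the kind a network parser performs:
   header_len + payload_len must fit within buffer_len. A sum that would
   wrap is treated as a malformed record rather than a small one. */
bool record_fits(size_t header_len, size_t payload_len, size_t buffer_len)
{
    size_t total;
    if (!add_sizes_checked(header_len, payload_len, &total)) {
        return false;
    }
    return total <= buffer_len;
}

int main(void)
{
    /* Constructed sample: an attacker-controlled payload length chosen so
       that the naive sum wraps to a tiny number. */
    size_t header_len = 8;
    size_t payload_len = SIZE_MAX - 2;
    size_t buffer_len = 256;

    size_t naive = add_sizes_unchecked(header_len, payload_len);
    printf("naive sum: %zu (naive check passes: %s)\n",
           naive, naive <= buffer_len ? "yes" : "no");
    printf("checked validation accepts record: %s\n",
           record_fits(header_len, payload_len, buffer_len) ? "yes" : "no");
    return 0;
}
```

The check `a > SIZE_MAX - b` is the idiomatic way to detect unsigned overflow before it happens; the subtraction cannot itself wrap because `b` is never larger than `SIZE_MAX`.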

More here




More in Tux Machines

Absolute Linux Is a Lightweight Distro Based on Slackware 14.10

Absolute, an x86 Linux distribution based upon Slackware that concentrates on making sure that Internet, multimedia, document, and general home use works out of the box, is now at version 14.10 and is available for download. Read more

Future Linux Mint Releases to Have Other Colors Besides Green

Everybody knows that Linux Mint has a green theme and most people are able to recognize it from a glance because no one else is using it. It's become a sort of a trademark for it (not in the legal sense), but it looks like they are not happy with it or at least they are trying to appeal to other people who might not enjoy that green color. Read more

Deepin 2014.1, One of the Most Beautiful Distros in the World, Has Been Released – Gallery

Deepin developers have been hard at work on their new operating system and it looks like they managed to get a lot of fans. This system is one of the most interesting ones that have surfaced in the last couple of years. One of the reasons for its success is the implementation of a new desktop environment that is somewhat different from what other operating systems provide. Read more

Fedora 21 Will Try To Release Before Thanksgiving

Today was another FESCo meeting and, fortunately, no further Fedora 21 delay was announced, but one could still happen, with the F21 alpha change deadline being today and the developers trying to get an approved build. Read more