s (race conditions), and the absence of rate
limitation on expensive operations can create DoS vulnerabilities. All
these were found the old fashioned way, with a code audit.
Pascal Meunier
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
On Thu, 20 Aug 2009 11:07:12 -0400
"McGovern, James F (HTSC, IT)" wrote:
> Here is where my enterpriseyness will show. I believe the answer to the
> question of where secure coding belongs in the curiculum is somewhat
> flawed and requires addressing the curiculum holistically.
>
> If you go to
enneth Van Wyk wrote:
> Here's one for the daily UGH!
>
> Great points raised by Pascal Meunier (see below) about poorly
> implemented language support for Prepared Statement SQL calls. In
> particular, Python's pyPGSQL actually takes its prepared statement and
> translate
of vulnerabilities). I agree that doing validation at multiple layers can be
beneficial, and that it is required when trust boundaries are crossed, but the
importance of the find seems a little exaggerat
ed.
Regards,
Pascal Meunier
Kenneth Van Wyk wrote:
> Greetings SC-Lers,
>
> Things ha
On 8/31/06 8:05 PM, "mikeiscool" <[EMAIL PROTECTED]> wrote:
> On 9/1/06, Pascal Meunier <[EMAIL PROTECTED]> wrote:
>>
>>
>>
>> On 8/30/06 3:46 PM, "Tim Hollebeek" <[EMAIL PROTECTED]> wrote:
>>
>>>
>>&g
fore audit) as well as handle problems at an appropriate layer in
the code.
I'm not saying that exceptions are always the best way to handle things, but
they can be part of good programming practices.
Pascal Meunier
>
> Tim Hollebeek
> Research Scientist
> Teknowledge, Corp.
>
&
I take exception (haha!) at having them dismissed like this. It sounds like
you encountered some badly written exception handling code. Error handling
can also be really bad, where at every call layer the original error gets
filtered or translated to a point where you just know something went wro
ct, yet all unsafe conditions and errors would
be highlighted and caught. It's not revolutionary, but it's better than
what we have now. Would it be good enough? I can picture people deleting
those assert statements that just make their programs crash ;)
Pascal Meunier
On 8/30/06 2:
Nice. I'll mention it in my secure programming class this semester. I'd be
interested in any exercises/labs based on it, appropriate for undergrads.
Cheers,
Pascal
On 8/17/06 10:04 AM, "Robert C. Seacord" <[EMAIL PROTECTED]> wrote:
>
> The CERT/CC has released a beta version of a secure inte
On 7/20/06 3:11 PM, "Florian Weimer" <[EMAIL PROTECTED]> wrote:
> * Pascal Meunier:
>
>> Also, writing it twice with different languages, especially at different
>> levels of abstraction, makes it less likely that the same bugs will appear
>> in both.
&
On 7/20/06 3:46 PM, "Florian Weimer" <[EMAIL PROTECTED]> wrote:
> * Pascal Meunier:
>
>> But it's true for stupid bugs like buffer overflows and format string
>> vulnerabilities, in which we're still swimming, and the proof is the fact
>
ing for more of it and better ways
to do it. Now if you order a cat and needed a dog, nobody can help you.
Pascal
>
> -Original Message-
> From: Pascal Meunier [mailto:[EMAIL PROTECTED]
> Sent: Thu Jul 20 13:54:42 2006
> To: Florian Weimer; der Mouse
> Cc: SC-L@sec
On 7/20/06 11:58 AM, "Florian Weimer" <[EMAIL PROTECTED]> wrote:
> * der Mouse:
>
Absolute security is a myth. As is designing absolutely secure
software.
>>
>>> I have high hopes in formal methods.
>>
>> All formal methods do is push bugs around. Basically, you end up
>> writing
On 7/18/06 11:45 AM, "Dana Epp" <[EMAIL PROTECTED]> wrote:
> Or perhaps less arrogance in believing "it won't sink".
>
> Absolute security is a myth. As is designing absolutely secure software.
I have high hopes in formal methods.
> It is a lofty goal, but one of an absolute that just isn't
ight man).
-It conveys the notion that insecure software is shoddy;
-It conveys the notion that there are people who will find out that you run
insecure software;
-It may motivate some people to care about security by invoking social
stigma ;)
Cheers,
Pascal Meunier
Purdue University CERIAS
ge but it was
empty. I would appreciate receiving more information about it. I am also
interested in the "Linux Security Modules Interface".
Regards,
Pascal Meunier
On 4/2/06 6:49 PM, "Crispin Cowan" <[EMAIL PROTECTED]> wrote:
> This is exactly what AppArmor <h
On 1/30/06 1:09 PM, "Kenneth R. van Wyk" <[EMAIL PROTECTED]> wrote:
> Any AJAX experts here want to comment on the eWeek article cited below?
>
> http://www.eweek.com/article2/0,1895,1916673,00.asp
>
> It claims, among other things that, "AJAX dramatically increases the amount of
> XML network t
On 1/27/06 12:06 PM, "Crispin Cowan" <[EMAIL PROTECTED]> wrote:
>
> However, Mac OS X (and Linux and *BSD) still hold the major advantage
> over Windows that it is uncommon to run the mail client as
> root/administrator, so the infection rate will remain much lower than on
> Windows. Only when
On 1/27/06 11:20 AM, "Kenneth R. van Wyk" <[EMAIL PROTECTED]> wrote:
> Interesting article, I suppose, but I'm not convinced of its conclusion:
>
> http://www.eweek.com/article2/0,1895,1915923,00.asp
>
> The article claims that Apple's use of Intel chips will result in more
> software exploits b
There's a third one that nobody has caught, because you don't know if pszSrc
is null-terminated, so your program can crash due to a protected memory
error.
The copy operation should be:
strncpy(szDest,pszSrc, min(MAX, pszSrc_size)-1);
assuming the size of pszSrc is pszSrc_size.
Few people seem t
ts on this? Any references to relevant theories of failures and
errors, or to explorations of this or similar ideas, would be welcome. Of
course, Albert Einstein's quote on the difference between genius and
stupidity comes to mind :).
Thanks,
Pascal Meunier
-21/0
http://cert.uni-stuttgart.de/archive/bugtraq/2001/04/msg00223.html
Cheers,
Pascal Meunier, Ph.D., M.Sc., CISSP
Purdue University CERIAS
On May 5, 2004, at 3:58 PM, Steven M. Christey wrote:
>
> Mads Rasmussen <[EMAIL PROTECTED]> said:
>
>> I for one have difficulties u
of the joke, "Doctor, it hurts when I do this"). You could say that
in a way, however, this only adds a level of indirection; what about
the people developing the processes? However, the PSP and TSP seem to
be working well enough. I wish I knew more about them, and that they
we
oke, "Doctor, it hurts when I do this"). You could say that
in a way, however, this only adds a level of indirection; what about
the people developing the processes? However, the PSP and TSP seem to
be working well enough. I wish I knew more about them, and that they
were not proprietary.
Cheers,
Pascal Meunier
It's ironic that the registration to see a security book sample is
"required" by an asinine javascript. Turn off javascript and the
mechanism is defeated. Oops, does turning off javascript violate the
DMCA? :-)
Cheers,
Pascal Meunier
Purdue University CERIAS
On Mar 4, 2
25 matches
Mail list logo