From: Markus Kuhn
Subject: Re: Idea: Array Boundary Checks on Write Access Only
Date: 1998/06/17
Message-ID: <35880D14.AC0243A@cl.cam.ac.uk>
References: <35851B64.5BF271C4@cl.cam.ac.uk>
Organization: Cambridge University, Computer Laboratory
Newsgroups: comp.lang.ada

Stephen Leake wrote:
> I don't see why a "read bug" is ever ok!

An array read bug has only local consequences, a wrong return result (unless the result is an erroneous pointer). An array or pointer write bug can cause erroneous behaviour in other completely independent classes even if the implementation of these is carefully scrutinized to be bug free and very carefully shielded against wrong parameters.

There are no bug-free systems, but in many types of systems some modules (e.g., an encryption module that must not leak secret keys) must be especially carefully reviewed, while the huge majority of the system is much less critical. This some-modules-only review only makes sense if there is a guarantee that no other, less pedantically reviewed code (user interface, etc.) can accidentally or maliciously be caused to overwrite the internal data structures of the critical module.

Therefore, array boundary checks for write access are much more important than array boundary checks for read access, and I think it is a cute idea to be able to switch off read checks and leave in write checks for production versions.
Read checks should, however, stay in effect for pointer arrays, when a later write access might happen to the target of the read pointer.

A wrong array read just causes some variable value to be wrong; there are thousands of other bugs that have the same effect. A wrong array or pointer write causes errors at other places, and that is an effect other types of bugs will not have. So I think write-only checks are a useful tradeoff in many situations.

The read checks are very expensive, not only because of the inserted check instructions, but also because the many different paths of execution that can result make optimization difficult.

Markus

-- 
Markus G. Kuhn, Security Group, Computer Lab, Cambridge University, UK
email: mkuhn at acm.org, home page:
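The three situations the post distinguishes (an unchecked read that only yields a wrong value, an unchecked write that corrupts a carefully reviewed module's data, and the pointer-array caveat where an unchecked read fetches a bogus pointer that is then written through), as an added C example that is not part of the original post. The memory layout is constructed: one flat integer arena stands in for the data segment, with a UI buffer placed directly before the crypto module's key and a small table of "pointers" (slot indices) followed by a stale word. Every access stays inside the real C array, so the out-of-bounds accesses are out of bounds only of the logical arrays carved out of the arena and the demo itself has no undefined behaviour. The `policy` struct and the `arr_read`/`arr_write` wrappers are hypothetical stand-ins for a compiler's checked-access code generation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout of the arena (slot indices). The crypto module's key is
 * deliberately placed right after the UI buffer so an off-by-one write from
 * the less-reviewed UI code lands in it. */
enum {
    UI_BASE = 0,  UI_LEN = 4,    /* buffer owned by less-reviewed UI code      */
    KEY_BASE = 4, KEY_LEN = 4,   /* secret key owned by the crypto module       */
    PTR_BASE = 8, PTR_LEN = 2,   /* table of "pointers" (values are slot indices) */
    STALE = 10,                  /* leftover word that happens to follow the table */
    ARENA_LEN = 11
};

struct arena { int slot[ARENA_LEN]; };

/* Which bounds checks a build keeps. The post's production proposal is
 * { .check_reads = false, .check_writes = true }. (Hypothetical knob.) */
struct policy { bool check_reads; bool check_writes; };

static void arena_init(struct arena *a) {
    memset(a, 0, sizeof *a);
    for (int i = 0; i < KEY_LEN; i++)
        a->slot[KEY_BASE + i] = 0x11 * (i + 1);   /* key words 0x11,0x22,0x33,0x44 */
    a->slot[PTR_BASE]     = UI_BASE;              /* ptr[0] -> UI slot 0           */
    a->slot[PTR_BASE + 1] = UI_BASE + 1;          /* ptr[1] -> UI slot 1           */
    a->slot[STALE]        = KEY_BASE;             /* stale pointer into the key    */
}

static bool key_intact(const struct arena *a) {
    for (int i = 0; i < KEY_LEN; i++)
        if (a->slot[KEY_BASE + i] != 0x11 * (i + 1)) return false;
    return true;
}

/* Read element i of the logical array [base, base+len). Returns 0 and stores
 * the value, or -1 if an enabled read check rejected the access. */
static int arr_read(const struct arena *a, struct policy p,
                    size_t base, size_t len, size_t i, int *out) {
    if (p.check_reads && i >= len) return -1;
    *out = a->slot[(base + i) % ARENA_LEN];  /* unchecked: runs into the neighbour */
    return 0;
}

/* Write element i of the logical array [base, base+len); same contract. */
static int arr_write(struct arena *a, struct policy p,
                     size_t base, size_t len, size_t i, int v) {
    if (p.check_writes && i >= len) return -1;
    a->slot[(base + i) % ARENA_LEN] = v;     /* unchecked: clobbers the neighbour */
    return 0;
}

/* Scenario 1: UI code writes one past its buffer (classic i <= len loop).
 * Returns true if the crypto module's key survived. */
static bool ui_overrun_write(struct policy p) {
    struct arena a; arena_init(&a);
    for (size_t i = 0; i <= UI_LEN; i++)
        arr_write(&a, p, UI_BASE, UI_LEN, i, 0x7f);
    return key_intact(&a);
}

/* Scenario 2: UI code reads one past its buffer. Returns true if the only
 * effect was a wrong value inside the UI module (key untouched). */
static bool ui_overrun_read_is_local(struct policy p) {
    struct arena a; arena_init(&a);
    int v = 0;
    (void)arr_read(&a, p, UI_BASE, UI_LEN, UI_LEN, &v);  /* index == len */
    return key_intact(&a);
}

/* Scenario 3: the post's caveat. An out-of-bounds *read* of the pointer table
 * fetches a stale pointer; the write that follows goes through that pointer,
 * not into an array, so no write check can see it. Returns true if the key
 * survived. */
static bool stale_pointer_write(struct policy p) {
    struct arena a; arena_init(&a);
    int target;
    if (arr_read(&a, p, PTR_BASE, PTR_LEN, PTR_LEN, &target) != 0)
        return key_intact(&a);           /* read check caught it: nothing written */
    a.slot[target % ARENA_LEN] = 0;      /* "*p = 0" through the bogus pointer     */
    return key_intact(&a);
}

int main(void) {
    struct policy none = { .check_reads = false, .check_writes = false };
    struct policy prod = { .check_reads = false, .check_writes = true  };
    struct policy full = { .check_reads = true,  .check_writes = true  };
    printf("write overrun, no checks        : key intact = %d\n", ui_overrun_write(none));
    printf("write overrun, write checks     : key intact = %d\n", ui_overrun_write(prod));
    printf("read overrun, read checks off   : key intact = %d\n", ui_overrun_read_is_local(prod));
    printf("stale ptr, write checks only    : key intact = %d\n", stale_pointer_write(prod));
    printf("stale ptr, read checks kept     : key intact = %d\n", stale_pointer_write(full));
    return 0;
}
```

With write checks alone, scenario 1 is stopped and scenario 2 leaves the key untouched, which is the post's argument; scenario 3 shows why the pointer-array exception is needed, since the corrupting write is not an array access and only the read check on the pointer table can prevent it. Note that in scenario 2 the "wrong value" the unchecked read returns is the first key word: a read overrun next to the encryption module is a leak rather than a corruption, which is the other half of the "must not leak secret keys" requirement the post names.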