FY Ammo: Study about Security Bugs

FY Ammo: Study about Security Bugs

[Lutz Donnerhacke]

http://news.cnet.com/news/0-1003-200-1462855.html?tag=st.ne.1002.bgif.1003-200-1

Quick: What's the computer vulnerability of the decade?

It's not the Y2K bug, according to computer science and security analysts,
but a security weakness known as the buffer overflow. Unlike the Y2K bug,
which threatens to cripple computers unable to distinguish years written in
two-digit shorthand, this vulnerability opens computers to attacks by
malicious hackers, who can use the bug to commandeer the targeted computer.

...

Re: FY Ammo: Study about Security Bugs

[Preben Randhol]

lutz@iks-jena.de (Lutz Donnerhacke) writes:

| http://news.cnet.com/news/0-1003-200-1462855.html?tag=st.ne.1002.bgif.1003-200-1
| 
| Quick: What's the computer vulnerability of the decade?
| 
| It's not the Y2K bug, according to computer science and security analysts,
| but a security weakness known as the buffer overflow. Unlike the Y2K bug,
| which threatens to cripple computers unable to distinguish years written in
| two-digit shorthand, this vulnerability opens computers to attacks by
| malicious hackers, who can use the bug to commandeer the targeted computer.

Nitpick: Is Y2K really a security (to computer systems) bug/risk?

Pardon my ignorance, but are programs written in Ada 95 vulnerable to
buffer overflow ? I know C and C++ programs can be, if not coded
properly, but I would think Ada 95 programs wasn't (unless one are
perhaps interfacing towards C?). If somebody could shed some light on
this, it would be great.

-- 
Preben Randhol                     "Marriage is when you get to keep
[randhol@pvv.org]                   your girl and don't have to give
[http://www.pvv.org/~randhol/]      her back to her parents." (Eric, 6)

Re: FY Ammo: Study about Security Bugs

[Robert Dewar]

In article <m366yqk69o.fsf@kiuk0156.chembio.ntnu.no>,
  Preben Randhol <randhol@pvv.org> wrote:
> I know C and C++ programs can be, if not coded
> properly, but I would think Ada 95 programs wasn't (unless one
> are
> perhaps interfacing towards C?). If somebody could shed some
> light on
> this, it would be great.


That's right, Ada 95 programs are FAR less susecptible to the
buffer overflow problem (not impregnable, bad coding can achieve
any desired goal, and for example, an Ada program interfacing
directly to memcpy is at risk).

There are two reasons for this

1. If checks are on, out of range subscripts will be caught
by exceptions.

2. Even if checks are off, the kind of low level programming
approaches used in C (memcpy for example) are typically not used
in Ada, so it is far less likely that Ada code would be
susceptible to such attacks.


Sent via Deja.com http://www.deja.com/
Before you buy.

Re: FY Ammo: Study about Security Bugs

[Lutz Donnerhacke]

* Robert Dewar wrote:
>1. If checks are on, out of range subscripts will be caught
>by exceptions.

And if they are not caught, ... we have a Buffer/Range-Overflow in Ada.

Re: FY Ammo: Study about Security Bugs

[Robert Dewar]

In article <slrn83sifj.im.lutz@taranis.iks-jena.de>,
  lutz@iks-jena.de (Lutz Donnerhacke) wrote:
> * Robert Dewar wrote:
> >1. If checks are on, out of range subscripts will be caught
> >by exceptions.
>
> And if they are not caught, ... we have a
Buffer/Range-Overflow in Ada.


No, read my message more carefully. The buffer overflows in
C come from a certain style of low level programming that is
foreign to Ada, and in practice this kind of error is FAR less
likely to occur in Ada programs.

The style of free use of pointers, pointer arithmetic, and
obviously dangerous unchecked routines like memcpy leads to
a situation in C where the path of least resistance is to
write code susceptible to the kind of buffer overruns that
are discussed here. A typical Ada program will be programmed
at a different level where it is far less likely that the
programmer will make a similar mistake


Sent via Deja.com http://www.deja.com/
Before you buy.

Re: FY Ammo: Study about Security Bugs

[Preben Randhol]

Robert Dewar <robert_dewar@my-deja.com> writes:

[...]
| There are two reasons for this
| 
| 1. If checks are on, out of range subscripts will be caught
| by exceptions.

Which pragmas do one have to set to turn the checks on (if not by
default). Looked at the Annex L in RM, but it didn't make it clearer.
 
| 2. Even if checks are off, the kind of low level programming
| approaches used in C (memcpy for example) are typically not used
| in Ada, so it is far less likely that Ada code would be
| susceptible to such attacks.

I see. Thanks!
-- 
Preben Randhol                     "Marriage is when you get to keep
[randhol@pvv.org]                   your girl and don't have to give
[http://www.pvv.org/~randhol/]      her back to her parents." (Eric, 6)

Re: FY Ammo: Study about Security Bugs

[Gisle S�lensminde]

In article <m3yabltvy5.fsf@kiuk0156.chembio.ntnu.no>, Preben Randhol wrote:
>Robert Dewar <robert_dewar@my-deja.com> writes:
>
>[...]
>| There are two reasons for this
>| 
>| 1. If checks are on, out of range subscripts will be caught
>| by exceptions.
>
>Which pragmas do one have to set to turn the checks on (if not by
>default). Looked at the Annex L in RM, but it didn't make it clearer.

They are on by default, and pragma supress is only supposed to 
be used in special cases. If I got it right, compiler swiches to
turn off checks is pedanticly speaking to omit some parts of 
the standard (the checks), AFAIK. A "pragma unsupress" would be 
like  saying 'I know you not follows the rules, but can you just
turn them on in this area at least'.


>| 2. Even if checks are off, the kind of low level programming
>| approaches used in C (memcpy for example) are typically not used
>| in Ada, so it is far less likely that Ada code would be
>| susceptible to such attacks.

Hopefully programmers of programs expected to be secure, don't
turns the checks off before shipping the software. 

--
Gisle S�lensminde ( gisle@ii.uib.no )   

Re: FY Ammo: Study about Security Bugs

[Preben Randhol]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 657 bytes --]

gisle@kondor.ii.uib.no (Gisle S�lensminde) writes:

| They are on by default, and pragma supress is only supposed to 
| be used in special cases. If I got it right, compiler swiches to
| turn off checks is pedanticly speaking to omit some parts of 
| the standard (the checks), AFAIK. A "pragma unsupress" would be 
| like  saying 'I know you not follows the rules, but can you just
| turn them on in this area at least'.

I see. Thanks.
-- 
Preben Randhol                     "Marriage is when you get to keep
[randhol@pvv.org]                   your girl and don't have to give
[http://www.pvv.org/~randhol/]      her back to her parents." (Eric, 6)

Re: FY Ammo: Study about Security Bugs

[Robert Dewar]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 716 bytes --]

In article <slrn83ss7u.rae.gisle@kondor.ii.uib.no>,
  gisle@kondor.ii.uib.no (Gisle S�lensminde) wrote:
> They are on by default

There is no concept of what default means in the RM, so this
is an incorrect statement. You have to check for each compiler
what options are required.

For instance, on GNAT, the default for elaboration checks is
to eliminate them at runtime by using the much safer static
elaboration approach. If you want the less safe but standard
RM dynamic checks, you must use -gnatE. We chose the default
here quite deliberately, because we think that most users should
be using the static elaboration scheme, at least for new code.



Sent via Deja.com http://www.deja.com/
Before you buy.

Re: FY Ammo: Study about Security Bugs

[Robert Dewar]

In article <m3yabltvy5.fsf@kiuk0156.chembio.ntnu.no>,
  Preben Randhol <randhol@pvv.org> wrote:

> Which pragmas do one have to set to turn the checks on (if not
> by default). Looked at the Annex L in RM, but it didn't make
> it clearer.

The RM model is that checks are on and can be optionally turned
off. All Ada compilers must have a mode in which this required
RM semantics is provided. Check with your vendor and/or read the
vendor documentation to determine the details for this mode
(note that the validation VSR shows what options were used for
the validation tests, and this will of course also show how to
operate in this mode).

The RM has nothing to say about what "by default" might mean,
since this is clearly an implementation dependent, OS dependent
concept.

In GNAT, there is a pragma Unsuppress (now being discussed for
semi-standardization) that can be used either as a configuration
pragma, or locally to ensure that checks are on, even if they
were turned off at the command line level. Unsuppress has
exactly the same form and usage as Suppress.

Robert Dewar
Ada Core Technologies


Sent via Deja.com http://www.deja.com/
Before you buy.

Re: FY Ammo: Study about Security Bugs

[Keith Thompson]

Robert Dewar <dewar@gnat.com> writes:
[...]
> In GNAT, there is a pragma Unsuppress (now being discussed for
> semi-standardization) that can be used either as a configuration
> pragma, or locally to ensure that checks are on, even if they
> were turned off at the command line level. Unsuppress has
> exactly the same form and usage as Suppress.

BTW, TeleSoft's Ada-83 compiler had a pragma No_Suppress with the same
semantics.

-- 
Keith Thompson (The_Other_Keith) kst@cts.com  <http://www.ghoti.net/~kst>
San Diego Supercomputer Center           <*>  <http://www.sdsc.edu/~kst>
"Oh my gosh!  You are SO ahead of your time!" -- anon.