Yeah, I think you are right about asprintf (though I have never used it).

I can't count how many times I've seen silent truncation due to
sprint. Most recently, I pointed it out on some SE Android patches
(Android port of SE Linux) that passed by the NSA sponsored mailing
list. They went unfixed. Amazing.

Jeff

Good point. A noexec stack or noexec heap can be costly if using PaX.

What abstractions does Autoconf have to identify platforms and
security measures so a maintainer can supply one configure that works
for all platforms and architectures? For example, noexec stacks should
be enabled by default on x86 and x64. To split hairs even further,
noexec stacks should be on by default for x86 and x64, while noexec
heaps should be in effect on Gentoo systems running on x86 and x64.

Leaving these security related decisions to developers has a history
of failures due to gaps in awareness and knowledge (confer: audit the
software at ftp.gnu.org). In this case, Autoconf can close the gap and
be part of the solution.

Jeff

On Tue, Dec 18, 2012 at 1:48 PM, Bob Friesenhahn
I think your arguments make a lot of sense and I would like to agree with you.

Unfortunately, the folks at Red Hat provided a "proof by counter
example" with the recent MySQL 0-days
(http://www.h-online.com/security/news/item/MariaDB-fixes-zero-day-vulnerability-in-MySQL-1761451.html).
I would have expected Red Hat security folks to be on top of it,
especially with a high risk application such as a database that
accepts input from the network (some hand waiving since PHP is likely
in front of it).

In the recent MySQL 0-days, the developers (MariaDB) and the platform
(Red Hat) both failed. Its been repeated time and time again
throughout our brief history.

Jeff

Hi Bob,

On Thu, Dec 20, 2012 at 3:24 PM, Bob Friesenhahn
Well, I can't think of a situation where an abort or crash is
preferred over gracefully handling a failure that could be handled
with an exit. In this case, the program is already in a code path -
why not just fail the function rather than abort? But then again, I
don't think like many others (as you can probably tell). So I could be
missing something.

In the case of a bug with known security implications (a detectable
stack smash, for example), include a "last line" defense that ensures
the program does not proceed (such as an OS initiated termination).
There is a subtle difference: in one case the program is calling
abort(); while in the other the OS is calling abort().
I understand its not "one size fits all," but I'm not proposing
anything evolutionary either.

All I ask is that a program properly handle its use cases (including
negative cases). The program should exhibit well defined behavior (its
an attribute or emergent property of being correct). Part of
exhibiting well defined behavior is having an understanding of your
tools due to things like Debug/Release and NDEBUG.

Folks *have* to be responsible for their programs. They can't keep
passing the buck and hope someone else will take care of it. The
operating system or Distribution Maintainers should not have to do
these things for developers.

Jeff

Hi Russ,
So, I somewhat disagree with you here. I think the differences are
philosophical because I could never find guidance from standard bodies
(such as Posix or IEEE) on rationales or goals behind NDEBUG and the
intention of the abort() behind an assert().

First, an observation: if all the use cases are accounted (positive
and negative), code *lacking* NDEBUG will never fire an asserts. The
default case of 'fail' is enough to ensure this. You would be
surprised (or maybe not) how many functions don't have the default
'fail' case. Any code that lacks NDEBUG because it depends upon
assert() the abort() is defective by design. That includes the ISC's
DNS server and their assertion/abort scheme (critical infrastructure,
no less).

Under no circumstance is a program allowed to abort(). It processes as
expected or it fails gracefully. If it fails gracefully, it can exit()
if it likes. But it does not crash, and it does not abort().

Here's the philosophical difference (that will surely draw criticism):
asserts are a debug/diagnostic tool to aide in development. They have
no place in release code. I'll take it a step further: Posix asserts
are useless during development under a debugger because the eventually
lead to SIGTERM. A much better approach in practice is to SIGTRAP.

Code under my purview must (1) validate all parameters and (2) check
all return values. Not only must there be logic to fail the function
if anything goes wrong, *everything* must be asserted to alert of the
point of first failure. In this respect, asserts create self-debugging
code.

I found developers did not like assert in debug configurations. They
did not like asserts because of SIGTERM, which meant the developers
did not fully assert. That caused the code to be non-compliant. The
root cause was they did not like eating the dogfood of their own bugs.
So I had to rewrite the asserts to use SIGTRAP, which made them very
happy (they could make a mental note and continue on debugging). Code
improved dramatically after that - we were always aware of the first
point of failure, with out the need for breakpoints and detailed
inspection unless needed.
Probably another philosophical difference: (1) code must be correct.
(2) code should be secure. (3) code can be efficient. NDEBUG just
removes the debugging/diagnostic aides, so it does help with (3). (1)
is achieved because there is a separate if/then/else that handles the
proper failure of a function in a release configuration.

I know many will disagree, but I will put my money where my mouth is:
I have code in the field (secure containers and secure channels) that
has never taken a bug report or taken less than a handful (fewer than
3). They were developed with the discipline described above, and they
include a complete suite of negative, multi-threaded self tests that
ensure graceful failures. I don't care too much about the positive
test cases since I can hire a kid from a third world country for $10
or $15 US a day to copy/paste code that works under the 'good' cases.

Can anyone else say claim have a non-trivial code base that does not
suffer defects (with a reasonable but broad definition of defect)?

Anyway, sorry about the philosophicals. I know it does not lend much
to the thread.

Jeff

Yes, my bad. Address Sanitizer should be enabled for debug
configurations by default (along with other "program diagnostics" to
borrow from Posix).

Release configurations should leave the choice to the user.

Jeff