[bind10-dev] Socket creator and low-level code

Shane Kerr shane at isc.org
Mon Oct 18 12:30:22 UTC 2010


Michal,

On Fri, 2010-10-15 at 16:07 +0200, Michal 'vorner' Vaner wrote:
> I and jinmei had a disagreement about the correct approach to a more secure socket
> creator (which is what we want, as it is the only component that will need to
> run as root, hopefully; therefore it is more important for it to be secure).

Quite an interesting problem.

On one side, we have systems like OpenBSD who prefer highly-audited C,
because they don't trust any library to do things right.

On the other side, we have things like Java and .NET which have
elaborate systems of permissions and suchlike, because they don't trust
developers to get things right.

Both approaches have had failures. In general, this tells me being
secure is more about attitude than specific technical solutions.
Although, having said that, don't use C. ;)


Regarding this specific issue... I tend to think that the template code
to replace "raw" pointers with safer variants is likely to be so well
tested and so heavily reviewed that it is much more likely that we will
introduce our own bugs than end up with a problem due to the C++
libraries. So... I tend to agree with Jinmei, but this is only my voice
as a coder on the project at this point.


For those who have not fallen asleep, I will tell a story... 

A long time ago, when wu-ftpd was the only commonly-used FTP server, I
decided to write my own anonymous-only FTP server, because I was tired
of wu-ftpd being rooted. I decided to take the approach of writing it in
C, and of not using any libraries, because, well, writing it in C means
it is well-understood and unlikely to have any language-related security
issues, and libraries can have bugs.

This worked fine, although of course one needs to use the system
libraries (open(), socket(), printf(), and so on).

It was a couple of years later when someone discovered that you can get
glob() to consume a huge amount of memory if you pass it wildcards and
relative directories, like this "ls ../*/../*/../*/../*". This was a
relatively easy remote DoS attack, and was issued against almost all of
the FTP servers of the day. Like most FTP servers, my FTP server also
used glob() and I had to make a fix for this issue (I did it by using
fnmatch() directly and disallowing mixes of ".." and wildcards).

The lesson I learned is that you have to be really, REALLY paranoid if
you want to avoid using ANY libraries. So you might as well not worry
too much about it, and try to use the best language and libraries for
your problems.
 
Although, having said *that*, don't use PHP. ;)

--
Shane
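One way to implement the fix Shane describes above (an added example, not the code from his FTP server or from BIND 10; the function names are my own): reject any client-supplied pattern that combines ".." path components with wildcards, and match directory entries with fnmatch(3) instead of handing the pattern to glob(3).

```c
#include <fnmatch.h>
#include <stdbool.h>
#include <string.h>

/* Hypothetical helpers for an anonymous FTP server (added example).
 * The idea from the mail: never let glob() expand a pattern that mixes
 * ".." with wildcards, since that is what triggers the memory blow-up. */

/* True if the string contains any shell wildcard character. */
static bool has_wildcard(const char *s) {
    return strpbrk(s, "*?[") != NULL;
}

/* True if any '/'-separated component of the path is exactly "..". */
static bool has_dotdot_component(const char *path) {
    const char *p = path;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return true;
        if (!end)
            break;
        p = end + 1;
    }
    return false;
}

/* A pattern is accepted if it is a literal path (no wildcards) or if it
 * has wildcards but no ".." components. Mixing the two is rejected. */
bool pattern_is_safe(const char *pattern) {
    return !(has_wildcard(pattern) && has_dotdot_component(pattern));
}

/* Match one directory entry name against a validated pattern using
 * fnmatch(3). FNM_PATHNAME keeps '*' from crossing '/', FNM_PERIOD keeps
 * '*' from matching dot-files. Returns 1 on match, 0 on no match, and
 * -1 if the pattern was rejected (caller should answer with an error,
 * never fall back to glob()). */
int safe_match(const char *pattern, const char *name) {
    if (!pattern_is_safe(pattern))
        return -1;
    return fnmatch(pattern, name, FNM_PATHNAME | FNM_PERIOD) == 0 ? 1 : 0;
}
```

The caller walks the directory itself (readdir) and asks safe_match() for each entry, so memory use stays linear in the directory size rather than in the number of wildcard expansions.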