Open Source and information security mailing list archives
Message-ID: <1109639887.1067196041@[192.168.2.119]>
From: pauls at utdallas.edu (Paul Schmehl)
Subject: Coding securely, was Linux (in)security

--On Monday, October 27, 2003 10:23 AM +1100 Brett Hutley 
<brett@...ley.net> wrote:
>
> Also using these types of functions in operating system code is a good way
> to create a *REALLY*  S L O W system. In maybe 80% of system code you are
> going to know who ALL the callers of the function are and are going to be
> working with input that has already been validated further up the call
> tree. Why slow this code down with unnecessary checks? Validation of
> input is important when the input is specified by something external to
> the system - user parameters, environment variables...
>
If the input is *known* or has already been validated, why would you need 
to check it?  My point is, if you can't know what the input will be, you 
*must* check it.  The problem is that many programmers don't think like 
hackers.  They write code as if every user will input the correct data 
because, after all, they're trying to use it, not abuse it.

That, of course, fails with the first person who types something 
incorrectly on the keyboard (intentionally or unintentionally) or when the 
input from some device is different than what the programmer thought it 
could ever be (for whatever reason.)

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

