Subject: Re: FreSSH
To: Todd Vierling <tv@wasabisystems.com>
From: Nathan J. Williams <nathanw@MIT.EDU>
List: current-users
Date: 03/08/2002 01:35:08
Todd Vierling <tv@wasabisystems.com> writes:
> On 8 Mar 2002, Nathan J. Williams wrote:
>
> : I'm always stunned that people can write what they consider to be
> : security-important code in a language with as many safety pitfalls as
> : C. While [Open]SSH has had a handful of logic vulnerabilities, there
> : have also been quite a few bounds-check vulnerabilities of the kind
> : that language designers have known how to avoid for nearly thirty
> : years.
>
> Bounds checking of any kind comes with a price, whether compile-time (in the
> form of less code flexibility, such that you can't do the low level things
> that C allows), or run-time (in the form of extra compiled code to do the
> bounds checking).
Yes, bounds checking comes with a price. However:
1) We have thirty years of compiler technology that can optimize out a
large fraction of expensive bounds checks.
2) Isn't it worth paying a price for safety? That is the point of this
thread, to me; SSH is an application that should be optimized for
safety over speed.
3) The low-level things that C allows and that bounds-checking
prohibits are almost always bad ideas, unless - and often not even
then - you're pounding the metal in the low levels of the
kernel. SSH is not doing that.
- Nathan
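The bounds-check vulnerability class the thread is arguing about, and the price of the check, in C. This is an added example for this page, not code from FreSSH, OpenSSH or either poster: it reads one SSH-style "string" field (a 4-byte big-endian length followed by that many bytes, which is how the SSH wire protocol encodes strings) out of a received packet, first as C lets you write it and then with the comparisons a bounds-checked language would insert for you. The packet bytes, the function names and the FIELD_MAX destination size are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example (not FreSSH or OpenSSH code): reading one SSH-style
 * "string" field, a 4-byte big-endian length followed by that many bytes,
 * out of a received packet.  The field format is the one the SSH wire
 * protocol uses; the packets below are made up for the demonstration. */

#define FIELD_MAX 64   /* size of the caller's destination buffer (assumed) */

static uint32_t get_u32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
           (uint32_t)p[2] << 8  | (uint32_t)p[3];
}

/* The unchecked version C lets you write: the length in the packet is
 * trusted.  A hostile length makes memcpy read past the end of 'in' and
 * write past the end of 'out'.  Only ever call this on well-formed input;
 * on kHostilePacket below it is undefined behaviour. */
uint32_t read_string_unchecked(const uint8_t *in, uint8_t *out)
{
    uint32_t n = get_u32(in);
    memcpy(out, in + 4, n);          /* no comparison against anything */
    return n;
}

/* The checked version: the comparisons a safe language's runtime would
 * insert for you.  Returns the payload length, or -1 if the field is
 * malformed.  Note the form of the first check: 'n > inlen - 4' after
 * establishing inlen >= 4 cannot wrap, whereas 'in + 4 + n > in + inlen'
 * can wrap in pointer arithmetic and pass. */
long read_string_checked(const uint8_t *in, size_t inlen,
                         uint8_t *out, size_t outlen)
{
    if (inlen < 4)
        return -1;                   /* not even a complete length prefix */
    uint32_t n = get_u32(in);
    if (n > inlen - 4)
        return -1;                   /* length claims bytes that are not there */
    if (n > outlen)
        return -1;                   /* would overflow the destination */
    memcpy(out, in + 4, n);
    return (long)n;
}

/* Constructed packets. */
static const uint8_t kGoodPacket[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
/* Claims a 2 GiB string but carries two bytes. */
static const uint8_t kHostilePacket[] = { 0x7f, 0xff, 0xff, 0xff, 'h', 'i' };
/* Internally consistent, but longer than a 4-byte destination. */
static const uint8_t kLongPacket[] = { 0, 0, 0, 8, 'a','b','c','d','e','f','g','h' };

static uint8_t scratch[FIELD_MAX];

/* Parse a packet into the scratch buffer with the checked reader; returns
 * what read_string_checked returned. */
long parse_checked(const uint8_t *pkt, size_t pktlen, size_t outlen)
{
    memset(scratch, 0, sizeof scratch);
    return read_string_checked(pkt, pktlen, scratch, outlen);
}

/* 1 if the last parse left exactly 'expect' at the start of the scratch buffer. */
int scratch_is(const char *expect)
{
    size_t n = strlen(expect);
    return n <= sizeof scratch && memcmp(scratch, expect, n) == 0;
}

int main(void)
{
    printf("good:    %ld\n", parse_checked(kGoodPacket, sizeof kGoodPacket, FIELD_MAX));
    printf("hostile: %ld\n", parse_checked(kHostilePacket, sizeof kHostilePacket, FIELD_MAX));
    printf("long into 4-byte buffer: %ld\n", parse_checked(kLongPacket, sizeof kLongPacket, 4));
    printf("unchecked on good input: %u\n", read_string_unchecked(kGoodPacket, scratch));
    return 0;
}
```

The whole "price" of the checked reader is three integer comparisons per field, and the second one is exactly the check a bounds-checked language performs at the memcpy for you. Whether that cost matters next to the public-key and cipher work an SSH connection does anyway is the question the thread is really about.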