• Walter Bright (1/1) Jul 12 2007 http://www.matasano.com/log/914/c-a-cautionary-tale-or-1-hour-of-your-bl...
• Lutger (15/17) Jul 12 2007 Interesting post, particularly the comment about iterators. It raises
• BCS (39/64) Jul 12 2007 Safe(er) delegate could be made by implicitly adding guards to stuff
• Manfred Nowak (26/27) Jul 12 2007 One of the main things I am after are protocols especially for
• Clay Smith (7/29) Jul 13 2007 Currently, if you don't 'new' your class, you go to crash land. Isn't
• Georg Wrede (3/4) Jul 13 2007 Lest anybody here has an insufficient awe and respect for Andrei, just
• Sean Kelly (4/9) Jul 13 2007 I think there's an up and a down side to having your name be synonymous
• Bill Baxter (3/11) Jul 13 2007 Because the blogger uses the phrase "Alexandrescu-understandingy C++" ??
• Walter Bright (7/13) Jul 13 2007 Once you work through the complexities of the C++, what Andrei is doing
• Sean Kelly (9/14) Jul 13 2007 I was trying to figure out how to determine the return type of a member
• James Dennett (23/36) Jul 13 2007 With C++, it's trivial too, if you pick up a pre-built version
• =?ISO-8859-1?Q?Anders_F_Bj=F6rklund?= (4/7) Jul 14 2007 I'm tired of C++ period. Whether it is bashing or praising,
• Steve Teale (2/19) Jul 14 2007 I remember reading the original Kernigan and Ritchie C book back in 1980...
• Walter Bright (3/4) Jul 14 2007 D to me is as fun as the early days of C++, even more so, in fact. And
• Georg Wrede (15/16) Jul 13 2007 While I read the article, and found quite a few (to me) new problems

Walter Bright <newshound1 digitalmars.com> writes:

http://www.matasano.com/log/914/c-a-cautionary-tale-or-1-hour-of-your-black-hat-trip-is-spoken-for/

Lutger <lutger.blijdestijn gmail.com> writes:

Walter Bright wrote:
 http://www.matasano.com/log/914/c-a-cautionary-tale-or-1-hour-of-your-black-hat
trip-is-spoken-for/ 
 

Interesting post, particularly the comment about iterators. It raises 
the question what security related bug classes can be found in D and are 
to be aware of. I'm no expert on this matter at all but what comes to mind:

- inappropriate use of delegates (messing with the stack)
- array slices / array bounds errors
- inappropriate use of destructors (but probably not common)

Or to put it another way, if D will get popular enough via what language 
constructs will software written in it most likely be exploited?

The garbage collector implementation may have some issues? But this is 
not part of the language I suppose. And the objection that bare-metal 
(pointers) access is possible is not that relevant imho, since 1) D is a 
systems programming language after all and 2) this feature is not 
something that is the default nor is it dressed up as in C++.

Any other concerns / thoughts / recommendations?

BCS <ao pathlink.com> writes:

Reply to Lutger,

 Walter Bright wrote:
 
 http://www.matasano.com/log/914/c-a-cautionary-tale-or-1-hour-of-your
 -black-hat-trip-is-spoken-for/
 

 Interesting post, particularly the comment about iterators. It raises
 the question what security related bug classes can be found in D and
 are to be aware of. I'm no expert on this matter at all but what comes
 to mind:
 
 - inappropriate use of delegates (messing with the stack)
 - array slices / array bounds errors
 - inappropriate use of destructors (but probably not common)
 Or to put it another way, if D will get popular enough via what
 language constructs will software written in it most likely be
 exploited?
 
 The garbage collector implementation may have some issues? But this is
 not part of the language I suppose. And the objection that bare-metal
 (pointers) access is possible is not that relevant imho, since 1) D is
 a systems programming language after all and 2) this feature is not
 something that is the default nor is it dressed up as in C++.
 
 Any other concerns / thoughts / recommendations?
 

Safe(er) delegate could be made by implicitly adding guards to stuff

this

|void fn()
|{
| void nested fn(){}
|
| void delegate() dg = &fn;
|}

becomes this

|void fn()
|{
| long now = CPUTime;
| struct Use
| {
|  long then
|  void* pt
|  void nested fn()
|  {
|   assert(now == then);
|
|   this = pt; // sudo code
|   goto _fn; // "
|
|  }
| }
| Use* u = new Use;
| u.then = now;
| u.pt = StakFrame;
| scope(exit) now = 0;
|
|
|
| void nested _fn(){}
|
| void delegate() dg = &u.fn;
|}

Replace delegates with function that do a chained call to the real thing 
after checking to see that a sentinel is correct.

Manfred Nowak <svv1999 hotmail.com> writes:

Lutger wrote

 what security related bug classes can be found in D

One of the main things I am after are protocols especially for 
interfaces.

Not so arbitrary example:

interface I{
  void bind();
  void connect();
  void down();
  void send();
  void receive();
  void close();
}

One knows far too less form seeing this.

This might be an interface for sockets where the sequence of the 
calls has to follow some restrictions that can be expressed by a 
regular expression or an even more complicated grammar.

Let me assume a regular expression is enough:
  ("bind"|)(("connect"("send"|"receive")*("down"|))|)"close"

D is currently unable to bind this information to an interface and 
enforce the appropriate call sequence in every class that derives 
from that interface.

In case of a socket this might result in a resource leak when the 
call of the mandatory `close' is not enforced.

If the optional `down' is also not called the socket might be open 
for an attacker ...

-manfred

Clay Smith <clayasaurus gmail.com> writes:

Lutger wrote:
 Walter Bright wrote:
 http://www.matasano.com/log/914/c-a-cautionary-tale-or-1-hour-of-your-black-hat
trip-is-spoken-for/ 

 
 Interesting post, particularly the comment about iterators. It raises 
 the question what security related bug classes can be found in D and are 
 to be aware of. I'm no expert on this matter at all but what comes to mind:
 
 - inappropriate use of delegates (messing with the stack)
 - array slices / array bounds errors
 - inappropriate use of destructors (but probably not common)
 
 Or to put it another way, if D will get popular enough via what language 
 constructs will software written in it most likely be exploited?
 
 The garbage collector implementation may have some issues? But this is 
 not part of the language I suppose. And the objection that bare-metal 
 (pointers) access is possible is not that relevant imho, since 1) D is a 
 systems programming language after all and 2) this feature is not 
 something that is the default nor is it dressed up as in C++.
 
 Any other concerns / thoughts / recommendations?

Currently, if you don't 'new' your class, you go to crash land. Isn't 
this a potential security problem?

if (rare_path)
{
   use_class_without_init.func();
}

Georg Wrede <georg nospam.org> writes:

Walter Bright wrote:
 http://www.matasano.com/log/914/c-a-cautionary-tale-or-1-hour-of-your-black-hat
trip-is-spoken-for/ 

Lest anybody here has an insufficient awe and respect for Andrei, just 
read the above reference. Period.

Sean Kelly <sean f4.ca> writes:

Georg Wrede wrote:
 Walter Bright wrote:
 http://www.matasano.com/log/914/c-a-cautionary-tale-or-1-hour-of-your-black-hat
trip-is-spoken-for/ 

 
 Lest anybody here has an insufficient awe and respect for Andrei, just 
 read the above reference. Period.

I think there's an up and a down side to having your name be synonymous 
with "code no one understands."  :-)


Sean

Bill Baxter <dnewsgroup billbaxter.com> writes:

Georg Wrede wrote:
 Walter Bright wrote:
 http://www.matasano.com/log/914/c-a-cautionary-tale-or-1-hour-of-your-black-hat
trip-is-spoken-for/ 

 
 
 Lest anybody here has an insufficient awe and respect for Andrei, just 
 read the above reference. Period.
 
 

Because the blogger uses the phrase "Alexandrescu-understandingy C++" ??


--bb

Walter Bright <newshound1 digitalmars.com> writes:

Georg Wrede wrote:
 Walter Bright wrote:
 http://www.matasano.com/log/914/c-a-cautionary-tale-or-1-hour-of-your-black-hat
trip-is-spoken-for/ 

 
 
 Lest anybody here has an insufficient awe and respect for Andrei, just 
 read the above reference. Period.

Once you work through the complexities of the C++, what Andrei is doing 
is rather simple. It's just that C++ obfuscates everything <g>.

It's like I attended a presentation by Scott Meyers which was an 
application of C++ template metaprogramming. Most of the presentation 
was about how to do arrays of types. With D, that's trivial (as tuples), 
and the presentation would have been over in 5 minutes.

Sean Kelly <sean f4.ca> writes:

Walter Bright wrote:
 
 It's like I attended a presentation by Scott Meyers which was an 
 application of C++ template metaprogramming. Most of the presentation 
 was about how to do arrays of types. With D, that's trivial (as tuples), 
 and the presentation would have been over in 5 minutes.

I was trying to figure out how to determine the return type of a member 
function using C++ template code the other day.  Something that would 
take me two seconds in D had me tearing my hair out in C++.  The result 
is that I simply don't do much serious metaprogramming in C++ because 
the machinations required are often just a complete mess.  In D however, 
it's so straightforward that in most cases a novice could understand it. 
  This is a huge win IMO.


Sean

James Dennett <jdennett acm.org> writes:

Sean Kelly wrote:
 Walter Bright wrote:
 It's like I attended a presentation by Scott Meyers which was an
 application of C++ template metaprogramming. Most of the presentation
 was about how to do arrays of types. With D, that's trivial (as
 tuples), and the presentation would have been over in 5 minutes.


With C++, it's trivial too, if you pick up a pre-built version
(as you automatically do when you pick up your D compiler).  The
corresponding talk for D could have been on how to implement
this inside the compiler rather than as a library.  The library
version has the advantage of working with many different
underlying compilers, which is a non-issue for D at this time
(given that there are 1.5 competing D compilers).

 I was trying to figure out how to determine the return type of a member
 function using C++ template code the other day.  Something that would
 take me two seconds in D had me tearing my hair out in C++.  The result
 is that I simply don't do much serious metaprogramming in C++ because
 the machinations required are often just a complete mess.  In D however,
 it's so straightforward that in most cases a novice could understand it.
  This is a huge win IMO.

C++ will be on its second standard, with easy support for
such things as extracting the return type of a function,
before the D community is involved with straightjackets
such as standardization.

(There's a published ISO Technical Report for C++ which also
provides some interim support for this via std::tr1::result_of,
though that's markedly less elegant than the C++0x equivalent,
and can trivially be implemented in terms of decltype.)

If you're free to use the latest greatest D, you may well be
free to use not-yet-standard C++ features too.  In which case
what you mention above is trivial in C++.

I do tire of this silly C++ bashing.  D's actually not bad;
why not let it stand on its own merits rather than badmouthing
the language which most directly inspired it?

-- James

=?ISO-8859-1?Q?Anders_F_Bj=F6rklund?= <afb algonet.se> writes:

James Dennett wrote:

 I do tire of this silly C++ bashing.  D's actually not bad;
 why not let it stand on its own merits rather than badmouthing
 the language which most directly inspired it?

I'm tired of C++ period. Whether it is bashing or praising,
I would have preferred if D would stand on it's own instead.

--anders

Steve Teale <steve.teale britseyeview.com> writes:

Sean Kelly Wrote:

 Walter Bright wrote:
 
 It's like I attended a presentation by Scott Meyers which was an 
 application of C++ template metaprogramming. Most of the presentation 
 was about how to do arrays of types. With D, that's trivial (as tuples), 
 and the presentation would have been over in 5 minutes.

 
 I was trying to figure out how to determine the return type of a member 
 function using C++ template code the other day.  Something that would 
 take me two seconds in D had me tearing my hair out in C++.  The result 
 is that I simply don't do much serious metaprogramming in C++ because 
 the machinations required are often just a complete mess.  In D however, 
 it's so straightforward that in most cases a novice could understand it. 
   This is a huge win IMO.
 
 
 Sean

I remember reading the original Kernigan and Ritchie C book back in 1980
something.  I read it from cover to cover without a break, and thought wow!
This is the language for me.  After many years of diversions (often known as
work) I finally got round to taking a serious look at D, and found the
sensation much the same.  We are all on the same side.

Walter Bright <newshound1 digitalmars.com> writes:

Steve Teale wrote:
 I remember reading the original Kernigan and Ritchie C book back in 1980
something.  I read it from cover to cover without a break, and thought wow!
This is the language for me.  After many years of diversions (often known as
work) I finally got round to taking a serious look at D, and found the
sensation much the same.

D to me is as fun as the early days of C++, even more so, in fact. And 
it's good to be working with you again!

Georg Wrede <georg nospam.org> writes:

Walter Bright wrote:
 http://www.matasano.com/log/914/c-a-cautionary-tale-or-1-hour-of-your-black-hat
trip-is-spoken-for/ 

While I read the article, and found quite a few (to me) new problems 
with C++, off-hand I don't have any D suggestions now.

Additionally, the fact that Walter brings this issue up "just like 
that", should be telling of the way D is developed versus the competition!

First, we're not scared of grabbing the bull by the horns. Second, 
having D as a one-man enterprise, gives us an immeasurable advantage 
over C++ and the like. The response time, the vigilance and the 
vigorousness that this needs, simply are not possible to match with the 
bureaucracy the competition (be it C++ or Java) are dragging around.

Not to mention Walter's unfathomable experience as a compiler writer!!

---

Multiply a thirty-percent advantage over ten years, and you wouldn't 
believe the result!

And D is doing a whole lot better than that.