Discussion on avoiding security vulnerabilities in C++

Manfred Nowak svv1999 at hotmail.com
Thu Jul 12 19:17:14 PDT 2007


Lutger wrote

> what security related bug classes can be found in D

One of the main things I am after is protocols, especially for 
interfaces.

A not-so-arbitrary example:

interface I{
  void bind();
  void connect();
  void down();
  void send();
  void receive();
  void close();
}

One learns far too little from seeing this.

This might be an interface for sockets where the sequence of the 
calls has to follow some restrictions that can be expressed by a 
regular expression or an even more complicated grammar.

Let me assume a regular expression is enough:
  ("bind"|)(("connect"("send"|"receive")*("down"|))|)"close"

D is currently unable to bind this information to an interface and 
enforce the appropriate call sequence in every class that derives 
from that interface.

In case of a socket this might result in a resource leak when the 
call of the mandatory `close' is not enforced.

If the optional `down' is also not called the socket might be open 
for an attacker ...

-manfred
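The kind of enforcement the post says the interface cannot carry can at least be done by hand at runtime. The following is an added example, not code from the post or from the D project: a C++ wrapper (C++ rather than D because the thread's subject is C++ and the verifier can compile it) that encodes the regular expression above as a small state machine, rejects any call that does not fit the protocol, and counts objects that are destroyed without the mandatory `close'. The class and function names (`GuardedSocket`, `isLegalTrace`) and the pure-bookkeeping bodies (no real socket I/O) are assumptions made for illustration.

```cpp
// Added example (not from the original post): runtime enforcement of the call
// protocol ("bind"|)(("connect"("send"|"receive")*("down"|))|)"close" on a
// socket-like object, since the language cannot attach it to the interface.
// No real sockets are opened; the methods only track protocol state.
#include <initializer_list>
#include <stdexcept>
#include <string>
#include <vector>
#include <cstdio>

enum class SockState { Fresh, Bound, Connected, Down, Closed };

class GuardedSocket {
public:
    // An object that dies while not Closed is exactly the leak the post warns about.
    ~GuardedSocket() { if (state_ != SockState::Closed) ++leaks_; }

    // One transition per interface method; the allowed source states are the
    // positions in the regular expression from which that token may follow.
    void bind()    { step(SockState::Bound,     {SockState::Fresh}); }
    void connect() { step(SockState::Connected, {SockState::Fresh, SockState::Bound}); }
    void send()    { step(SockState::Connected, {SockState::Connected}); }
    void receive() { step(SockState::Connected, {SockState::Connected}); }
    void down()    { step(SockState::Down,      {SockState::Connected}); }
    void close()   { step(SockState::Closed,    {SockState::Fresh, SockState::Bound,
                                                 SockState::Connected, SockState::Down}); }

    SockState state() const { return state_; }
    static int  leaks()      { return leaks_; }
    static void resetLeaks() { leaks_ = 0; }

private:
    // Move to `next` only if the current state is one of `allowed`; otherwise
    // the caller has violated the protocol and the call is refused.
    void step(SockState next, std::initializer_list<SockState> allowed) {
        for (SockState s : allowed) {
            if (s == state_) { state_ = next; return; }
        }
        throw std::logic_error("protocol violation");
    }

    SockState  state_ = SockState::Fresh;
    static int leaks_;
};
int GuardedSocket::leaks_ = 0;

// Replay a sequence of call names (e.g. taken from a trace) against the guard.
// Returns true only if every call was legal and the trace ended with close.
bool isLegalTrace(const std::vector<std::string>& calls) {
    GuardedSocket s;
    try {
        for (const std::string& c : calls) {
            if      (c == "bind")    s.bind();
            else if (c == "connect") s.connect();
            else if (c == "send")    s.send();
            else if (c == "receive") s.receive();
            else if (c == "down")    s.down();
            else if (c == "close")   s.close();
            else throw std::logic_error("unknown call: " + c);
        }
    } catch (const std::logic_error&) {
        return false;
    }
    return s.state() == SockState::Closed;
}

int main() {
    // Constructed traces: one that follows the protocol, one that does not,
    // and one that forgets close and therefore shows up as a leak.
    std::printf("legal:   %d\n", isLegalTrace({"bind", "connect", "send", "down", "close"}));
    std::printf("illegal: %d\n", isLegalTrace({"send", "close"}));
    GuardedSocket::resetLeaks();
    isLegalTrace({"connect", "send"});
    std::printf("leaks:   %d\n", GuardedSocket::leaks());
    return 0;
}
```

The guard catches misuse only when the offending call is actually executed, so it is a runtime check, not the compile-time binding the post asks for; it does, however, turn a silent resource leak or a forgotten `down' into an observable failure at the point of misuse.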




More information about the Digitalmars-d mailing list