Software Assurance Reference Dataset
Andrew Godfrey via Digitalmars-d
digitalmars-d at puremagic.com
Tue Jul 22 09:08:37 PDT 2014
>>> My understanding is that it can be done
>>> but only with annotations or whole program analysis.
I think that's true, but you don't necessarily have to annotate every function.

a) Possibly there's something interesting to do at the module level. I think more than one thing, e.g. a module that doesn't have any callbacks in its interface is 'interesting'; e.g. 'layering' of modules.

b) Some situations are particularly dangerous, and so a function annotation could be encouraged for those. E.g. if you have a recursive function without tail recursion, and the possible recursion depth is substantial, then while it is deep in its recursion it should limit what other functions it calls. Someone could come along later and add a logging statement to it, which usually isn't dangerous but here it could be.

Quick sort is an instructive example because it has the security weakness that, although you expect the stack depth to typically be O(log n), an attacker in control of the input can force it to be O(n). Of course with tail recursion that doesn't threaten stack overflow, but it suggests that there are recursion cases we think are safe, and typically don't fall over, but are actually vulnerable, which means if we don't feel like annotating them in defense, we're being irresponsible in a way.
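A worked illustration of the quicksort point above, added here as an example and not part of the original post or the D standard library. It assumes a textbook Lomuto partition that always pivots on the last element (so already-sorted input is the attacker's worst case for it) and uses Python's recursion limit as a stand-in for the native stack. `naive_quicksort` recurses on both sides and reaches depth n on sorted input; `bounded_quicksort` recurses only on the smaller side and loops on the larger (the iterative form of the tail call), which caps the depth at floor(log2 n) + 1 regardless of input order.

```python
"""Quicksort stack depth under attacker-controlled input (added example)."""
import random
import sys


def partition(a, lo, hi):
    """Lomuto partition of a[lo..hi] around a[hi]; returns the pivot's final index.
    Assumed pivot rule: always the last element, which an attacker can exploit."""
    pivot = a[hi]
    i = lo
    for j in range(lo, hi):
        if a[j] < pivot:
            a[i], a[j] = a[j], a[i]
            i += 1
    a[i], a[hi] = a[hi], a[i]
    return i


def naive_quicksort(a, lo=0, hi=None, depth=1, stats=None):
    """Recurse on both sides. Depth is O(log n) on typical input but O(n) on
    sorted input, because one side of every partition is empty."""
    if hi is None:
        hi = len(a) - 1
    if stats is not None:
        stats["max_depth"] = max(stats["max_depth"], depth)
    if lo < hi:
        p = partition(a, lo, hi)
        naive_quicksort(a, lo, p - 1, depth + 1, stats)
        naive_quicksort(a, p + 1, hi, depth + 1, stats)


def bounded_quicksort(a, lo=0, hi=None, depth=1, stats=None):
    """Recurse only on the smaller side and loop on the larger one (the
    iterative form of the tail call). Each recursive call gets fewer than
    half of its caller's elements, so depth <= floor(log2 n) + 1 for any order."""
    if hi is None:
        hi = len(a) - 1
    if stats is not None:
        stats["max_depth"] = max(stats["max_depth"], depth)
    while lo < hi:
        p = partition(a, lo, hi)
        if p - lo < hi - p:
            bounded_quicksort(a, lo, p - 1, depth + 1, stats)
            lo = p + 1
        else:
            bounded_quicksort(a, p + 1, hi, depth + 1, stats)
            hi = p - 1


def max_depth(sort_fn, data):
    """Sort a copy of data with sort_fn and return the deepest call reached."""
    a = list(data)
    stats = {"max_depth": 0}
    sort_fn(a, stats=stats)
    assert a == sorted(data)
    return stats["max_depth"]


def overflows(sort_fn, data, limit=1000):
    """True if sorting data with sort_fn exhausts a Python stack of `limit`
    frames; RecursionError here plays the role of a native stack overflow."""
    saved = sys.getrecursionlimit()
    sys.setrecursionlimit(limit)
    try:
        sort_fn(list(data))
        return False
    except RecursionError:
        return True
    finally:
        sys.setrecursionlimit(saved)


def random_input(n, seed=1234):
    """Constructed benign input: a fixed-seed shuffle of 0..n-1."""
    a = list(range(n))
    random.Random(seed).shuffle(a)
    return a


if __name__ == "__main__":
    n = 200
    print("naive,   random input :", max_depth(naive_quicksort, random_input(n)))
    print("naive,   sorted input :", max_depth(naive_quicksort, list(range(n))))
    print("bounded, sorted input :", max_depth(bounded_quicksort, list(range(n))))
    print("naive overflows on 3000 sorted items  :", overflows(naive_quicksort, range(3000)))
    print("bounded overflows on 3000 sorted items:", overflows(bounded_quicksort, range(3000)))
```

The bounded version still does O(n^2) work on the adversarial input; it only removes the stack-exhaustion outcome. A randomized or median-of-three pivot raises the bar on choosing a bad input but does not bound the depth by itself, which is why the depth bound (or an explicit depth limit with a fallback, as introsort does) is the annotation-worthy property.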