So, I was reading an article today which piqued my interest, and in some ways disturbed me:
http://m.computerworld.com.au/article/314817/nicta_wins_race_secure_l4
Now, the article cites a grand achievement for a microkernel, especially one focused on security. That is not my problem. The line in the article that was a problem for me is this:
"For example, the microkernel is impervious to buffer overflows, a common form of software attack where hackers take control of programs by injecting malicious code."
Now, I know what you may be thinking: yeah, that's great. So what?
Well, I am in many ways appalled that this is still one of the major software security problems to date, especially since it dates back to the very beginning of programming. So, I did some research to see how big a problem this still is.
Turns out, if you look up buffer overflow on Google, Bing, Yahoo, etc., you get not only the Wikipedia definition and status of it, but also tons of security firms trying to sell you solutions and training to handle this problem. And the majority of these errors come from a single aspect of the software: the lack of a proper bounds check comparing the size of the data being written against the size of the buffer receiving it.
Now, having gone through multiple programming courses, with focuses on Java, C, C++, and many scripting languages, it is horribly surprising that, in my recollection, we never once really touched on handling a simple situation such as making sure your buffer is bounded and checked correctly.
So, this got me thinking: shouldn't there be, at least in pseudo-code somewhere, some list of programming patterns for something like this? Maybe some actual class / object patterns for this, etc.?
It turns out there are, but most of them are locked away in obscure textbooks or on completely out-of-the-way or unrelated websites. For example, there are patterns for a Fixed Size Buffer for Real-time Systems (example here). However, like most of these tidbits of knowledge, they are either obscured by the specific domain they belong to, making them inaccessible to many programmers and engineers, or they are merely described, with no actual pseudo-code or structure given for the ideas.
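To make the "missing bounds check" point above concrete, and to give the Fixed Size Buffer idea an actual structure rather than just a description, here is an added example in C. It is not code from the article, the NICTA project, or any textbook pattern; the type and function names (bounded_buf, bb_init, bb_append, bb_append_trunc, BB_CAP) are this example's own. It shows the classic unchecked copy next to a fixed-capacity buffer whose only write paths check the remaining room first, once refusing and once truncating, so the caller always learns when input did not fit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original post. Names are hypothetical. */

/* The bug the post is about: dst is 16 bytes, but nothing here compares
 * strlen(src) against 16. A 20-byte src writes 21 bytes past the slot.
 * Shown for contrast only; it is never called with oversized input below. */
void unsafe_copy(char dst[16], const char *src) {
    strcpy(dst, src);
}

/* Fixed Size Buffer pattern: capacity is part of the type, the current
 * length is tracked alongside the bytes, and every write path checks
 * the remaining room before touching memory. Invariant: len <= BB_CAP - 1
 * and data[len] == '\0', so data is always a valid C string. */
#define BB_CAP 16

typedef struct {
    char   data[BB_CAP];
    size_t len;
} bounded_buf;

void bb_init(bounded_buf *b) {
    b->len = 0;
    b->data[0] = '\0';
}

/* Bytes of payload that can still be appended (one byte is reserved
 * for the terminating NUL). Safe subtraction because of the invariant. */
static size_t bb_room(const bounded_buf *b) {
    return BB_CAP - 1 - b->len;
}

/* Strict variant: append all of src, or change nothing and return false. */
bool bb_append(bounded_buf *b, const char *src) {
    size_t n = strlen(src);
    if (n > bb_room(b)) {
        return false;            /* would overflow: refuse, buffer untouched */
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
    b->data[b->len] = '\0';      /* re-establish the invariant */
    return true;
}

/* Lenient variant: append as much of src as fits and return how many
 * bytes were dropped, so the caller can detect truncation instead of
 * silently losing data (the usual complaint against strncpy). */
size_t bb_append_trunc(bounded_buf *b, const char *src) {
    size_t n    = strlen(src);
    size_t room = bb_room(b);
    size_t take = n < room ? n : room;
    memcpy(b->data + b->len, src, take);
    b->len += take;
    b->data[b->len] = '\0';
    return n - take;
}

int main(void) {
    /* Constructed sample input: 20 bytes, 4 more than the buffer holds. */
    const char *oversized = "0123456789ABCDEFGHIJ";
    bounded_buf b;

    bb_init(&b);
    printf("strict append fits: %s\n", bb_append(&b, oversized) ? "yes" : "no");
    printf("buffer after refusal: \"%s\" (len %zu)\n", b.data, b.len);

    bb_init(&b);
    size_t dropped = bb_append_trunc(&b, oversized);
    printf("truncating append kept \"%s\", dropped %zu bytes\n", b.data, dropped);
    return 0;
}
```

The point of the struct is that the capacity travels with the data instead of living in the programmer's head, and the two append functions are the only way bytes get in, so the check cannot be forgotten at each call site. Note that plain strncpy is not a fix on its own: it does not NUL-terminate when the source fills the destination, and it reports nothing about truncation, which is why bb_append_trunc returns the dropped byte count.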
So, I ask my question: why not have some common programming patterns that everyone can find, interpret, and use?
I personally may start amassing a few of my own that I've used quite often and start noting them down here. It may be worth someone's time, and eventually it could be compiled for more people to use.
If anyone has any ideas on some good patterns that may match this, shoot me a comment or an email, and I'll make sure to note it. I really think this could be helpful not just to new programmers, but even to older programmers who often have to reinvent the wheel or remember how to do something nifty and elegant, yet simple, that they did before.