Spot the Vulnerability: Loops and Terminating Conditions
In memory-unsafe languages like C, special care must be taken when copying untrusted data, particularly when copying it to another buffer. In this post, we’ll spot and mitigate a past vulnerability in Linux’s NTP daemon.
In many tasks we need to do something at given intervals of time. The most obvious ways may not give you the best results.
When I’m not coding the "impossible" at Art+Logic, I take a lot of interest in new programming technologies and paradigms; even if they’re not yet viable for use in production, there can often be takeaways for improving your everyday code.
My current fascination is the Idris programming language, a research language built around making dependent types practical. This is a quick primer on what dependent types are, how they work in Idris, and how they can change the way you think about types in other languages; we’ll assume no prior knowledge of Idris or of purely functional languages in general, but a basic familiarity with functional programming will make things easier to follow.
Does your business still have an XT computer in the back office because it’s running that one version of some database software that your business depends on? Yeah, we know there is. Most modern software doesn’t work like that.
If you aren’t keeping your custom software up with the changing computing environment, it will fail not necessarily because it has flaws, or the hardware can no longer meet the demand, but because the support your software relies upon has changed.
Let’s look at the vulnerabilities you must manage so that your software does not reach its end of life before losing its inherent usefulness.
We have a customer that developed a hardware device to make physical measurements. Some years ago we wrote a suite of software tools for the customer: a tablet application for configuring the hardware device, a django web server to receive uploaded XML documents generated by the device, and a user-facing web application (using the same django server), providing reporting and data analytics.
In 1997, a flaw was discovered in how Linux and Windows handled IP fragmentation, a Denial-of-Service vulnerability which allowed systems to be crashed remotely.