Wandering Thoughts archives

2009-10-11

Why security bugs aren't bugs

To a large extent, we understand how to write bug-free programs and code: you use and test the program until it doesn't crash or break things, produces the correct results, and doesn't do anything surprising (generate extra messages, pop up stray windows, and so on). There are various different ways to do this and people disagree about which approach is the most effective, but this is the broad view of how most bug-free program development is done.

('bug-free' is of course a misnomer; the goal is to make sure that the program works in general and has a very low chance of having some undiscovered bug, especially a serious bug.)

Following this general development process will not give you programs without security bugs, except through coincidence or luck. It will not do so even if you specifically attempt to test for security bugs by attacking your program with things such as input fuzzers, although you will eliminate a lot of the low-hanging fruit. We can argue about why this happens (I have my own views), but there's an overwhelming amount of experimental evidence that it does; just look at all of the security bugs in published, reasonably bug-free programs (and how many would not have been found by fuzz testing and so on).

This is why I say that security bugs aren't bugs. You can't render a program free of security bugs with the same techniques that are commonly used to render a program free of ordinary bugs. Security bugs are qualitatively different, for whatever reason, and getting rid of them requires an extra and different effort over and above regular debugging.

(Yes, security bugs are often ultimately caused by regular bugs, but they're clearly not regular bugs that are amenable to being found by our usual development techniques or we wouldn't have so many well debugged programs with serious security holes.)

My personal opinion is that neither testing in general nor obsessive error checking are sufficient to get rid of security bugs (although you will get a certain amount of low-hanging fruit). The really dangerous bugs are subtle issues that we can only currently find through outside code inspection.

programming/SecurityBugProblemII written at 00:56:34; Add Comment


Page tools: See As Normal.
Search:
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.