Schneier on Security

ab praeceptis • April 22, 2017 1:42 PM

Winter

Dutch journalist have used data from human rights activist

“dutch” – as in: The country that signed an agreement that a) ukraine – i.e. one of the suspicious parties – is participating in the “investigation” and b) – that’s where it gets smelling and obvious – a final report must be agreed upon by every participating party, i.e. anything ukraine doesn’t like will be kept secret.

“activist” – Pardon me but activists, as much as they are beloved, in the us of a dominated part of the world, and what they say, are not evidence.

How about THINKING for a moment? The dutch “investigation” is now going on for years and still they have only “preliminary reports”?
If they had anything that could and would be ripped apart they would have certainly presented it to the world.

A) and b) are irrelevant and c) is simply not true.

So, being there legally and 95% of the people there are irrelevant? So much for your attitude re. legality and democracy …

C not true? How about, just for a change, once actually informing yourself?
Crimea was given by chrustschew as a gift to ukraine. That’s a historic and verifiable fact. And that act was illegal in violating the constitution, but, of course, in USSR times nobody questioned the party leader.

Anyhow, Russian government lied with a straight face about the involvement of Russian soldiers in the annexation of Crimea

The one who lies here is you.

Russia, e.g. president Putin himself, not only did not deny having played a role in Crimea but he actually speaks openly and publicly about it. There is i.a. a film about it and some interviews with Putin. He never denied that russian troups were involved in securing Crimea.
Btw. what happened can not possibly have been an annexation because that would require it to have happened against the will of the people, >95% of which actually welcomed Russias involvement as well as becoming a part of Russia again.

Go and look up “annexation”. Being at that also have a look at former Yugoslavia or even at Germany. In both cases the people have not been asked and there was no referendum.

It’s over and over again the same getting boring story: If the us of a does something really illegal it’s painted as nice and good whereas Russia could give away her oil for free and they would still be painted as evil.

ab praeceptis • April 23, 2017 8:03 PM

Thoth

Browser based javascript encryption? Brillant!

And after all, what could possibly go wrong entrusting your security and privacy to encryption done in a typeless language running on a bug zoo interpreter which again runs within a bug zoo browser? Excellent solution! Also saves nsa the trouble of starting up their toolbox.

I’d like to commend you for your decision to put no-brain-file on the holidays list! It’s certainly well deserved.

If I may: It seems you have forgotten to put tls on the list (which will soon provide ‘security’ in the freakshow called ‘your browser’!)

I want tls 1.3 done in javascript! For windows xp!

Very much looking forward to your card …

ab praeceptis • April 24, 2017 9:19 AM

@Thoth

Who do I trust for rating SSL/TLS/..etc.. (in)security ?

That’s simple: None of the above.

Why? For a start because they do not examine the security of ssl/tls but rather the way somebody employs ssl/tls implementations.

Or, in other words: ssl-labs et al. do not tell whether a given site is secure. What it does tell is whether the site (admins) at least try and hence and in conclusion whether they at least seem to care about security at all.

Sidenote: The admin I know who do test their own sites with ssl-labs or similar actually do it for completely different reasons. They do it because they know that some of their visitors/clients/customers do take that quite seriously. One worded it nicely “people wanna see much green, no yellow and absolutely no red”.

@Dirk Praet

until – like @Thoth said – the availability of a microkernel based OS that is both stable and usable, or @ab praeceptis publishes the specifications of his personal high security set-up.

It might surprise some but I surf using linux (not Mint but anyway). On a separate box (using the miracles of a kvm switch). The reason is partly simple and partly somewhat less so.

For a start I do not at all trust the web. Not with and not without ssl/tls. Period. Hence a separate air gapped box which gets completely wiped (modulo some preferences and bookmarks) quite frequently.
Moreover, as some might know, I do not believe in the sectarian “obscurity is no security” credo. Quite the contrary; encryption is professional high quality obscurity. This also means that I know about the quite relevant power of “do not stick out like a sore thumb but swim within the masses”.

For work I use a hardened FreeBSD. For the same reason I stopped using OpenBSD many years ago (although I liked and still like OpenBSD): More drivers, more software etc. It’s simply the sweet spot for me, considering what I need for work.

Now to the more interesting parts …

I’m very closely following Minix3. It’s quite well done, albeit in C (keep in mind that Tanenbaum also created ACK which supported Pascal). I did not yet really test it as it’s not yet in a state where I want to use it but judging from some “quick shot” test with cpachecker and predator code quality is quite OK.

As soon as I feel Minix3 is ready for serious use I’ll switch my development over. 3.4 might be the version. I’ll see (and do more tests).

Why: Because I consider Minix to be secure? No! But because I consider it far less vulnerable than the monoliths.

For cases where I need more security (than a “reasonable everyday box”) I’m looking into muen with either minix or, when possible, rtems on it for the “public side” (say, a messenger client) muen wired to a secure minimal OS which does the sensitive parts.

The problem is this: Pretty everything out there is bloated and fat beyond hope. If a client needs, say, some highly secure link between some industrial sensors and actors in installations far outside his headquarters, that may sound complicated but is actually easy to do because I control both sides (and the bandwidth needed isn’t high).
Where it gets ugly is when you do not control both sides (or, god forbid, not even one) and/or when you need the internet. there are simply too many abcesses and plague-spots. As far as I’m concerned it doesn’t even make sense to try.

What the hell can you do when your client tells you that he needs to connect an old windows xp box (running some aeons old software that is critical and irreplacable for him) to, say, some linux box far away? No matter how well you design and code, you’ll be fu**ed.

My solution is to use whatever there happens to be (say the win xp box) and to outsource security so as to make the win box never ever see clear text. In a way similar to what Thoth does, with the main difference being that I wouldn’t trust even a half rotten penny to anything even remotely java infested.

Now, before some of you think that my way is better than Thot’s: Nope, it isn’t. It like so often in engineering, comes down to a decision, to a compromise. Thot’s approach, for example, has the advantage of being much cheaper than mine and working with more off the shelf bits and pieces. Mine is quite probably more secure but quite expensive and only worth to do in either extreme security needs or very high numbers. I try to compensate that somewhat by trying to use widely available or cheap to design and build hardware (like simple no-TZ Arms) and trying to design my software as modular as reasonably possible.

Btw: For my own use I have decided to extend that to a triple stage solution, i.e. e.g. Minix for everyday work plus a Muen w/rtems plus secure Min(mal) OS, where all encryption is done within the sec. Mini OS and transferred through Hypervisor provided channels to rtems which I use e.g. for text entering, some storage (encrypted), text viewing, etc. It’s in a way a secure terminal that can also e.g. server for secure messaging. If the results of anything are needed on the Minix “main workstation” I transfer it by SD card or similar (not usb).

That said, I’m obviously a weird paranoid security freak and my solution is almost certainly not what most of you would like for everyday use. For that I think what Dirk Praet said is a quite reasonable approach.

One final remark One of my rules (that unfortunately is not yet fully doable) is to only accept building blocks based on Ada or at least Pascal or Modula. But I’m getting closer. With some luck I’ll find the time to redo Minix in Ada.

ab praeceptis • April 24, 2017 9:34 AM

Winter, Matthew

I did answer you but for whatever reasons the system here eat and vanished my post.
As I do not think that’s mere coincidence I won’t try again. Sad, sad thing but oh well, that’s how things are …

ab praeceptis • April 24, 2017 10:48 AM

Moderator

A profanity filter? Amazing. I don’t have the slightest idea what could have triggered that.

As for your offer to try again: Thanks but thanks no. I do not indulge in lotteries.

@Winter, Matthew, et al.

I’ll leave it at some short statements, namely a hint to some globally established principles of justice:

• accusations must be proven.
• one is to be considered innocent until proven otherwise.
• justice must be based on evidence and facts and not on emotions.

Is there any proof that Russia or the Donbass people have shot down MH017? – If yes, provide it; if no, shut up and stop slandering and smearing russian people who are to be considered innocent!

ab praeceptis • April 24, 2017 12:17 PM

Wallflower

(Funny, how many names are used …)

For a start: No that territory is not russian controlled. That territory is controlled by ukrainians a majority of which happens to be ethnic russians.

I’ve read that there are many ethnic chinese in southern california. If one of them happend to, say, go on a killing spree, would that somehow make that a crime of China? I don’t think so.

Moreover: Why did that airplane fly over a war zone in the first place? It just so happens that the air control in charge – who should have diverted the plane as it did with most others – was in a ukrainian (as in “not russian ethnic”) city and under the direct control of a staunch supporter of the maidan (kolomoisky).

So: How come that the maidanists helpfully presented a target for the evil “Russians” to shoot down?

The Russians have not given us a satisfactory account

That’s idiotic bullsh*t to the square! “The Russians” have to give no account at all.

You have no proof whatsoever that Russia was involved in any way. Moreover it is not the defendant who has to prove his innocence but the accuser to prove the defendants guilt.

That is a globally accepted principle of law which weighs a thousand times heavier than your emotional but empty-handed witchhunt.

ab praeceptis • April 24, 2017 3:07 PM

Nick P

Ad “NNCP” and “noise”, your recommendation:

Well, I had a quick look over some of their (noise) code and I was very disappointed.

For a start, there is not even an attempt of proper verification in their C code (which they themselves call the reference).

I picked a piece of noise code, namely protocol/rand_os.c, i.e. some piece that is well suited to gain some impression of their coding quality because there are quite some spots that can be done well … or not. It’s also often a good spot to look at because it has both unix and windows intricacies such as windows (of course!) not offering a reasonable and simple read_from_random_device functions but a weird construction. Note that right at the start the author promptly falls into that trap and #defines along the intricacies instead of properly resolving the problem.

(My annotations are the comments with 3 asterisks.)

#if defined(linux) || defined(__linux) || defined(__linux__) || defined(__APPLE__)
/*** arbitrary exclusion of BSDs! ***/
#define RANDOM_DEVICE   "/dev/urandom"
#endif
#if defined(__WIN32__) || defined(WIN32) || defined(__CYGWIN32__)
#define RANDOM_WIN32    1
#endif

/*** Would have been better to 
const char* unix_rnd_dev = "/dev/urandom";

and then if #defined /*unices*/ #define RANDOM_WIN32 0 #else /* windows*/ #define RANDOM_WIN32 1
and later check for RANDOM_WIN32 being 0 or 1. If 0 then read from const'd file ***/

/**
 * \brief Gets cryptographically-strong random bytes from the operating system.
 *
 * \param bytes The buffer to fill with random bytes.
 * \param size The number of random bytes to obtain.
 *
 * This function should not block waiting for entropy.
 *
 * \note Not part of the public API.
 */
void noise_rand_bytes(void *bytes, size_t size)
{

/*** Grave problem: ‘size’ vs ‘bytes’ buf size unchecked! ***/

#if defined(RANDOM_DEVICE)
    int fd = open(RANDOM_DEVICE, O_RDONLY);
    if (fd >= 0) {
        for (;;) { /*** Bad! At least use "while(1)". Better: loop over errorFlag being false like this:
            ssize_t retVal = 0; while(retVal != -1) /* error flag */ retVal = read ...***/
            int len = read(fd, bytes, size);
            /*** Why int? return of read() is ssize_t on unices ***/
            if (len == (int)size) { 
            /*** bad! First check for error, only then for other conditions! ***/
                /* We have the bytes we wanted */
                close(fd);
                return; /*** Bad! Don't return out of loop! ***/
            } else if (len >= 0) { /*** nonsensical ***/
                /* Short read - this shouldn't happen.  Treat it as "no data" */
                break;
            } else if (errno != EINTR) { /*** Bad: case comprehension ***/
                /* Some other error than "interrupted due to signal" */
                perror(RANDOM_DEVICE); /*** Bad: Assuming healthy OS state plus mixed reporting ***/
                break;
            }
            /*** potentially de facto blocking - contrary to statement above ***/
        }
        close(fd);
    } else { /*** Bad style. Always comment at least lengthy and stacked if cascades ***/
        perror(RANDOM_DEVICE);
    }
#elif defined(RANDOM_WIN32)
...
#endif

( I tried with pre tags. If I failed at formatting, apologies)

Note re. the grave buffer problem: Some might say “but ‘size’ was given in the param!” – Nope. At the very least it’s dangerously ambiguous. ‘size’ is, in the given context, assumed to be the desired number of bytes and not the size of the buffer (which may or may not be related). Accordingly, good standard practice is to give both. A correct version would be “noise_rand_bytes(void *bytes, size_t buf_size, size_t req_size)”.
Moreover, that being C, it should be assumed that buf_size must be >= req_size + 1 due to C needing \0 to determine string size.

Sorry, but from what I see noise (and anything based on it) can not be responsibly recommended.

ab praeceptis • April 24, 2017 5:13 PM

Yeknom Edoc

“The type of len is int to match the ssize_t coming out of read()” – that’s probably what they thought, yes. But it’s wrong. Look, where the int comes from: from the declaration of len (they initialized it with the read call). They could, however, as well have (correctly) made len an ssize_t.

Ad string size param and \0:

Sorry, that’s wrong. The proper reasoning is As C strings (char arrays) do not have a length with them (unlike e.g. Pascal strings), one should always feed string parameter as a pointer plus length couple. This is also true for arrays in general, string just being one case of those.

Ignoring that lead to a grave buffer overflow problem. Very, very, very bad coding.

Ad “style” comments: Nope, those aren’t about style; they are about readability which is directly related to safety. I do that even in Ada which is *much better readably anyway (“if foo then … end if; — foo”).

Even more grave, one first tests for failure, i.e. something like “if retVal < 0” and only then for details like what kind of error, whether a retrx makes sense, etc.

Also, C having no error propagation (like exceptions) one would make that whole function return a status rather than void (which makes it a procedure). That again would help in designing the whole mechanism better.

ab praeceptis • April 24, 2017 7:11 PM

What?

So?

Or am I supposed to guess what you mean or where you feel to so a contradiction?

ab praeceptis • April 25, 2017 5:05 AM

@Nick P

“It’s Noise versus them rolling their own.” – Is it? Tell me difference between noise implementing crypto lousily and some Joe or Jane implementing crypto lousily.

And sorry, but an implementor sh*tting on the rules of the trade and fumbling buffer bugs is not something to mildly look at.

Case closed, death sentence stays.

@Thoth

Apologies, I’m somewhat late. Congratulations! May the amount of rubles, renmimbis, and euros be no smaller than but rather a multiple of the amount of work you put into that product! I wish you plenty success (and, yes, I’m of course exitedly waiting for the holiday card *g)

ab praeceptis • April 25, 2017 5:29 AM

Ratio

(me) insist on … Ada or at least Pascal or Modula.
(you) Why? What are the pros and cons of this (seemingly rather arbitrary) restriction?

Really? How many more times do I need to put that into the text box? Just look at the given case, the array parameter problem. I the languages I insist on (well, as far as any possible) an array or string always comes along with its size. Moreover iteration from First to Last can be done. Plus implicit domain specs, and much more.

for (;;) vs while (1): Meh. People like their idioms …

That’s a valid observation but also one (of many similar) that brought us to where we are – deep sh*t.

for and while are conceptually quite different constructs. One is about iteration, usually with some control of the iteration mechanism, while the other is about one condition being true or not.

You loop on short reads, and that’s spelled while (len < size)

Nope, not in security minded development. There the first question to ask is “was there a problem”, which among other things also means “is any of the related variables (such as the one against which you’d like to test) even reliable and meaningful?”

Yes, len does happen(stance by some intentional or not design decision) to work with your construct but you ask the wrong question by asking two questions in one.

If you want safe and reliable code you first ask “did it work properly?”, i.e. you test against -1 in the case of read.

Also note that the followup is quite different. If it did work you look for quite different information (such as len == size) than if there was an error; in which case you examine errno.

passing a buf_size: What do you think that achieves? Comparing buf_size and req_size won’t tell you the size of the buffer, so it’s still the caller who is responsible for supplying noise_rand_bytes with a buffer that’s large enough for req_size bytes.

Already answered above. Using a buffer whose size is not known is playing lottery, simple as that. Moreover – read their comments! – it is unknown whether the buffer at least ends in \0 and all chars before the end are != \0. Hence we can not even reliably find out about it’s size. We have to rely on the caller providing reasonable parameter – a bet that has been lost many times, even in “secure” code such as openssl.

Finally, the fact that C does not provide for using Hoare triples does – and should! – not mean that one should not internally work like that, at least in the mindset.

Security needs verifiably correct code. Unfortunately, usually it’s rather in a grey zone. The worst case if if it’s verifiably not correct – which I demonstrated for noise.

Also note (I’m surprised that it seems nobody took that seriously) my comment (in the code fragment) about being potentially being de-facto blocking while the header comments expressly assert it’s not blocking.
One reason? The “for(;;)” construct you defended. This whole thing is effectively a uncontrolled loop based on not provably holding assumptions.

ab praeceptis • April 25, 2017 7:08 AM

Dirk Praet

… Minix3 microkernel + NetBSD userland setup, but … that sounds a bit like a dead end for a general purpose OS.

It’s not meant to be (at least not by myself. Tanenbaum might have a different view; he since quite a while calls Minix3 “netbsd done right” (his meaning, my words)).

But then, nsa doesn’t care about your gaming and you probably don’t care about them knowing what music you’re listening to. In other words: Not everything must be protected, at least not at the same level.
What needs to be protected? Some data, much of communication and (actually not much) browsing (like online banking).

An OS for that or what I call the “reasonable compromise system” must hence allow to store and organize data, to communicate, and to do some browsing and not much more. That’s feasible, that’s a reachable target.

…Muen sounds interesting too, but I cannot shake the feeling that none of these are prime time ready…

Depends again on ones needs. I use something like Muen (but not Muen) to keep the “reasonable compromise system” and the “security dongle” separated and at the same time connected through safe channels provided by the hypervisor (For hardcore security those 2 are separate hw systems but for my private use (as in “nsa has more attractive targets than me”) a virtualized platform seems good enough and it’s anyway dimensionally more secure than what’s commonly used out there.

Also keep in mind why I’m looking at Minix. It’s not because it’s secure (it isn’t). It’s because it’s not a monolith and Tanenbaum had safety as one criterion early on, so it’s much less vulnerable and sh*tty than all the monoliths.

Some interesting side note: After some first worries I actually like the fact that there aren’t that many packages available (about 5k or so) because that softly forces me to have a closer look at the source code of my favourite tools (which are of course not available as click and run packages). I’ve learned that properly designed ones will be ported (or simply adapted) without much hassle while badly designed ones, like e.g. strongly rooted in linux ones. will cause problems (and hence make me think about replacing them).

ab praeceptis • April 26, 2017 3:53 AM

@Thoth

You mentioned Moxie which inspired me to add Signal and Whatsapp into the Hoilydays list.

Finally. And: Well done.

@Nick P

That’s vanilla Minix 3 that i can tell. It’s a microkernel, some user-mode components, and a NetBSD userland.

Correct. And as I repeatedly said I do not consider Minix3 to be secure. But it’s a very major progress in terms of security as a microkernel has a dimensionally smaller attack surface. So it’s less insecure (as I also repeatedly said).

It’s possible ab praeceptis adopted some good tech we posted.

Wrong. I had my basic concept long before I started to read here. I’m also observing and playing with Minix3 since quite some years now.

Also, one must certainly not be a guru to come to the conclusion that microkernel is the way to go. Where one must, however, have some guru-quality is when concretely designing and implementing.

Moreover you, like quite often, tend to value knowing (of something) too high and doing/implementing something far too low.
Trying Minix or Fiasco is a no-brainer and so is using libsodium. Really understanding it is already somewhat harder – but still not enough for a good solution. To achieve that one must know much more, chose wisely, specify and design properly (with verif. in mind). Example: Alone the seemingly simple question of chosing a prng quickly turns quite complicated when looking (and identifying in the first place) all the relevant factors and also how to use them. Example: It is quite desirable for some kinds of projects to not use 1 but rather, say, 32 prngs, one of which is is used at any given point in time. How to chose that one? Using prng #33? Nope. For that you want to have a different prng type.

Let me be frank about my worldview and some personalities here:

I quite rarely read our hosts blog posts; I perceive them as gazette like (which is OK as many seem to like that; it’s just that I subjectively am rarely interested in them).
You, Nick P, have that function for me; it’s your posts that I read with the expectation others have at HN or here. You are quite good as news aggregator for the field I’m interested in, plus occasionally I find one of the papers you mention interesting.

Clive Robinson – no need for comment. He’s the wise man with lots of experience, always polite and friendly and he usually damn knows what he’s talking about. Lots of actual experience pay off.

Thoth I see as a brave sleeves up guy. I value that a lot. We need that kind of people who build swords to fight the dragon. Plus, based on lots of work (and studies, I guess) he also knows what he’s talking about.

As for myself, I don’t ask for advice and I very, very selectively take it. Nothing wrong with the people here; it’s just that I’m wired like that. I want to know and to understand myself down to the damn bits. And I’m knee-deep in the matter practically.

Rest assured that I never ever took any idea from here. I highly value our hosts excellent work; after all, blowfish is still standing after far more than a decade, so Bruce Schneier has earned the golden stars on his chest. But even from him I did not take ideas; I do, however, think about his thoughts (insofar as they are about my field and not more or less political).

Don’t get me wrong. You are a good quality has-read-about-a-gazillion-things man. As I said, I do value you as an IT security gazette but you are definitely not the source for anything I’m working on.

ab praeceptis • April 26, 2017 4:48 AM

Winter

Cute attempt.

Just one recent case: us of a accuses the syrian government to use sarin against civilians. Of course, like usual, the us of a does not provide any evidence (and lies). What it does provide is “information” from social networks (read: bla bla) and a “report” from the white helmets, a “humanitarian organization” – known and proven to be part of the terrorist groups. That report is proven false within days.

Yet, some days later the us of a attacks Syria, a sovereign country with tomahawks. That was a criminal act, simple as that; the international law is very clear about that. The proper and only legal way for the us of a would have been to turn to the un. To attack another state without a valid mandate from the unsc is criminal.

ab praeceptis • April 26, 2017 10:34 AM

Nick P

Hahaha – indeed joyful. Thanks for bringing that hero to my/our attention!

I’d also like to mention that I think his comparing himself to a doctor working with chemotherapy is a good one. (not only) iot has indeed become a cancer.

ab praeceptis • April 27, 2017 5:59 AM

Ratio

Right, read and noise_rand_bytes don’t do that. Such dumb circles. Wait, what?

ssize_t read(int fd, void *buf, size_t nbytes)
void noise_rand_bytes(void *bytes, size_t size)

Oh…

The size parameter in both cases is the desired numbered of byte (not the size of the buffer). That may or may not have been chosen (wisely or not) in relation to the buffer size. Note that it is perfectly well feasible to call noise_rand_byte with an 8 byte buffer but desiring 20 bytes of random. noise_rand_byte wouldn’t – and couldn’t – notice or complain. They btw. also just assume that ‘bytes’ is not NULL.

but then why do you only accept building blocks based on Ada or at least Pascal or Modula

Multiple reasons, one being the properties I talked about. Let me put it by looking from the other side: I would do accept tools (not libraries) developed in e.g. Haskell or Ocaml. But I try to avoid C, C++, java, and even Rust because those using that translates to not having understood some important basic principles. I want to note for the sake of fairness that both Rust and java have understood at least part of the problem (but still not others, e.g. the importance of readability).

I’m willing to compromise, though, when such a project at least has (not toy) verifier annotation such as esc or acsl and I find those done well and knowledgable.

Finally, you see, I do this for a living (as well as with my heart in it). No matter how good (or not) I work, the end product will be lousy if the libraries are lousy. So, if I aim for a good quality result I just have to have reasonable quality criteria throughout the whole project.

No flaws in their design? Not a single one? No trade-offs that could, and maybe should, have been made differently?

Certainly. I actually mention some myself. Also Wirth obviously saw flaws in Pascal, so he created Modula, and in Modula-3, on which he advised but didn’t fully join. I didn’t say those languages are perfect – and that’s not my position; my position is to chose the best tools out of an available set.

But to make you happy: I hate Pascals ‘end[dot]’ logic. It’s perfectly logic from a theoretical point of view but not from a developers view. Ada does much better. I also dislikes Pascals file handling (e.g. “assign”); I find it unnecessary strange.

Modula-3, which I really love(d) had a problem that was grave enough to all but drop it. It has no real unsigned type. That’s just an implementation error but one of such gravity that I came to the conclusion that I do not trust those implementers anymore.

I have learned a lot along my way and if I use pretty much exclusively Ada and C (heavily ACSL guarded and coding paranoically defensive) I have reasons for that. Example: Ada, unlike Modula-3, has a sizeable force behind it. I like brillant loners but to properly implement and keep alive a language one needs more (and good quality) people. As for C I still value it for jobs close to the hardware and as a meta assembler. But then, I have decades of experience and having collected enough “war wounds” I don’t use it arrogantly or carelessly anymore plus I double- and triple-check and verify.

Any other languages that you think are that close those perfection (for your field, not withstanding terminology, etc)?

No, not really. I do value a few functional languages like Ocaml and generally ML but I accept them only in fields then lend themselves well to functional programming (best example: the PL and verif/analysis field). I highly value Prolog and Setl for reasoning, toying and domain guessing, checking and verification. I like Python insofar as it’s the least dirty of the big script languages (and now even has static types available) but I use that only for really quick and dirty and basically throw away after use code. I would like Haxe/neko a lot more if they were not so obscenely flash oriented (also in tools).

For work, however, it’s pretty much Ada and (paranoid, anally defensive mode and extensively checked and cross-checked) C.

If, as you say, it’s a question of mindset, there is no wrong

Unfortunately there is a wrong. Just look at all the deep and wide sh*tholes the C mindset has landed us in.
And no, it’s not about opinion. Re. opinion I’d agree with you, but in our case there is a ruler built in along which to measure. After all we’re not talking as philosophers but as engineers and not as theoreticians but in the context of major gaping security holes.

Let us have that discussion again when you can tell me that using (widely available) communication channels that are provably secure and confidential (which includes trustworthy hardware, too). Until we have reached that point I will stay a paranoid, strongly principled, often unnerving a**hole and take the liberty of calling 99% of C/C++/java and the like developers irresponsible fumblers and gamers.

But C has a for loop of a different type. Among other things, it lets you specify the initial state, the condition, and how the state changes after each iteration in one place. It’s not about executing a block of code once for each element; conceptually, it’s more like a while loop. The choice between the two, and the resulting idioms, is then one of style.

One can look at it that way but I’d strongly advise against it. “Until the day that the sun will not rise in morning thou shallst …” is a very different concept than “for each of the animals in thy herd thou shallst …”. It is the (mistaken) very C mindset to look at everything from the practical side (having or not having understood the concept and logic behind it).

The C mindset is “Often one has to do something for a series of something, e.g. adding 5 to it. Let’s have a construct that allows for that with as little typing and fuzz as any possible”. The C mindset is to say “well there’s some kind of walker variable which changes after each step. Let’s handle that effectively, too”.

In the end C’s ‘for’ is considered by most as a “tight comfort version of ‘while’ for array and suchlike”.

Everything before the last sentence is about code organization, which is a question of style.

No. It’s a question of logic and engineering. That’s why I “underlined” that the two branches are quite different. Moreover, if the function didn’t work the variable might be in an unreliable state, depending on how the called function works inside; read, for example might or might not make sure that any parameters (one of which is a pointer, i.e. directly accessible mem.) as well as its own internal state might be reasonable and consistent or it might as well just panic and throw -1 at you. Keep in mind that seen from read’s perspective that -1 is all it ows you as errno was already set for more information.

“full” … This is abject nonsense

Sorry, no. That just shows how mistaken the C mindset is. In C there is no guarantee and basically not even anything known about a buffer. And indeed – how surprising (not)! – the noise function we looked at does not even check for NULL.

To keep that unpleasant thing short: Your view pretty much comes down to social mechanisms, to developers acting responsibly and to not utterly fck up. Because C doesn’t keep you away from creating a clusterfck.

From what I see, today C is more and more split into 2 camps. One, the e.g. Rust camp, understands that relying on programmers to not abuse the carte blanche given by C does obviously not work, so they try to create something like a more reasonable C. And then there is the other camp, who, so it seems, carefully stayed away from books about the underpinning theory and just seeks comfort in absurd assertions.

Which part of “we have arrived in a big and messy clusterf*ck in no small part due to C and C hackzors” do you fail to understand? Isn’t it evident enough?
The noise code I looked at and put here is about as irresponsible, poor, messy and unprofessional as it gets. And you are defending C code that willingly “works” even with a NULL buffer? Absurd!

noise_rand_bytes already has an argument that indicates (up to) how many bytes will be written to the buffer (as does read).

NO. NO, IT DOES NOT. Stop already repeating that nonsense! The size parameter expressly (see comment) say how many bytes it desires.
That may or may not be related to the size of the buffer. FACT is that we now nothing about that buffer. Not its size and not even that it’s existing. You rely on utterly unproven assumption, period. Yes, probably a caller would be sane enough to pass a properly sized buffer. But: Can you know it? No!

You circus has pushed us into a major clusterfck. That’s the bloody reality. Your assumption circus has failed. And you still refuse to at least recognize it as an absurd assumption cabaret. No, you even defend it. In-fcking-credible!

End of discussion.

ab praeceptis • April 27, 2017 7:28 AM

Wael

One can also return a pointer to a structure. Say, is [0,0,0,0,0,0] an empty buffer or is it a buffer of six random numbers that happen to be zero?

It’s 6 bytes of 0. The programmer and the language can consider it many things, i.a. as an initialized char buffer or even as a struct that happens to consist of 6 byte integers (in C parlance ‘char’). The degree of – btw. usually dangerous – freedom is largely defined by the language. In C one can make pretty everything mean pretty anything whereas in, say Ada, one would be strongly limited by strong static typing.

It’s good that Clive Robinson brought this up as this boundary (language – compiler code – hw) is indeed an important one. Plus, there are many other issues such as cache line sizes, available registers, etc.

ab praeceptis • April 29, 2017 7:27 AM

Ratio

openssl != OpenBSD plus: Being bound to posix, OpenBSD developers are limited.

As for caller(callee: getting bufsize from caller callee can make some basic checks. While, of course, the values given (usually) can’t be proven to be correct, you can see them a two forms of communications. One between caller and callee where, of course, caller can lie but that’s still better than “don’t know. shut up, just trust”. Plus a communication with the programmer who, by handing over a bufsize, is in the situation to expressly think about it.

Like thus: a) “Here’s a buffer. Put x bytes into it. Don’t ask, don’t think, just obey” vs b) “Here’s a buffer of size s. Put x bytes into it” (desirable: “and then let me know whether everything went OK”).

“Developing reasonably safe code in C is not possible? Or is it harder?” – It is possible but not in the way C code is created and handled in > 99% of cases. noise is just another bad case.
Which brings me to my final point and maybe the reason why the two of us differ so strongly:

Reasonably safe code in C is – as far as I’m concerned – necessarily and unconditionally verified (annotated and checked) code. Which i.a. translates to “Yes, bufsize can be checked and is“. It btw, also translates to the verifier shouting at you if you dare to not expressly give a bufsize. Being at that, so do even lowly Misra checkers and the like.

ab praeceptis • April 30, 2017 6:06 AM

Clive Robinson

I seem to be the bad guy around here, the one with whom one likes to quarrel before taking any point, no matter how evident. You, on the other hand, are the well accepted, well liked, well (and soft) mannered, always friendly and patient (plus native english speaker) man with lots and lots of knowledge around here.

Maybe they’ll take it from you. I’d hope so.

Thanks also for hinting that well designed languages aren’t slow anymore. And btw. I remember the old Turbo Pascal times; yes, I could do somewhat faster code in C but generally speaking Turbo Pascal code was certainly not slow.
And frankly, those “If you need fast code you need a powerful hardcore language (usually meaning C) and not a whimpy safety obsessed one like Pascal” isn’t exactly bright anyway. That attitude is quite similar to vendors showing performance graphs with a large offset so as to make their product look much superior when, in fact, the difference is rather small.

Why? I sometimes needed something (like e.g. md5) really fast. In those cases I invariably turned to ASM. Speed gains (vs. C -O2) were 5 to 10 times faster and even 50 times faster are not unheard of.

So, when putting things properly into perspective the difference between C and Pascal, Modula, Ada are ridiculous and insignificant anyway – but with C being one the ugly side in terms of reliable and safe code.

Being realistic and bringing the real costs of development and of bugs into the equation, Pascal or Ada shine and might well be the real winners.

ab praeceptis • May 2, 2017 9:17 AM

Ratio

I’ll end this now. It’s obvious that you keep on just to somehow “win” no matter what. Moreover, pardon me, it’s obvious that you either haven’t understood some relevant and important concepts or don’t care about them.

You think doing safe, let alone secure software in C and in the “common C style” is great? No problem, I wish you lots of fun with noise, openssl, and other fruits of C hacking.
Have a nice day.

ab praeceptis • May 2, 2017 8:37 PM

Ratio

No further comment. Have a nice day.