English_topic_1_kurs / Study guide for developing English reading skills for first-year students of ФРЭ (.doc)

Secure Coding

If the operating environment is not based on a secure operating system capable of maintaining a domain for its own execution, capable of protecting application code from malicious subversion, and capable of protecting the system from subverted code, then high degrees of security are understandably not possible. While such secure operating systems are possible and have been implemented, most commercial systems fall in a “low security” category because they rely on features not supported by secure operating systems (such as portability and others). In low security operating environments, applications must be relied on to participate in their own protection. There are “best effort” secure coding practices that can be followed to make an application more resistant to malicious subversion.

In commercial environments, the majority of software subversion vulnerabilities result from a few known kinds of coding defects. Common software defects include buffer overflows¹, format string² vulnerabilities, integer³ overflow, and code/command injection. Some common languages such as C and C++ are vulnerable to all of these defects. Other languages, such as Java, are more resistant to some of these defects, but are still prone to code/command injection and other software defects which facilitate subversion. Recently another bad coding practice has come under scrutiny: dangling pointers⁴. The first known exploit for this particular problem was presented in July 2007. Before this publication the problem was known but considered to be academic and not practically exploitable. In summary, “secure coding” can provide significant payback in low security operating environments, and is therefore worth the effort. Still, there is no known way to provide a reliable degree of subversion resistance with any degree or combination of “secure coding”.

Notes:

¹ buffer overflow – a programming error that occurs when there is no automatic check, or an insufficient one, that data write operations stay within the bounds of an array in memory;

² format string – a string used in output statements that may contain format specifications as well as literals;

³ integer – a whole number; a built-in simple data type;

⁴ dangling pointer – a pointer to a nonexistent (deleted) object; a hanging pointer.

  1. Name the main problem of the text.

  1. Make questions to the text to interview your partner about secure coding.

  1. Express your attitude to the facts given in the text. You may use the following phrases:

‑ It is full of interesting information …

‑ I find the text rather / very cognitive …

‑ I’ve learnt a lot …

‑ I don’t agree with …

  1. Give your point of view on the possibility of using the information presented in the text in your future profession.

Part C

  1. Read the title of the text and say what information is presented in it.

  1. Read the title of the text and express your point of view on its main idea.