Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Facebook Programming The Almighty Buck

Facebook Awards Researchers $100k For Detecting Emerging Class of C++ Bugs 73

An anonymous reader writes: Facebook has awarded $100,000 to a team of researchers from Georgia Tech University for their discovery of a new method for identifying "bad-casting" vulnerabilities that affect programs written in C++. "Type casting, which converts one type of an object to another, plays an essential role in enabling polymorphism in C++ because it allows a program to utilize certain general or specific implementations in the class hierarchies. However, if not correctly used, it may return unsafe and incorrectly casted values, leading to so-called bad-casting or type-confusion vulnerabilities," the researchers explained in their paper.
This discussion has been archived. No new comments can be posted.

Facebook Awards Researchers $100k For Detecting Emerging Class of C++ Bugs

Comments Filter:
  • Most casting errors will be caught at runtime. For the rest theres dynamic_cast though people tend to be too lazy to use it. Thats not a fault of the language.
    Obviously if you use C style casts then you pays your money...

    • by Viol8 ( 599362 )

      That should have read "caught at compile time"

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      dynamic_cast requires RTTI, which means you're a bit optimistic to say "Most caught at compile time, for other casts use dynamic_cast".

      Of course, templates mean that the compiler can substitute actual types. That gives you compile-time polymorphism instead of runtime polymorphism, and that in turn means you're increasingly right that most cast errors are caught at compile time. The price is unfortunately even longer compile times. Guess why I'm posting right now....

  • by Anonymous Coward on Thursday August 13, 2015 @08:05AM (#50308301)

    Thankfully, I only use FOSS software which is not vulnerable to this problem. Many eyes are sure to catch anything like this in the rigorous peer reviews that happen on every commit.

    • by Anonymous Coward

      We have applied CAVER to largescale software including Chrome and Firefox browsers, and discovered 11 previously unknown security vulnerabilities: nine in GNU libstdc++ and two in Firefox, all of which have been confirmed and subsequently fixed by vendors.

    • Thankfully, I only use FOSS software which is not vulnerable to this problem. Many eyes are sure to catch anything like this in the rigorous peer reviews that happen on every commit.

      In case any readers are not seeing this statement as sarcasm, this award was given because the group found eleven previously unknown security vulnerabilities in open source code. Although "many eyes" are better than few eyes, is is naive to believe that open source code is flawless just because it is open source.

      • by Anonymous Coward

        Actually, it's more of a troll than sarcasm.

        • Perhaps it is somewhat of a troll, but also makes a valid point. (I happen to like the sarcasm as well). We would like to think that all bugs are shallow given enough eyes. It's a reasonable mantra. And closed-source software has a history of eyes being intentionally closed (and the CSO getting mad at you for reporting bugs). Simple things like forgetting to close a file can be found through sheer determination. If the software is small enough for somebody to understand the whole thing, even the more
  • by Anonymous Coward

    And Stroustrup coming in 3.. 2.. 1..

  • No they haven't (Score:4, Informative)

    by Burdell ( 228580 ) on Thursday August 13, 2015 @08:08AM (#50308325)

    They haven't awarded anything to "Georgia Tech University", because there is no such thing. Georgia Tech is an institute; the Georgia Institute Of Technology.

    • by fnj ( 64210 )

      I once saw a clueless idiot write "University of Boston" for "Boston University".

  • Variable types are interpreted dynamically during runtime in Perl, depending on how the variable is called.

    Sorry, I couldn't resist...
  • by Ed Tice ( 3732157 ) on Thursday August 13, 2015 @08:50AM (#50308591)
    I actually read the paper (okay, mod me down). Java and .Net have very strong runtime typing systems. C/C++ does not. Adding one is a bit tricky because there are certain things that are legal in C/C++ and not Java. Specifically, it's okay to cast between two classes that are non-polymorphic (unrelated from a type system perspective). Also C/C++ applications often have some additional performance requirements. They've created a runtime typing system and then a mechanism (probably a pre-processor) that can cause static_cast and dynamic_cast to instead use their casting mechanism. You turn it on for debug and off for release. We already have things like debug heaps to look for memory corruption at a small performance cost why not also have a debug type checking system. And, of course, since it gets switched off in production builds, it doesn't have the runtime performance costs. It's one of those things that is obvious as soon as somebody does it. Those are often some of the best advances as they can have a lot of impact quickly.
    • static_cast does not allow casting between unrelated pointer types, you need reinterpret_cast for that.
      reinterpret_cast is known to be dangerous and is therefore avoided.
      There is also the C-style cast, which is even more dangerous than reinterpret_cast.

    • Casting is a problem, true enough, but how do you exploit that? Is that a viable problem?
  • If security is their concern, they could also use an inherently safer language like e.g. Ada instead. Just saying...

  • by Anonymous Coward

    Ain't no such animal as "Georgia Tech University." There is only Georgia Tech or the Georgia Institute of Technology, or the University of Georgia.

  • OMFG! (Score:2, Informative)

    by jimpop ( 27817 ) *

    1) learn something that older people learned decades ago

    2) write document warning people, who ignored history..., of the dangers!!

    3) profit!

    • 1) learn something that older people learned decades ago

      2) write document warning people, who ignored history..., of the dangers!!

      3) profit!

      They also built a tool to check potentially-dangerous casts. One we haven't had before.

      • by jimpop ( 27817 ) *

        Many a tool builder has come along to build tools to overcome failures. Fuzzing, or whatever you call it, is just a poor man's method of finding errors (the real problem) in some code. Glorified greps.

        • Their tool isn't a fuzzer, it's a run-time cast checker -- to find the real error.
        • Re:OMFG! (Score:4, Informative)

          by Ed Tice ( 3732157 ) on Thursday August 13, 2015 @05:58PM (#50312731)
          Fuzzing and grepping are entirely different things. If your original post hadn't gotten modded up, I probably wouldn't even respond. Fuzzing is a mechanism where cleverly malformed data is sent to an application or even a piece of hardware to see how it responds. Things like an invalid message with a proper authentication code. It's a pretty effective form of testing. In this context your comment might as well be. "Testing your software is just a poor man's method of finding errors (the real problem) in some code. Glorified greps." Ideally we aren't writing defects and are bug-free before a testing cycle, but that rarely (if ever) happens. Even if there are no verification defects there may be validation concerns. Both this and fuzzing are *dynamic* tools. Grep is a static tool although I don't know how it could possibly be employed in finding all but the most trivial defects. There are sophisticated static tools out there as well. (See FindBugs for an open source example of one). But these have nothing in common with grep.
          • by jimpop ( 27817 ) *

            There is a vast difference between buggy code and poorly written code. The article and subject are about finding faults in poorly written code, which is something good programmers (and ones who are aware of a language's pitfalls and nuances) rarely produce. Testing is for finding bugs, rarely does testing involve analyzing code for purity.

            • I realize that you want to believe this and I hate to be the one to burst your bubble so to speak but the fact is that these types of defects exist in almost any non-trivial piece of software. However, rather than go back and forth, how about you offer up some code that you've written and we'll run some of the tools you so dislike. If your code comes out "clean," I'll concede the point. But I'm confident that won't happen. In any event these tools are still not glorified grep and it's not information th
              • by jimpop ( 27817 ) *

                I believe you are misconstruing what I've been saying. Tools are great, but they are no replacement for good solid code. Complex systems, or not, shouldn't contain the coding errors (they aren't bugs) that this and other fuzzing tools do find. Having, and awarding for such tools, leads, I believe, to an ecosystem of acceptability for poor coding. The correct avenue is to audit code and correct bad habits....but that takes deep knowledge of C/C++.

                • You keep saying things like "This and other fuzzing tools" even though it's been pointed out in this thread numerous times that the tool in the paper is not a fuzzing tool and it isn't even close. This tool is finding bugs, not coding errors. It's finding a situation where one object type is cast to another but at some point that cast has become incompatible but the compiler can't catch it. If the compiler can't catch it, it's unlikely that a human audit is going to do so. You would have to continuously
                  • by jimpop ( 27817 ) *

                    > You need to know the application domain and all parts of it.

                    I agree with that, 100%! I'm not doubting some of your statements, but you seem to be missing my main point. Forget fuzzing, type casting, tool sets, etc., I'm just arguing for purity in code as a better long term solution than post-processing object code.

  • plays an essential role in misusing polymorphism in C++

    Here, FTFY. Kids, if you cast, you are doing polymorphism wrong.

  • by msobkow ( 48369 ) on Thursday August 13, 2015 @11:51AM (#50310101) Homepage Journal

    If your interface "classes" don't define all the methods you need to access an object, your architecture is screwed up. If you have to do typecasting, the interface should provide a method which is used to identify the correct class/interface for casting.

    Casting without knowing what kind of object you're dealing with isn't a "bug" -- it's a shitty developer writing crap code who should be fired.

    • by msobkow ( 48369 )

      Note: "struct" overlays are another issue entirely, but even they should have a header field that lets you know how to cast the overlay.

  • with the language itself, or an issue that boils down to the coders, and how attentive they are to the vulnerabilities while they are producing the code for whatever they are working on?

    My thought is that it is the latter (that it boils down to the coders, and their attentiveness + planning out their work to avoid such issues, but that's just one opinion.
    • It's something of an "attractive nuisance" feature. It makes it easy to write bad code. There's a lot of those in C++, if less than there used to be.

      The problem is with downcasts, from superclasses to subclasses. If you use dynamic_cast, you get the null pointer for invalid casts, so if you test for that in your code everything's fine. (If you don't test in your code, you'll probably find out fairly fast anyway, since you'll be trying to dereference nullptr.) However, dynamic_cast is often too slow.

      • I see what you mean, and learned quite a bit from your post. I never considered that before. Been a while since I actually learned things from a conversation on Slashdot (versus bickering over mindless crap).

Real programmers don't comment their code. It was hard to write, it should be hard to understand.

Working...