On Thu, 7 Mar 2024 at 23:29, Rand Deeb <rand.sec96@xxxxxxxxx> wrote: > > > On Fri, Mar 8, 2024 at 12:39 AM Michael Büsch <m@xxxxxxx> wrote: > > > The point is that leaving them in is defensive programming against future changes > > or against possible misunderstandings of the situation. > > Dear Michael, I understand your point. It's essential to consider defensive > programming principles to anticipate and mitigate potential issues in the > future. However, it's also crucial to strike a balance and not overburden > every function with excessive checks. It's about adopting a mindset of > anticipating potential problems while also maintaining code clarity and > efficiency. > > > > I understand and respect your point of view as software engineer but it's a > > > matter of design problems which is not our case here. > > > > No, it very well is. > > I'm talking about your phrase "Not having these checks is a big part of why > security sucks in today's software." > I think it's a matter of design problem, when you don't have a good design > of course you'll need to add so many checks everywhere. > Let me explain my point of view by example, > > // Good design Note: I am not so sure that this is Good design. > CHECK(x){ > if x != null && x is a number > return true; > else return false; > } > MULTIPLY(a, b){ > return a*b; > } > SUM(a, b){ > return a+b; > } > .... > MAIN(){ > // input a, b > CHECK(a); > CHECK(b); > // now do the operations > SUM(a, b) > MULTIPLY(a, b) > } > > // Bad design > SUM(x, y){ > if x != null && x is a number > return x+y; > } > MULTIPLY(x, y){ > if x != null && x is a number > return x*y; > } > ... > The reason it is probably not a good design is what comes later. Another developer comes along and says I see a nice SUM(a, b); function that I would like to re-use in my new function I am adding. But that new developer introduces a bug whereby they have implemented their CHECK(a) wrongly which results in SUM(a, b) now being a security exploit point because of some very subtle bug in CHECK(a) that no one noticed initially. After a while, we might have ten functions that all re-use SUM(a, b) at which point it becomes too time consuming for someone to check all ten functions don't have bugs in their CHECK(a) steps. It is always easier for the safety checks to be done as close as possible to the potential exploit point (e.g. NULL pointer dereference) so that it catches all future cases of re-use of the function. For example, there exist today zero day exploits in the Linux wireless code that is due to the absence of these checks being done at the exploit point. The biggest problem with all this, is if I sutily (without wishing to give away that it is to fix a zero day exploit) submitted a patch to do an extra check in SUM(a, b) that I know prevents a zero day exploit, my patch would be rejected.