flat assembler
Message board for the users of flat assembler.

MenuetOS developers, how do you make your code secure?

wean_irdeh



Joined: 12 Sep 2018
Posts: 12
wean_irdeh 13 Sep 2018, 06:16
Hi devs, I am astonished by your great work! It is such a large-scale fasm system; how do you ensure vulnerabilities won't slip into your code? Thanks in advance.

Also, what's your opinion on the security mitigations available in C compilers, like stack smashing protection, W^X memory protection, and so on?
DimonSoft



Joined: 03 Mar 2010
Posts: 1228
Location: Belarus
DimonSoft 13 Sep 2018, 07:52
I’m not a MenuetOS developer but since my thesis is related to security vulnerabilities I’ll express my view towards tricks like having some elements in the stack used to watch for buffer overruns at runtime.

Since a vulnerability is a property of a program, it is not practical to look for such bugs at runtime. You can’t really do much except shut down if any of these tricks notices a vulnerability.
wean_irdeh



Joined: 12 Sep 2018
Posts: 12
wean_irdeh 13 Sep 2018, 10:44
DimonSoft wrote:
...


Thank you for the answer! How about a program that could exploit a vulnerability in the kernel?
DimonSoft



Joined: 03 Mar 2010
Posts: 1228
Location: Belarus
DimonSoft 13 Sep 2018, 11:36
wean_irdeh wrote:
DimonSoft wrote:
...


Thank you for the answer! How about a program that could exploit a vulnerability in the kernel?

What about it? A vulnerability in the kernel is a property of the kernel and can only be effectively detected and fixed before the kernel runs.
wean_irdeh



Joined: 12 Sep 2018
Posts: 12
wean_irdeh 13 Sep 2018, 11:53
DimonSoft wrote:
...


Thanks! Now I have an adequate answer.
Ville



Joined: 17 Jun 2003
Posts: 284
Ville 13 Sep 2018, 12:20
In the kernel, by making sure that a function behaves in a known manner with all the input parameters, whether the result is the wanted functionality or an error message. This includes access timeouts, parameter limit checks, avoiding memory access conflicts with semaphores (mutex), etc. The same practices which apply to other programming languages.
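The parameter limit checks described in the post above, sketched in C rather than MenuetOS's assembly. This is an added example, not code from this thread or from MenuetOS; the syscall name, error codes, and memory layout are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* All names and limits below are hypothetical; none come from MenuetOS. */
enum { SYS_OK = 0, SYS_EBADPTR = -1, SYS_ERANGE = -2, SYS_ETOOBIG = -3 };

#define USER_BASE  0x1000u   /* constructed start of the user window  */
#define USER_SIZE  0x4000u   /* constructed length of the user window */
#define SLOT_COUNT 8u
#define SLOT_BYTES 64u

static uint8_t user_mem[USER_SIZE];               /* stands in for process memory */
static uint8_t kernel_slots[SLOT_COUNT][SLOT_BYTES];

/* True only if [addr, addr+len) lies inside the user window.
   Uses subtraction so that addr+len is never computed and cannot wrap. */
static int user_range_ok(uint32_t addr, uint32_t len)
{
    if (addr < USER_BASE) return 0;
    uint32_t off = addr - USER_BASE;
    if (off > USER_SIZE) return 0;
    return len <= USER_SIZE - off;
}

/* Syscall-style entry: copy len bytes from user address src into a slot.
   Every combination of the three untrusted parameters ends in either the
   copy or one specific error code; no memory is touched before all checks pass. */
int sys_write_slot(uint32_t slot, uint32_t src, uint32_t len)
{
    if (slot >= SLOT_COUNT)       return SYS_ERANGE;
    if (len > SLOT_BYTES)         return SYS_ETOOBIG;
    if (!user_range_ok(src, len)) return SYS_EBADPTR;
    memcpy(kernel_slots[slot], &user_mem[src - USER_BASE], len);
    return SYS_OK;
}

int main(void)
{
    /* A wrapping pointer/length pair must be rejected, not copied. */
    return sys_write_slot(0, 0xFFFFFFF0u, 32) == SYS_EBADPTR ? 0 : 1;
}
```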
wean_irdeh



Joined: 12 Sep 2018
Posts: 12
wean_irdeh 13 Sep 2018, 15:33
Ville wrote:
...


Thank you for your answer! If I'm not mistaken, you are the main developer of MenuetOS, right? How does developing things in asm compare to C? Because I heard C isn't low level anymore due to requiring a huge compiler to perform a lot of optimization for its performance to be as close to handwritten asm as possible (link: https://queue.acm.org/detail.cfm?id=3212479)
Ville



Joined: 17 Jun 2003
Posts: 284
Ville 13 Sep 2018, 20:35
After a while, you start to think in terms of the programming language you are using. And as long as the programming environment supports the language with an easy API, then programming (in asm) is quite simple. So today, asm for me is simply one programming language among others.
Copyright © 1999-2023, Tomasz Grysztar. Also on GitHub, YouTube.