Bugtraq mailing list archives

Re: EMERGENCY: new remote root exploit in UW imapd


From: djb () CR YP TO (D. J. Bernstein)
Date: Wed, 29 Jul 1998 09:50:48 -0000


Here's an example of the Dijkstra phenomenon.

Say you're auditing a system for security, and you bump into a call to
accounting(). You search for the definition of accounting(), and find
that it's a short routine that starts by calling logwtmp(). You growl at
the screen, and search for logwtmp(), and eventually find that it's a
ten-line routine in libutil. Now you check that the code is secure.

``That was a tremendous waste of time,'' you say. ``I was completely
unproductive while I was looking for these dinky little accounting() and
logwtmp() functions. I could have used that time to read more code!''

You continue your audit. You bump into logwtmp() again, and check it
again. Then you see accounting() again, which leads you to logwtmp()...
but this time you remember what it does, and you don't have to read it.
After this happens several times, you finally see the light.

``Aha. Modularization saved me time after all,'' you say. ``The bottom
line is that there's less code for me to read. If the library code had
been copied rather than reused, I would have had to check every copy. I
would have read more code but not accomplished as much.''

der Mouse writes:
> modular code usually ends up being slower

There are three misconceptions here.

Misconception #1 is that modularization means moving common code into
subroutines. In fact, modularization need not have any effect on the
compiled program, thanks to macros, inline code, etc. Subroutines are
convenient but not required.

Misconception #2 is that moving common code into subroutines imposes a
speed penalty. In fact, procedure-call overhead is wiped out by cache
effects in any subroutine that does more than a little bit of work.

Misconception #3 is that speed is something programmers should consider
along with security, verifiability, etc. In fact, the computer spends
almost all of its time executing an amazingly small amount of code. For
most programmers, speed simply doesn't matter.

---Dan
Binary qmail distributions are allowed! http://pobox.com/~djb/qmail/dist.html


