Firewall Wizards mailing list archives

Re: FWTK and smap/smapd


From: Joseph S D Yao <jsdy () center osis gov>
Date: Fri, 19 Jul 2002 01:08:43 -0400

On Thu, Jul 18, 2002 at 05:46:38PM -0400, Marcus J. Ranum wrote:
> Joseph S D Yao wrote:
> > However, my major contribution to the consolidated patch - besides
> > removing a lot of bugs - was to put in a lot of comments.  "It is
> > obvious" that very little code is self-explanatory.  ;-)
>
> Security critical code shouldn't be commented. :) It should either be
> sufficiently obvious or the auditor should be sufficiently skilled that
> comments aren't needed -- besides they just serve as distractions. :)
>
> If you don't have comments, your comments and your code are never
> in disagreement!!! :)

That attitude was kind of obvious throughout FWTK, if you don't mind
my saying so.  ;-)  But so were some errors, once I wrote down what the
code "should be" [IMHO] doing.

Here's a shocker: ALL CODE IS CORRECT!

Why do I say that?  Because all code does what it says it does!

But "it is obvious" to us that some code is incorrect - that is, it
doesn't do ... something.  What is that something?  It is what the code
"should be" doing.  This is culled from the RFCs, from the desires of
the Elders, from the contract given us by Those Who Pay Our Bills.

And I write this up in the commentary, and set it next to the code.

NOW, we have something that could be incorrect!  It could be incorrect,
because the individual documented actions inside the function do not do
what the commentary at the beginning of the function says that it does
- the algorithm is incorrect.  Or, it could be incorrect because the
code next to the commentary inside the function does not do what that
function says - the algorithm is correct, but the implementation is
wrong.  Or, it could be incorrect because the possible allowed inputs
are much more broad than the correctly implemented algorithm can
correctly handle - the interface is wrong, perhaps causing buffer
overflows.  It can be incorrect, in short, because now there can be an
internal contradiction between one expression of the program - the
commentary - and another - the code.

This is a gross oversimplification of a much more complex taxonomy of
errors, but I hope that I have caused you to consider that without
commentary providing what you might call the specifications or design,
or the social contract between the programmer and the user, there is
nothing against which you can hold a piece of code and say, "THIS IS
WRONG!"  Code is amoral; it has an inherently situational ethic; such
that even the grossest of buffer overflows can only lead us to conclude
that the code does it, therefore the code does it.  We must provide and
communicate the moral absolutes against which the code is measured
right or wrong.  And we can communicate this on dead trees, or in
living commentary.

Eh?  ;-)

-- 
Joe Yao                         jsdy () center osis gov - Joseph S. D. Yao
OSIS Center Systems Support                                     EMT-B
-----------------------------------------------------------------------
   This message is not an official statement of OSIS Center policies.
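An added illustration of the point above (not code from the thread or from FWTK): a header-field copy routine of the kind an smap-style proxy contains, with its contract written as commentary and then restated as a check, so that an implementation which silently contradicts the commentary can be caught. FIELD_MAX, the function names and the sample header values are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 16   /* constructed: small so the "too long" case is easy to hit */

/* copy_field: copy the header value `src` into `dst[FIELD_MAX]`.
 * Contract (the commentary the post argues for):
 *   - src is any NUL-terminated string, of any length (the interface);
 *   - if strlen(src) < FIELD_MAX: dst is a NUL-terminated copy, return 0;
 *   - otherwise: dst is left as "" and -1 is returned;
 *   - dst is never written beyond FIELD_MAX bytes. */
int copy_field(char dst[FIELD_MAX], const char *src) {
    size_t n = strlen(src);
    if (n >= FIELD_MAX) {      /* input broader than the buffer: refuse, don't overflow */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);   /* n + 1 includes the terminating NUL */
    return 0;
}

/* A variant that contradicts its own commentary: it never overflows, but it
 * silently truncates long values and reports success, which the contract
 * above forbids. Held against the commentary, it is wrong. */
int copy_field_truncating(char dst[FIELD_MAX], const char *src) {
    strncpy(dst, src, FIELD_MAX - 1);
    dst[FIELD_MAX - 1] = '\0';
    return 0;
}

/* The contract restated as code: returns 1 if the outcome (dst, rc) for
 * input src agrees with the commentary, 0 if code and commentary disagree. */
int contract_holds(const char dst[FIELD_MAX], const char *src, int rc) {
    size_t n = strlen(src);
    if (n < FIELD_MAX)
        return rc == 0 && strcmp(dst, src) == 0;
    return rc == -1 && dst[0] == '\0';
}

int main(void) {
    char d[FIELD_MAX];
    const char *longval = "Received: from a very long host name";  /* constructed */
    int rc = copy_field(d, longval);
    printf("copy_field: rc=%d contract=%d\n", rc, contract_holds(d, longval, rc));
    rc = copy_field_truncating(d, longval);
    printf("copy_field_truncating: rc=%d contract=%d\n", rc, contract_holds(d, longval, rc));
    return 0;
}
```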