Firewall Wizards mailing list archives

Re: FWTK and smap/smapd


From: Brian Hatch <firewall-wizards () ifokr org>
Date: Fri, 19 Jul 2002 10:21:56 -0700



Security critical code shouldn't be commented. :) It should either be
sufficiently obvious or the auditor should be sufficiently skilled that
comments aren't needed -- besides they just serve as distractions. :)

If you don't have comments, your comments and your code are never
in disagreement!!! :)

However the one thing that is usually lacking in code is
the assumptions made by the author.  If those assumptions
turn out to be false (later versions of a protocol change
expected values, for example) then it's a lot easier to
re-examine code by seeing how those assumptions affect the
original code.

I've too often seen cases where someone writes code to be
run as a normal user, and expects that the user could try
buffer overflows, bad arguments, etc, and break the program,
but then they'd only get their own access back anyway.  Then
along comes someone else and wants to make it setuid, daemonize
it, etc.  If there's already a list of assumptions about where
the program can fail, it's a lot easier for this person to secure
it in the new extra-privileged environment.

(You could argue that they should start from scratch, however, and
you'd be right.)

Comments about code that is not bad in the current version but
could be if other dependencies or situations differ are *always*
a good idea.


--
Brian Hatch                  "Are you expected?"
   Systems and               "No.  Dreaded."
   Security Engineer
http://www.ifokr.org/bri/

Every message PGP signed
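The point above about recording the author's assumptions can be carried one step further: an assumption that matters for security (here, "this program is never installed setuid or setgid" and "arguments are as short as a user would type") can be written down as a comment and also checked at startup, so that a later change of deployment fails loudly instead of quietly creating a privilege boundary the code was never hardened for. The following is an added example written for this page; it is not code from Brian's message or from FWTK/smap, and the program, its `ASSUMPTION` comments and the `NAME_MAX_LEN` bound are constructed for illustration.

```c
/* Added example (not from the original post or from FWTK): a small
 * program that records its privilege assumptions as comments AND
 * checks them at startup, so that if someone later installs it
 * setuid or runs it from a daemon, the violated assumption is
 * reported instead of silently becoming a privilege boundary. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* ASSUMPTION 1: this program runs with the invoking user's own
 * credentials only. Nothing here is hardened against a hostile
 * caller, because the caller would only gain access they already
 * have. Returns 1 if the assumption holds, 0 if it does not. */
int assumption_same_user(uid_t real_uid, uid_t effective_uid,
                         gid_t real_gid, gid_t effective_gid)
{
    return real_uid == effective_uid && real_gid == effective_gid;
}

/* ASSUMPTION 2: argument lengths are bounded by what an interactive
 * user would type. The copy below is safe only while that holds,
 * so the bound is enforced rather than trusted. Returns 0 on
 * success, -1 if the argument would not fit (constructed limit). */
#define NAME_MAX_LEN 32
int copy_name(char dst[NAME_MAX_LEN], const char *src)
{
    size_t n = strlen(src);
    if (n >= NAME_MAX_LEN)
        return -1;   /* assumption violated: refuse, do not truncate silently */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Startup gate: evaluates ASSUMPTION 1 against the live process
 * credentials. Returns 1 if running is safe, 0 otherwise. */
int preconditions_hold(void)
{
    return assumption_same_user(getuid(), geteuid(), getgid(), getegid());
}

int main(int argc, char **argv)
{
    char name[NAME_MAX_LEN];

    if (!preconditions_hold()) {
        fprintf(stderr,
                "refusing to run: effective credentials differ from real ones\n"
                "(this program assumes it is NOT setuid/setgid; see ASSUMPTION 1)\n");
        return EXIT_FAILURE;
    }
    if (argc > 1 && copy_name(name, argv[1]) != 0) {
        fprintf(stderr, "argument too long (limit %d bytes); see ASSUMPTION 2\n",
                NAME_MAX_LEN - 1);
        return EXIT_FAILURE;
    }
    printf("hello, %s\n", argc > 1 ? name : "world");
    return EXIT_SUCCESS;
}
```

The comments name the assumption and the check enforces it; if the binary is later made setuid, `preconditions_hold()` fails and the error message points the new maintainer at exactly the assumption that no longer holds, which is the re-examination the post describes.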
