WebApp Sec mailing list archives
RE: Code Complexity vs. Security
From: "Michael Silk" <michaels () phg com au>
Date: Mon, 26 Jul 2004 09:19:29 +1000
Hi guys, I would suggest that the size (loc or bytes) of the code could infact *reduce* complexity of the application. Consider this little sample of code (java): ----------------------------------------------------------- while(tmp > (k / 10)){ result[size--] = NUM_WORDS[ ((tmp % k) / (k / 10)) ]; k *= 10; } ----------------------------------------------------------- There is a heap of stuff packed into one line there, and infact there is a small error that would result in this program returning 10 times less the amount of money you are supposed to get. If the snippet was expanded to: ---------------------------------------------------------- while(tmp > (k / 10)){ size = size - 1; int numIndex = (tmp % k) / (k / 10); result[size] = NUM_WORDS[numIndex]; k = k * 10; } ---------------------------------------------------------- The problem goes away. I would suggest that almost all programming errors (and hence security problems) come from some programmer attempting to be "smart" and reduce the size of his/her code. So to suggest that the second snippet is more "complex" and "prone to security bugs" then the first would seem to be completely incorrect. --Michael -----Original Message----- From: Mark Curphey [mailto:mark () curphey com] Sent: Sunday, 25 July 2004 11:01 PM To: 'David King'; webappsec () securityfocus com Subject: RE: Code Complexity vs. Security Dave, Thanks. I just read that. Java bytecode and MS IL make KLOCs (thousand lines of code) a somewhat interesting metric when used alone IMHO. I was thinking I could write a class with a switch statement that could skew the bugs per KLOC compared to if I wrote it using a different technique. It was actually this that lead me to thinking about complexity in the wider sense of the term rather than just size. I guess you could say that size = complexity and I agree but in this case I was thinking about this type of definition http://www.sei.cmu.edu/str/indexes/glossary/complexity.html I was trying to see if any studies had been done correlating software security quality with complexity and security by looking at things like; the number of methods per class number of attributes and operations on a class CMU has a maintainability index and cyclomatic complexity http://www.sei.cmu.edu/str/descriptions/cyclomatic_body.html that looks like the sort of comparator I was looking for. Interesting study I think ;-) -----Original Message----- From: David King [mailto:davewking () gmail com] Sent: Sunday, July 25, 2004 1:59 AM To: webappsec () securityfocus com Subject: Re: Code Complexity vs. Security I remember there was a section on this near the beginning of the book "Exploiting Software: How to Break Code" (Greg Hoglund and Gary McGraw). If I remember right they site a couple of studies and they seem to believe the number of lines of code is the one of the best indicators of the number of bugs the software will have. Dave King www.thesecure.net On Sat, 24 Jul 2004 20:36:07 -0600, David King <davewking () gmail com> wrote:
I remember in the book "Exploiting Software: How to Break Code" (Greg Hoglund and Gary McGraw) there was a section on this near the beginning of the book. If I remember right they site a couple of studies and they seem to believe the number of lines of code is the one of the best indicators of the number of bugs the software will have. Dave King www.thesecure.net On Fri, 23 Jul 2004 21:25:20 +0000, Gunnar Peterson <gunnar () arctecgroup net> wrote:Dan Geer's Blackhat Windows keynote talk last January charted lines of code against vulnerabilities over time. LOC is not complexity per se, but it is an indicator. Quoting Mark Curphey <mark () curphey com>:Has anyone seen any good studies that analytically compare the security quality of code to code complexity ?
This email message and accompanying data may contain information that is confidential and/or subject to legal privilege. If you are not the intended recipient, you are notified that any use, dissemination, distribution or copying of this message or data is prohibited. If you have received this email message in error, please notify us immediately and erase all copies of this message and attachments. This email is for your convenience only, you should not rely on any information contained herein for contractual or legal purposes. You should only rely on information and/or instructions in writing and on company letterhead signed by authorised persons.
Current thread:
- Code Complexity vs. Security Mark Curphey (Jul 23)
- Re: Code Complexity vs. Security Gunnar Peterson (Jul 23)
- Message not available
- Re: Code Complexity vs. Security David King (Jul 25)
- Re: Code Complexity vs. Security Suha Demir CAN (Jul 25)
- Re: Code Complexity vs. Security athena (Jul 26)
- Re: Code Complexity vs. Security Ed Moyle (Jul 26)
- Message not available
- RE: Code Complexity vs. Security Mark Curphey (Jul 25)
- Re: Code Complexity vs. Security Adam Shostack (Jul 25)
- Re: Code Complexity vs. Security Gunnar Peterson (Jul 23)
- <Possible follow-ups>
- RE: Code Complexity vs. Security Michael Silk (Jul 25)
- Re: Code Complexity vs. Security Skip Carter (Jul 26)
- RE: Code Complexity vs. Security Wolf, Yonah (Jul 26)
- RE: Code Complexity vs. Security Calderon, Juan Carlos (GE Commercial Finance, NonGE) (Jul 26)
- RE: Code Complexity vs. Security Mark Mcdonald (Jul 26)
- RE: Code Complexity vs. Security Mark Mcdonald (Jul 26)
- RE: Code Complexity vs. Security Michael Silk (Jul 26)
- RE: Code Complexity vs. Security Michael Silk (Jul 26)
- RE: Code Complexity vs. Security Stan Guzik (Jul 27)
- Re: Code Complexity vs. Security Martin Mačok (Jul 28)