WebApp Sec mailing list archives

RE: Code Complexity vs. Security


From: "Michael Silk" <michaels () phg com au>
Date: Mon, 26 Jul 2004 09:19:29 +1000

Hi guys,

        I would suggest that the size (loc or bytes) of the code 
        could in fact *reduce* complexity of the application.

        Consider this little sample of code (java):
        -----------------------------------------------------------
        while(tmp > (k / 10)){
                result[size--] = NUM_WORDS[ ((tmp % k) / (k / 10)) ];
                k *= 10;
        }
        -----------------------------------------------------------
        

        There is a heap of stuff packed into one line there, and
        in fact there is a small error that would result in this
        program returning 10 times less the amount of money you
        are supposed to get.

        If the snippet was expanded to:
        ----------------------------------------------------------
        while(tmp > (k / 10)){
                size = size - 1;

                int numIndex = (tmp % k) / (k / 10);
                result[size] = NUM_WORDS[numIndex];

                k = k * 10;
        }
        ----------------------------------------------------------

        The problem goes away.

        I would suggest that almost all programming errors (and
        hence security problems) come from some programmer attempting
        to be "smart" and reduce the size of his/her code.

        So to suggest that the second snippet is more "complex" and
        "prone to security bugs" than the first would seem to be
        completely incorrect.

--Michael
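Two of the metrics discussed in this thread, lines of code and McCabe's cyclomatic complexity, measured side by side on small Python functions. This is an added example, not code from any poster; the three sample functions are constructed, two of them being a compact and an expanded form of the same loop in the spirit of the Java snippets above.

```python
import ast

# Constructed samples (not from the thread): one loop written compactly and
# the same loop expanded one statement per line, plus a branchier function.
COMPACT = '''
def render(n, words):
    out = []
    while n > 0:
        out.append(words[n % 10]); n //= 10
    return out
'''

EXPANDED = '''
def render(n, words):
    out = []
    while n > 0:
        digit = n % 10
        word = words[digit]
        out.append(word)
        n = n // 10
    return out
'''

BRANCHY = '''
def classify(n):
    if n < 0 and n % 2:
        return "neg-odd"
    elif n < 0:
        return "neg-even"
    return "non-neg"
'''

def lines_of_code(src: str) -> int:
    """Count non-blank, non-comment source lines (the 'LOC' metric)."""
    return sum(1 for line in src.splitlines()
               if line.strip() and not line.strip().startswith("#"))

def cyclomatic_complexity(src: str) -> int:
    """McCabe cyclomatic complexity: 1 + number of decision points."""
    tree = ast.parse(src)
    cc = 1
    for node in ast.walk(tree):
        # Each branching statement or loop adds one path through the code.
        if isinstance(node, (ast.If, ast.For, ast.While, ast.IfExp,
                             ast.ExceptHandler, ast.comprehension)):
            cc += 1
        # Each 'and'/'or' operand beyond the first is a short-circuit branch.
        elif isinstance(node, ast.BoolOp):
            cc += len(node.values) - 1
    return cc
```

The expanded loop has more lines than the compact one but the same cyclomatic complexity, while the shorter branchy function scores higher on complexity than either, which is why the two metrics should not be read as interchangeable.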


-----Original Message-----
From: Mark Curphey [mailto:mark () curphey com]
Sent: Sunday, 25 July 2004 11:01 PM
To: 'David King'; webappsec () securityfocus com
Subject: RE: Code Complexity vs. Security


Dave,

Thanks. I just read that. 

Java bytecode and MS IL make KLOCs (thousand lines of code) a somewhat
interesting metric when used alone IMHO. I was thinking I could write a
class with a switch statement that could skew the bugs per KLOC compared to
if I wrote it using a different technique. It was actually this that lead me
to thinking about complexity in the wider sense of the term rather than just
size. I guess you could say that size = complexity and I agree but in this
case I was thinking about this type of definition
http://www.sei.cmu.edu/str/indexes/glossary/complexity.html

I was trying to see if any studies had been done correlating software
security quality with complexity and security by looking at things like;

the number of methods per class 
number of attributes and operations on a class

CMU has a maintainability index and cyclomatic complexity
http://www.sei.cmu.edu/str/descriptions/cyclomatic_body.html that looks like
the sort of comparator I was looking for. 

Interesting study I think ;-)

-----Original Message-----
From: David King [mailto:davewking () gmail com] 
Sent: Sunday, July 25, 2004 1:59 AM
To: webappsec () securityfocus com
Subject: Re: Code Complexity vs. Security

I remember there was a section on this near the beginning of the book
"Exploiting Software: How to Break Code" (Greg Hoglund and Gary McGraw).  If
I remember right they cite a couple of studies and they seem to believe the
number of lines of code is one of the best indicators of the number of
bugs the software will have.

Dave King
www.thesecure.net

On Sat, 24 Jul 2004 20:36:07 -0600, David King <davewking () gmail com> wrote:
I remember in the book "Exploiting Software: How to Break Code" (Greg 
Hoglund and Gary McGraw) there was a section on this near the 
beginning of the book.  If I remember right they cite a couple of 
studies and they seem to believe the number of lines of code is 
one of the best indicators of the number of bugs the software will 
have.

Dave King
www.thesecure.net



On Fri, 23 Jul 2004 21:25:20 +0000, Gunnar Peterson 
<gunnar () arctecgroup net> wrote:
Dan Geer's Blackhat Windows keynote talk last January charted lines 
of code against vulnerabilities over time. LOC is not complexity per 
se, but it is an indicator.



Quoting Mark Curphey <mark () curphey com>:

Has anyone seen any good studies that analytically compare the 
security quality of code to code complexity ?




