Re: Validating a Function Address



Michael C <nospam@xxxxxxxxxx> wrote in message
<OxZqGNZHHHA.1248@xxxxxxxxxxxxxxxxxxxx>...
> I think you're going too far with checks and will get odd side effects.
> You'd need to check it every time you called the function pointer so will
> get a reduction in performance.

You can't go too far with security checks. AFAIK only VC 6.0 has some
compiler switches by which some security checks are added. IMHO the good
performance of non-.NET applications is mainly based on a complete lack of
any security checks. If these apps implemented the necessary security
checks, they would be much slower - like .NET apps.

> If you do happen to find a bad pointer then
> your app will start to malfunction anyway which might cause other odd
> side effects.

No, not in any case. What about, e.g., a pointer to a function in a PlugIn
DLL? If the code pointed to isn't available any longer, this doesn't mean
that the app can't run any longer.

> Extra testing would be required to check for these side effects as
> they might cause loss of data. The general thinking I believe is if you
> get something as serious as an invalid function pointer then your app should
> terminate as something is seriously wrong and continuing might cause a
> loss of data.

I can't see how this can be an argument against always checking the
pointers as far as possible.

--
----------------------------------------------------------------------
THORSTEN ALBERS Universität Freiburg
albers@
uni-freiburg.de
----------------------------------------------------------------------
