Testing times for open source


COMMENT
It's rare that Microsoft code gets tested against all comers, and comes out the resounding victor. It's even rarer when the testing involves browser security. But that's just what's happened. A programmer called Michal Zalewski wrote a utility to generate chunks of badly formed HTML - stuff that breaks all the rules - and throw it at a selection of browsers. IE swallowed it all and kept on running. Opera, Firefox, Mozilla and Lynx regularly crashed. His report on Bugtraq makes sobering reading: single-handedly, he's found a whole host of potential exploits in a wide selection of browsers. But none in IE -- how has Microsoft got something so right while everyone else is in trouble?

It's obvious that good software has to do things right. A word processor should turn your deathless prose into a neatly laid out, properly spelled document, while a web browser should take a URL such as www.google.com and send out the right messages to elicit and display that web page. It's not so obvious -- even to programmers who should know better -- that good software needs to do much more than that: it needs to safely reject badly formed input.

It's relatively easy to write software that behaves as it should when it's presented with properly formed input. It's certainly easier to test if you don't try to input that which is obviously wrong. However, it's then easy to convince oneself that your software works - it does, but only in the lab. In reality, if you haven't tested for pathologically bad input data you're releasing a creation with no immune system into a world of mutant aggressors.

I found this out many years ago when I wrote PC network code -- a NetBIOS stack, to be precise. It was my first encounter with many of the concepts of networking, and thus very educational. Finding out that the textbook ISO/OSI seven layer model just didn't work with NetBIOS was a culture shock that to this day has left me cynical about top-down standardisation, One True Ways and other IT fundamentalism: finding out that I wasn't very good at writing network code was also enlightening.

However, after a few false starts I managed to get something that worked. You could find files across the network, open and close them, even execute them -- a point I gleefully demonstrated by persuading five workstations to play almost simultaneously one copy of the Monty Python theme tune done up in a little DOS executable. "Very good," said the boss, wincing slightly (Compaq Portable IIs were not known for their musicality). "But what happens if you ask it for an illegal file name?" "Er," I said. He tried it. It crashed. Silence fell, I went back to my code, and started to work through what might happen if it was fed bad data.

It was an epiphany. Just a few bytes wrong in a file name or a data structure, and my code would crash and burn, taking the operating system with it. Sometimes, it would drag a few files on the hard disk into oblivion as it fell cackling into the chasm. It was then that I learned about defensive programming.

It's hard work. You have to stop thinking in terms of "Here is a document name. Document names are 64 characters long, maximum, and always finish with a zero. So I'll create a buffer of 64 characters and copy the name until I hit zero." Instead, it's "I'll check each character as I get it and see whether it's allowable in document names. If there's no zero by position 64, I'll have to stop and raise an error. Now, how do I handle the error?" That's a lot more to design, implement and test -- but when you've done it, you'll have closed down an entire class of potential error.

Crashes are the least of your problems. These days, there are any number of people finding ways to force-feed active maliciousness into your system through a hole in the way it handles bad data, and unless you program defensively you'll be a soft target. Checking your defensiveness is the hardest problem: you won't have thought of all possible inputs, because you can't. One way is to check for the obvious ones - buffer overflows, bad pointers, memory corruption - and then try and throw as much pseudorandom nonsense at your program as possible, logging as you go - there's no point in triggering a bug if you can't reproduce it. Nonetheless, testing is as big a problem as design.
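As an added illustration (not code from the article or from Zalewski's tool), here is the optimistic 64-byte copy described above beside a checked version, plus a small seeded harness in the spirit of the pseudorandom, logged testing recommended in this paragraph. The 64-character limit is the article's; the allowed-character set and the function names are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_BUF 64   /* "document names are 64 characters long, maximum" */

/* The optimistic copy the article describes: it assumes a zero terminator
 * arrives within 64 bytes. Given 65 bytes with no zero it writes past dst.
 * Shown for contrast only; nothing below calls it. */
void copy_name_naive(char dst[NAME_BUF], const char *src) {
    size_t i = 0;
    while (src[i] != 0) { dst[i] = src[i]; i++; }   /* no bounds check at all */
    dst[i] = 0;
}

/* Defensive version: every byte is checked against an assumed alphabet, the
 * copy stops at the buffer limit, and each failure is reported to the caller.
 * Returns 0 on success, -1 for a disallowed byte, -2 if no terminator appears
 * within dst_len bytes (or src runs out first). */
int copy_name_checked(char *dst, size_t dst_len, const char *src, size_t src_len) {
    for (size_t i = 0; i < src_len && i < dst_len; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c == 0) { dst[i] = 0; return 0; }
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') { dst[0] = 0; return -1; }
        dst[i] = (char)c;
    }
    dst[0] = 0;                 /* never leave a half-copied, unterminated name */
    return -2;
}

/* Wrapper for an ordinary C string (its terminator is included in src_len). */
int check_name(const char *s) {
    char dst[NAME_BUF];
    return copy_name_checked(dst, sizeof dst, s, strlen(s) + 1);
}

/* n copies of c followed by a zero, so the terminator sits exactly at index n. */
int check_run(char c, size_t n) {
    char dst[NAME_BUF];
    char *src = malloc(n + 1);
    if (!src) return -3;
    memset(src, c, n);
    src[n] = 0;
    int rc = copy_name_checked(dst, sizeof dst, src, n + 1);
    free(src);
    return rc;
}

/* Pseudorandom harness: each case is fixed by (seed, iteration), so a logged
 * failure can be replayed. Returns how many cases left dst properly terminated. */
int fuzz_names(unsigned seed, int iterations) {
    char src[4 * NAME_BUF], dst[NAME_BUF];
    int sane = 0;
    srand(seed);
    for (int it = 0; it < iterations; it++) {
        size_t len = 1 + (size_t)rand() % sizeof src;   /* constructed input length */
        for (size_t i = 0; i < len; i++)                /* mostly plausible, some junk */
            src[i] = (rand() % 4) ? "abc.XYZ_09-"[rand() % 11] : (char)(rand() % 256);
        memset(dst, 'X', sizeof dst);                   /* poison so stale data shows */
        int rc = copy_name_checked(dst, sizeof dst, src, len);
        if (memchr(dst, 0, sizeof dst) != NULL) sane++;
        else printf("seed=%u iter=%d rc=%d: unterminated dst\n", seed, it, rc);
    }
    return sane;
}
```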

Microsoft understands this, because it got it wrong for so long. Experience is the best induction into defensive programming, that and a fierce determination to get it right. Microsoft can - must - afford to do stringent and exhaustive testing; the open source community can and must use its strengths to this end too. There is no reason good test methodologies and test suites can't be evolved: Zalewski's savage fluff generator has already proved its worth.

But the most important lesson to learn is to think, design and code defensively. Let's hope open source doesn't learn this the hard way.

Talkback

You're right: good software design needs to validate its input and not just assume everything is happy. Even still, why is Internet Explorer's behavior "good"?

This browser behavior encourages sloppy web development. Would this type of behavior be acceptable in a compiler? Would you be willing to bet there are no bugs/unintentional side-effects in code that the compiler had to "interpret" for you because of a syntax error? What's more, would you consider it "good" that the compiler would not even *warn* you that it encountered unexpected input?

I'm not saying the behavior of the other browsers is better or worse. I am saying that *none* of their behaviors are correct. It would also seem that the W3C agrees with that position because all XHTML browsers are *supposed* to spit out an error when they encounter malformed pages. If not, then XHTML will suffer the same fate as HTML: browser bloat (which is one of the things XML/XHTML was designed to avoid).

via Facebook 21 October, 2004 20:02

Someone found a way to crash FireFox, What's the f**ken deal? Does that mean that IE is more robust or better? Rubbish & silly. you look like someone who enjoys sucking an egg. What a waste.

via Facebook 22 October, 2004 02:13

On a day when two new security vulnerabilities in IE have been discovered, it's a little galling to read this rubbish. Maybe if Microsoft spent less time bending HTML standards and more time on security their browser might be better than Firefox. I haven't found one website that I use regularly that crashes 0.9 of Firefox, and that's still a pre-release version. If I did then surely an email to the site administrator pointing out the error would be welcomed.

Internet Explorer is on version 6 with several patches and it still needs more work.

via Facebook 22 October, 2004 02:44

I work daily with computers using various OSs and browsers. The systems I touch are usually owned by businesses. These days, the bulk (80+%) of desktop PCs I see are Win98, 2K, XP. Some PCs I work with are brought in for repair. In our shop, 8 of 10 machines that come in the door have browser related pests, Trojans, BHOs. Many of these machines have serious problems. Occasionally reloading the PC is the only clean fix.

The trend I see is that people who use IE as a primary browser tend to have more security and reliability related problems. A substantial chunk of our revenue is related to fixing this issue today. This is a fairly recent problem, one I have seen bloom in the last year to a big part of what I do every day.

Those users I have convinced to try an alternative browser seem to me to stay cleaner! In my personal PC use, I use Linux for a small group of servers (web, mail, etc) and for my desktop. I have a basic firewall installed, and automatically have updates downloaded and installed. I have personally (yet) had a virus, worm, or pest.

I can believe that the tests studied in the above article were well done. And I believe the results are probably right. However, today people are spending time and money to get problems caused by IE's embedded relationship with its OS. Villains aren't sending out balls of malformed code, they are installing spy, porn, ad, mail, malware.

IE may in fact be most "sturdy", but combine it with Windows in many typical situations, and you have a broken product. I'm sure one day it's possible that Linux and OSX will be as unreliable as Win-IE, but for now I will keep using Firefox, Konqueror, Mozilla, running on Linux/GNU. Unfortunately, at least for the near future I'll continue to make money from this unnecessary problem.

via Facebook 22 October, 2004 03:37

This article is silly and misleading. It reads as though these other browsers have more security related flaws than Internet Explorer, while nothing could be further from the truth. In his testing, this person found no problems that were exploitable in a security sense other than to make the browser crash (and calling even that a security flaw is rather a stretch). IE has plenty of security flaws that have nothing to do with malformed HTML. These browsers are all much lower security risks than IE (I don't know of a modern browser that's not).

Another point I wondered about is how IE reacts to this malformed HTML. Does it give an error message and refuse to display it? That would be the appropriate behavior. If it does not do this, I can't see how it can be said to be more secure.

via Facebook 22 October, 2004 04:11

IE has come out the clear LOSER!
What wasn't said, "It is unknown whether MSIE was affected by the malicious code because it gave no signs of problems."

The other browsers crashed when a problem came up. This helps prevent them from being attacked!

When IE has a problem, expect it to keep running, and when it finally does crash, it'll take your Operating System with it.

via Facebook 22 October, 2004 06:23

Yes. I reviewed the code and tested it on the named browsers and also on Konqueror and Safari.

They all fail fairly quickly, but--curiously--in very uniform ways. It appears to me that this isn't a testament of many bugs, but rather all from one place--a common XML parser, written in C. Even Konqueror and Safari, based on Qt (a C++ toolkit), are actually the same C code wrapped in C++. And C code is notorious for buffer overflows, etc.

I just think everyone debugged their own code and trusted the common library for parsing content like: <tag field=value ...> So one bug turns up in every browser.

Yes. It looks bad. Very bad. But, it isn't something generalizable about all open source code. It's an isolated incident.

Matthew

via Facebook 22 October, 2004 08:22

How can this guy come out with something saying internet explorer is more secure than the other browsers, when internet explorer has been called "the least secure program ever written"? What a dumb-ass...

via Facebook 22 October, 2004 19:06

What this says to me is that IE is as slack as a... (censored) and ignores all web standards. This is nothing new. Netscape never displayed a form if there were no form tags. IE always has.
With software like that around, new programmers get the impression that standards are phooey and discipline flies out of the window.
It also displays why Microsoft software fails so much - how can anyone successfully carry out QA procedures when there are no benchmarks to keep to?

His sentence that talks about his software crashing and burning when writing a few lines of wrong code?

Ans: Learn to do it properly and use a debugger.

Some people, Sheesh!!

via Facebook 23 October, 2004 19:31

Mr. Goodwins, I think you should rewrite the thesis of your article. It's not browser SECURITY that was tested, but rather browser STABILITY against badly formed HTML.

I agree that any software needs to deal with bad input properly and should never crash, and I'm sure the OS developers will fix the problem(s)...

We, the OS community shouldn't start flame wars just because someone says some proprietary software is better at something. What we need to do is help to improve OS software by using it. It's just a matter of time, in my opinion, that OS will surpass most proprietary software.

Just my 2 cents.

via Facebook 27 October, 2004 11:02

Update from BUGTRAQ:

http://www.securityfocus.com/archive/1/379207/2004-10-24/2004-10-30/2

For a complete overview:

http://www.securityfocus.com/archive/1/379356/2004-10-24/2004-10-30/1

via Facebook 27 October, 2004 23:33
