I’m An Unsafe Coder
November 29, 2008. Posted by gordonwatts in computers.
I’m finishing up a string of three owl shifts here at DZERO. One of the things I’m trying to accomplish is some minor improvements to the AI system that monitors DZERO’s data acquisition. Its job is to look for problems, and if it recognizes one, it attempts to fix it or, at the very least, tell us humans on shift how to fix it. I suppose it is more of an expert system than AI.
The last time this code underwent any real work was… well, years ago. The dark ages, actually. The code is cross-platform. Though it runs on Linux systems, I did most of the development work on a Windows system. For these minor upgrades I’m also building it on a Windows system.
The problem is the development tools from Microsoft. As you might guess, since I last built this thing they have done more than evolve! The biggest change, of course, is Microsoft got religion about security. This is even baked into their development tools. So when I build the AI system now I get 100s of warnings of unsafe coding practices. I’d say 90% of them are great fodder for a buffer overrun exploit – a type of programming exploit that has caused millions of computers to be owned!
Of course, I don’t care. The AI system operates behind a firewall. Even though I know everything there is to know about this system (well, mostly…) there is no way for me to get at it when I’m offsite unless I am fully authenticated and using secure communication protocols. So, this is mostly a pain in the butt for me.
Well… not exactly.
Looking at a few of these closely I see that in many cases I am building strings dynamically and then copying them into fixed length buffers. The string building is dynamic, and I never check to make sure the length of the string is less than the buffer it is being copied into. Now, it can’t be that the dynamic string is often longer than the buffer: this AI program typically runs for weeks at a time. But… you know… now that I think about it and look back at the log files… every now and then it just stops. I’ve never been able to track down why. I wonder if it is something like this?
I guess these things are not only security problems (which I don’t care about) but perhaps are also bugs (which I do care about). Oh well, I guess I’m going to have to fix all of them. Darn.
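The pattern described above, a dynamically built string copied into a fixed-length buffer with no length check, shown next to a checked version. This is an added example, not code from the original post or from the DZERO system; the buffer size, function names and sample message are assumptions made up for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MSG_BUF 32 /* assumed size of the fixed-length buffer */

/* Pattern from the post: copy with no length check. Any src of
 * MSG_BUF or more characters writes past the end of dst. */
void store_unchecked(char dst[MSG_BUF], const char *src)
{
    strcpy(dst, src);
}

/* Checked copy: dst is always NUL-terminated. Returns 0 if src fit,
 * -1 if it was truncated, so the caller can log the event instead
 * of silently corrupting adjacent memory. */
int store_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    n = strlen(src);
    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1); /* includes the terminator */
    return 0;
}

/* Build the message directly into the fixed buffer. snprintf never
 * writes more than dst_size bytes and returns the length it needed. */
int format_status(char *dst, size_t dst_size, const char *source, int code)
{
    int needed = snprintf(dst, dst_size, "%s: error %d", source, code);
    return (needed >= 0 && (size_t)needed < dst_size) ? 0 : -1;
}

int main(void)
{
    char buf[MSG_BUF];
    /* Constructed sample message, longer than MSG_BUF. */
    const char *msg = "readout crate 0x42 lost sync after 3 retries";
    int rc = store_checked(buf, sizeof buf, msg);
    printf("rc=%d stored=\"%s\"\n", rc, buf);
    return 0;
}
```

Logging the -1 return gives a record of every over-long string, which is the kind of evidence that helps confirm or rule out an overrun as the cause of an unexplained stop.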