Cracked Rear View: Programming, Security, Software Design

Even though there are multiple great libraries for for dealing with strings safely in C for both UNIX and Windows, developers in the industry seem to generally insist on using the unsafe family of C string functions, such as strcpy and sprintf. This family of functions has been known to cause all sorts of trouble with buffer boundaries for many, many years. Any university graduate that wrote a single line of C code should have had it forcefully taught that you should just not use these functions. The need for C is going to remain for systems programming and software where memory and execution speed are important. So, if the world is going to continue to develop software in C it should at least be done with security mind. There are no excuses for using strcpy at this point. With that out of the way it is time to move on to the main point of this article.

Why did I do this?

• Shared hosting environment, NO external Java or CFXs
• Different server environments, common denominator is CFMX 6.x
• Open implementation so that it may be peer reviewed
• The built in encrypt function is not discussed openly by Macromedia (CFMX 7 provides much better encryption options, but my common denominator is CFMX 6.x
• It was fun

The encryption algorithm is ARCFOUR. It is used in browser based SSL and in SSH to this day. It is known to be secure when used properly. I took into account all of the various weaknesses of the algorithm and made sure my code addressed those weaknesses. This is BSD licensed code so anyone who knows infosec can look at it and see if there are any weaknesses in my implementation. This allows us to have a pure CFML encryption option. This allows for every line of the encryption routines to be examined. The same options are available for the standard Java Cryptographic Extensions. Open implementation of encryption algorithms are essentially the best way to do it and ensure it is done right. Weaknesses can be discovered and fixed, instead of silently exploited.

Cracked Rear View is the personal web site of Jeremy Allen. I am married. I have 3 cats, 2 dogs, and 1 kid (son). I am a software security consultant for Foundstone, a Division of McAfee. I specialize in software security. A large part of my job is to review code to find security bugs. I see all sorts of fun and interesting things, including some interesting security bugs.

My work experience has mostly been with C/C++, Java, C#, PHP and ColdFusion. In my private time I love writing Python and C/C++. I am a published author; my book was on PHP 4.1 and I contributed to Mastering XML Premium Edition. I have been developing software commercially since 97. I have a special interest in software security  and software architecture where it applies to security. Software security is a dynamic and evolving field in the software world and it is fun to be a part of it. Above and beyond the specialized areas, I just enjoy software development in general. I enjoy looking deep into hard problems. I think implementing something like a binary search trie is fun, and if you do too you have come to the right place.