Re: PHP as a secure language? PHP worms? [was: Re: new linux malware]

To: Darren Reed <avalon@xxxxxxxxxxxxxxxxxxx>
Subject: Re: PHP as a secure language? PHP worms? [was: Re: new linux malware]
From: Ronald Chmara <ron@xxxxxxxxx>
Date: Tue, 02 Jan 2007 21:16:12 -0800
Cc: Jim@xxxxxxxxxxxx (Jim Harrison), bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <200701021837.l02IbJiO006099@xxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <200701021837.l02IbJiO006099@xxxxxxxxxxxxxxxxxxx>

On Jan 2, 2007, at 10:37 AM, Darren Reed wrote:

In some mail from Jim Harrison, sie said:

Again; I agree with and fully support the effort.  What I'm trying to
point out is the literal impossibility of actually achieving "genuine
security" in either our code or the languages it's written in.

Well given that the ultimate root of any invention is going to be
human, you're saying "genuine security" is impossible.

"Genuine Security" is a marketing term (a misleading one, at that). Aprogramming language without security risks is pretty much useless. Acapable web programming language without security risks is darnednear impossible.

I'm quite confident that someone could develop a very secure
interpreted language.  It might not do a lot, but it could easily
be done (even if only to prove you wrong) - if one doesn't already
exist.  I could probably even prove a case with /bin/sh.

Sorry, /bin/sh needs read access to /etc/passwd for uname checks, andthus, allows for information disclosure.

Hm.

LOGO is pretty safe to use. I'm not sure how much you can do with itanymore. You might be able to draw web pages.... really.... slowly.....

The problem we have right now is that the language commonly used for
dynamic web pages on non-Microsoft platforms is PHP and that this has
not been engineered *for security*.

PHP was engineered with the power (and responsibilities) of C. Itallows for on-the-fly database administration, file access at thelevel of permission given to the web server process, and input/outputat the level of raw data streams.

PHP is not a web "scripting" language, so much as a scriptinginterface to raw binary libraries on the disk, and raw machineresources. Thus, if an admin wants to build a PHP program toadminister a massive DB cluster at the CLUI level, they can. If theywant to run the world's largest online encyclopedia, they can.


They can also write an address book.

The goal of a language such as PHP should be to make it possible
to do what is required without the person using it needing to know
anything about security or secure programming practices.

I think you might be a tad confused about the goals of PHP, or hopingthat their goals match yours.

"PHP, which stands for "PHP: Hypertext Preprocessor" is a widely-usedOpen Source general-purpose scripting language that is especiallysuited for Web development and can be embedded into HTML. Its syntaxdraws upon C, Java, and Perl, and is easy to learn. The main goal ofthe language is to allow web developers to write dynamicallygenerated webpages quickly, but you can do much more with PHP."

Note: "web developers", not "bored college students who tend to putSQL arguments into a GET string" or "oops, I didn't bother to checkmy args because the bong distracted me".

Just because it's easy to learn how to use a gun does *not* givepeople license to shoot themselves in the foot and then complain thatthe gun was "too easy to use".

Just as
people using perl generally don't need to worry about buffer
overflows,

Er, what? As soon as a perl user "glues" into an external library,they better start to worry about such things, or expect to get a pinkslip.

why should people using PHP need to worry about SQL
escapes and filepath issues?


Let us entertain your idea.

Let us imagine a language that is near useless for databaseadministration, because all of the "dangerous" statements to droptables, or bulk update data, are removed.Let us imagine a language where every "dangerous" file path isremoved, and thus, renders the language useless for any operationthat traverses a file path.Let us imagine a language that only allows for limited looping, so itcannot suck too much CPU.Let us imagine a language where all data is "auto-sanitized", so itcannot handle complex binary streams.


PHP is *not*, and *never has been*, this language.

Perhaps, though, there is such a need for such a language that it canbe developed...

...but I wouldn't use it, and neither would most of the people whoneed powerful code tools. I suggest you study the last 10 years of"web languages", it's a veritable highway of death of similarintentions, and dead-ends.


-Bop

Follow-Ups:
- Re: PHP as a secure language? PHP worms? [was: Re: new linux malware]
  - From: Jim Manico

References:
- Re: PHP as a secure language? PHP worms? [was: Re: new linux malware]
  - From: Darren Reed

Prev by Date: Re: PHP as a secure language? PHP worms? [was: Re: new linux malware]
Next by Date: Re: [WEB SECURITY] RE: Universal PDF XSS After Party(posible solution)
Previous by thread: Re: PHP as a secure language? PHP worms? [was: Re: new linux malware]
Next by thread: Re: PHP as a secure language? PHP worms? [was: Re: new linux malware]
Index(es):
- Date
- Thread