From mboxrd@z Thu Jan  1 00:00:00 1970
Received: (from majordomo@localhost) by pauillac.inria.fr (8.7.6/8.7.3) id RAA01504; Sat, 28 Feb 2004 17:44:16 +0100 (MET)
Received: from nez-perce.inria.fr (nez-perce.inria.fr [192.93.2.78]) by pauillac.inria.fr (8.7.6/8.7.3) with ESMTP id RAA02616 for <caml-list@pauillac.inria.fr>; Sat, 28 Feb 2004 17:44:15 +0100 (MET)
Received: from venus.is.s.u-tokyo.ac.jp (venus.is.s.u-tokyo.ac.jp [133.11.12.9])
	by nez-perce.inria.fr (8.12.10/8.12.10) with ESMTP id i1SGiIIq013053
	for <caml-list@inria.fr>; Sat, 28 Feb 2004 17:44:20 +0100
Received: from tuba.is.s.u-tokyo.ac.jp (tuba.is.s.u-tokyo.ac.jp [133.11.12.102])
	by venus.is.s.u-tokyo.ac.jp (8.11.6p3/3.7W) with ESMTP id i1SGiAP28316
	for <caml-list@inria.fr>; Sun, 29 Feb 2004 01:44:10 +0900 (JST)
Received: (from oiwa@localhost)
	by tuba.is.s.u-tokyo.ac.jp (8.11.6+Sun/3.7W) id i1SGiAJ02340;
	Sun, 29 Feb 2004 01:44:10 +0900 (JST)
X-Authentication-Warning: tuba.is.s.u-tokyo.ac.jp: oiwa set sender to oiwa@yl.is.s.u-tokyo.ac.jp using -f
To: caml-list@inria.fr
Subject: Re: [Caml-list] How to secure an OCaml server
References: <87llmnme9b.fsf@linux-france.org>
MIME-Version: 1.0 (generated by SEMI 1.14.3 - "Ushinoya")
Content-Type: text/plain; charset=US-ASCII
From: Yutaka OIWA <oiwa@yl.is.s.u-tokyo.ac.jp>
Date: Sun, 29 Feb 2004 01:44:10 +0900
In-Reply-To: <87llmnme9b.fsf@linux-france.org>
 (David MENTRE's message of "Sat, 28 Feb 2004 16:10:08 +0100")
Message-ID: <vfioerj9msl.fsf@tuba.is.s.u-tokyo.ac.jp>
User-Agent: T-gnus/6.15.6 (based on Oort Gnus v0.06) (revision 01)
 SEMI/1.14.3 (Ushinoya) FLIM/1.14.3 (=?ISO-8859-4?Q?Unebigory=F2mae?=)
 APEL/10.2 Emacs/20.7 (sparc-sun-solaris2.8) MULE/4.0 (HANANOEN)
X-Miltered: at nez-perce by Joe's j-chkmail ("http://j-chkmail.ensmp.fr")!
X-Loop: caml-list@inria.fr
X-Spam: no; 0.00; caml-list:01 yutaka:01 oiwa:01 oiwa:01 u-tokyo:01 2004:99 dmentre:01 buffer:01 dangling:01 pointers:01 catastrophe:01 runtime:01 insecure:01 improper:01 decoding:01 
Sender: owner-caml-list@pauillac.inria.fr
Precedence: bulk

Hello David, 

>> On Sat, 28 Feb 2004 16:10:08 +0100, David MENTRE <dmentre@linux-france.org> said:

David> Hello,
David> I'm currently writing a server in Objective Caml. This server is using a
David> specific protocol (in XDR format) over TCP sockets.

David> I would like to secure my server against usual attacks (buffer overflow,
David> etc.).

David> While there is plenty of doc for C and C++, there is nothing for
David> OCaml. At what kind of issues should I look to avoid attacks? Has
David> anybody written a documentation or a tool to secure OCaml applications?

Programming in Objective Caml (and other "safe languages") is
relatively safe.  However, in my opinion, it is wise to care about
almost same kind of safety issues as those for C language, except
dangling pointers.

Unlike C and C++, Objective Caml has strong builtin protection for
array boundary overflow.  You can expect that inputs which usually
cause arbitrary code execution (like viruses and worms) do not cause
such catastrophe, but only make your programs report runtime exception
and then halt.  However, you should not rely on this feature in
production code, especially if you are writing your own decoders or
encoders for existing protocols.  If an encoded data packet contains
both secure and insecure data, improper handling of data length fields
in a decoding routine may cause other security problems such as data
leakage or memory exhaustion.

Dangling pointers never appear in Objective Caml program; the garbage
collector frees only unused data, unlike free() in C and delete
operator in C++. It also prevents memory leakage in many cases.

Other security issues such as sanitizing of user-input data like
username, pathname, HTML fragment, etc. should be handled carefully in
the same manner as in other languages.  The things you referred as
"plenty of doc" may help you.

In general, effective use of high-level language features such as
builtin string, list type, and user-defined datatype may reduce
cumbersome needs for boundary checking outside codec routines.  The
garbage collection helps this style of programming, since with GC
you can use those high-level data structures without fearing about
memory leakage or dangling pointers.

-- 
Yutaka Oiwa              Yonezawa Lab., Dept. of Computer Science,
      Graduate School of Information Sci. & Tech., Univ. of Tokyo.
                    <oiwa@yl.is.s.u-tokyo.ac.jp>, <yutaka@oiwa.jp>
PGP fingerprint = C9 8D 5C B8 86 ED D8 07  EA 59 34 D8 F4 65 53 61

-------------------
To unsubscribe, mail caml-list-request@inria.fr Archives: http://caml.inria.fr
Bug reports: http://caml.inria.fr/bin/caml-bugs FAQ: http://caml.inria.fr/FAQ/
Beginner's list: http://groups.yahoo.com/group/ocaml_beginners