Tuesday, 23 December 2008

Kingdom of the Future


Microsoft has an excellent security culture. Case in point: Michael Howard posted an in-depth explanation of the latest Internet Explorer bug including the key piece of code involved. Read it. Most organizations go to extraordinary lengths to bury a failure as quickly as possible, but Microsoft seems to understand that they have to really understand their failures if they hope to avoid repeating them.

But the big news here is the bug itself. It was a use-after-free caused by a thread safety problem. C++ failed twice in one fell swoop: first, the programmer was forced to do direct memory management, and surprise, surprise, eventually an object gets freed while there's still a pointer to it. Second, the use-after-free allowed an attacker to execute arbitrary code. That's a pretty high price to pay for a mistake in code that wasn't supposed to have anything to do with pulling in outside instructions, but that's the way it goes in C++.

But even with a better programming language, thread safety is a tough problem. If you're writing in Java or C# or Ruby, a thread safety problem probably won't cause you to end up with a vulnerability that allows arbitrary code execution, but you might inadvertently allow one user to see another user's data, and that's plenty bad. Back in 2005, Katrina Tsipenyuk, Gary McGraw, and I wrote a paper titled Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors. We lumped this kind of race condition together with errors caused by distributed computation and called them problems related to "time and state". In the presentations I gave on the paper, I always referred to Time and State as the kingdom of the future, because we're only headed for more CPU cores, more threads, and more interconnected systems, and that means more opportunities for getting out of sync.
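The managed-language failure described above, one user seeing another user's data, shown as an added Ruby example that is not from the original post: a single handler object shared by all threads keeps per-request state in an instance variable. The class names, account data and forced interleaving are constructed for illustration.

```ruby
require "thread"

# Constructed sample data standing in for per-user records.
ACCOUNTS = { "alice" => "alice: balance 120", "bob" => "bob: balance 7" }.freeze

# Vulnerable: per-request state lives in an instance variable, but the one
# handler instance serves every thread, so requests overwrite each other.
class SharedStateHandler
  def handle(user, gate = nil)
    @user = user           # shared by every thread using this object
    gate&.call             # stands in for I/O, where a thread switch can happen
    ACCOUNTS.fetch(@user)  # may read the value a different request wrote
  end
end

# Fixed: per-request state stays in locals, which are private to each call.
class LocalStateHandler
  def handle(user, gate = nil)
    gate&.call
    ACCOUNTS.fetch(user)
  end
end

# Serve two requests on ONE handler and force the interleaving
# "alice writes, bob runs to completion, alice reads" so the result
# is deterministic instead of depending on scheduler timing.
def serve_interleaved(handler)
  alice_wrote = Queue.new
  bob_done = Queue.new
  alice = Thread.new do
    handler.handle("alice", -> { alice_wrote << true; bob_done.pop })
  end
  bob = Thread.new do
    alice_wrote.pop
    handler.handle("bob").tap { bob_done << true }
  end
  { "alice" => alice.value, "bob" => bob.value }
end

if __FILE__ == $PROGRAM_NAME
  puts "shared state: #{serve_interleaved(SharedStateHandler.new)}"
  puts "local state:  #{serve_interleaved(LocalStateHandler.new)}"
end
```

In production the same interleaving happens only occasionally under load, which is why this class of bug tends to survive testing.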

Posted by bchess at 11:48 PM in Random

 
