Code re-use

Are shared libraries good?

Shared libraries are less secure than bloatware (0 votes)
Makes no difference, code is code (1 vote, 14%)
Shared libraries are more secure than bloatware (2 votes, 29%)
It depends - shared libraries are good for the OS but bad for apps (0 votes)
What are shared libraries? (4 votes, 57%)

Total votes: 7

Post by guy » Sun Jan 01, 2012 1:20 pm

The other day I came across the suggestion that it is more secure to build everything into your app, rather than rely on shared libraries.

Isn't that just saying that code re-use is bad practice because it equates to vulnerability re-use? Safer to bloat the install.

Thinking of the relative security reputations of some well-known platforms and their relative tendencies for developers to depend on shared libraries, I find this a difficult idea to justify based on evidence.

If 100 instances of the same library are compiled separately into 100 apps, where is the benefit over installing once and linking from those 100 apps?

And doesn't it also depend rather heavily on the experience and professionalism of the shared library developers vs. the app developers? I'd trust a 15-year old maintenance team over a shiny new script kiddie any day.

I kind of smell subversive FUD at work - "You can trust our shiteware approach, honest. Far better than that other competitor - just read this security analysis my salesman wrote." sort of thing.
Cheers,
Guy
The eternal help vampire

Post by Bazza » Sun Jan 01, 2012 2:46 pm

Hi guy...

Sorry, but I had to vote "What are shared libraries?"...

The reason is that a very large percentage on here have no idea
what a shared library is.

What happens when a shared library becomes corrupt?
What happens when a shared library is updated?
What happens when a shared library is no longer needed
in the latest OS incarnation?
Although not a library situation, remember SNDREC32.EXE in XP
and below, but not in Vista and higher.......

You see my point.

I suspect that a library that has stood the test of time is pretty much
bullet proof AFA security is concerned. However sometimes they get
major code changes that not only affect countless apps that depend
on them but also break security and reliability.

Just a starter... ;o)
73...

Bazza, G0LCU...

Team AMIGA...

Re: Code re-use

Post by nelz » Sun Jan 01, 2012 8:47 pm

guy wrote: Isn't that just saying that code re-use is bad practice because it equates to vulnerability re-use?

If that is true, it also equates to re-use of vulnerability fixes.

If you have 100 apps all with their own statically compiled version of a library and a vulnerability is found and fixed, you have to wait for all 100 projects to update their code before you are safe from that vulnerability.

The same applies to other improvements to the code, be it bug fixes or better performance.
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)

Post by Fat_Tuesday » Sun Jan 01, 2012 9:47 pm

Easy answer, only question I understood was the last one!

Post by wyliecoyoteuk » Sun Jan 01, 2012 10:40 pm

Shared code may mean multiple vulnerabilities, but it also means multiple eyes on it.
The old "security by obscurity" argument is why Windows has become such a pile of dudu over the years.
Anyway, every current OS uses shared libraries, and yet some are much more secure than others, so that sort of wrecks the argument, really.
The sig between the asterisks is so cool that only REALLY COOL people can even see it!

*************** ************

