Transcript dropped at you by IEEE Software program journal.
This transcript was robotically generated. To counsel enhancements within the textual content, please contact content material@laptop.org and embody the episode quantity and URL.

Gavin Henry 00:01:06 Welcome to Software program Engineering Radio. I’m your host, Gavin Henry, and at this time my visitor is Robert Seacord. Robert Seacord is a Technical Director at NCC Group the place he develops and delivers safe coding coaching in C and C++ and different languages. Seacord is an professional on the C Requirements. His six earlier books embody CERT C Coding Commonplace and Safe Coding in C and C++. Robert, welcome to Software program Engineering Radio. Is there something I missed in your bio that you simply’d like so as to add?

Robert Seacord 00:01:36 No, that was fairly full. Thanks for having me right here.

Gavin Henry 00:01:40 A pleasure. So, I’d like to start out off with a quick historical past of the C language after which contact on why programming in C might be insecure. We’re going to additionally then transfer on to high 5 safety points. After which the final little bit of the present goes to be speaking on the varied methods and instruments we will use to assist us write safe C packages. Okay? Small disclosure, I’d point out an open-source venture I’m engaged on known as SentryPeer, which is written in C for numerous issues which have come up whereas I’ve been writing the code and instruments. I discovered safety points I assumed that weren’t a problem and issues I discovered in your books and the sections on easy methods to enhance your code. I believe it’ll be a pleasant bit. So, let’s lay down some foundations: when was C created?

Robert Seacord 00:02:35 I needed to look this up as a result of I’m truly not fairly that previous, but it surely first appeared in 1972. And it was developed by Dennis Ritchie at Bell Laboratories in New Jersey. So, it’s had a really lengthy historical past. It was based mostly on a typeless language known as B, as you may think, as a result of programmers have by no means been excellent at naming issues.

Gavin Henry 00:03:01 Cool, are there such a factor as variations, or how does that work?

Robert Seacord 00:03:05 Effectively yeah, there’s a number of variation in what we name C, proper? So, there was KRC, which was a Kerningham-Ritchie, sort of corresponded to their guide again within the 70s. And again within the 70s, ANSI began a committee to standardize the language. So that they printed their first normal in 1989. In order that’s sometimes called C89, and the subsequent yr that was printed by ISO. So it was quick observe to the worldwide requirements group as C90, and lots of people have assured me, together with John Benito, who was the earlier convenor of the C requirements committee, that these two requirements are precisely the identical. There’s only a totally different cowl web page. Nevertheless it’s truly fairly laborious to search out copies of these authentic requirements. However a number of embedded code remains to be written in C90 after which there’s been a number of variations, main variations of the Commonplace launch license.

Robert Seacord 00:04:10 So the subsequent one was C99. And C99 was a bit gradual on adoption, but it surely had a bunch of options. C11 was the primary normal that I labored on from starting to finish, and C11 primarily launched parallel programming, concurrent programming, threads, thread library, atomics. And it was meant to additionally deal with safety. I’m unsure it did pretty much as good a job of addressing safety because it did addressing parallel execution, however we did add issues like Annex Ok, which is the sure checking interface or the underbar S capabilities. Many individuals assume that underbar S perform stands for Safety, but it surely truly stands for Bounds Managed Interface. And we added that we had an Annex L, which was analyzability annex and we made another small enhancements right here and there to handle safety. That was C11. Yeah. 2011. We simply had the one digits I imply, I assume ultimately we’ll wrap round, however I hope to be lifeless by then and anticipate it to be another person’s downside.

Gavin Henry 00:05:31 You talked about ANSI, that’s the American…?

Robert Seacord 00:05:33 Yeah, that’s American Nationwide Requirements Institute however these days it’s truly, there’s a bunch known as Insights, which is form of beneath the umbrella of ANSI. And so, in case you are within the US you’re a member of the Insights Committee, and Insights will get a single vote in ISO, so ISO is the Worldwide Requirements physique, so it’s one nation, one vote at ISO. And the Committee is definitely, it’s very US-centric. We had a gathering some years in the past in Delft within the Netherlands, and there’s a portion of the assembly the place, we simply deal with Insights enterprise. So we requested individuals who aren’t a part of the US physique to go away. And the one individual to go away was the host of the assembly. And this was a gathering happening in Europe. There was just one European there, and it was the host. So often we get higher participation from Northern Europe, Canada, however not a lot past there; hasn’t been a number of participation from Asia or elsewhere recently.

Gavin Henry 00:06:50 And is that as a result of C’s not used there, or they don’t take part?

Robert Seacord 00:06:54 It could be used there, but it surely’s all of the compiler distributors are within the US primarily. There’s IBM, their compiler group is in Markham in Canada. And so, that’s truly the Canadian illustration is from IBM, the well-known Canadian firm, in fact.

Gavin Henry 00:07:16 So there’s probably not variations; it’s the usual and that modifications every…?

Robert Seacord 00:07:24 Yeah, so the variations of the usual, after which that form of drives the baseline. So there’s C11, C17. C17, some individuals mistakenly name it C18 as a result of it was printed by ISO in 2018, however it’s truly the 2017 normal. And that was actually an uncommon one. It was simply actually bug fixes of C11. So, nobody actually needs to be utilizing C11. C11 is like C17 with bugs, and C17 is C11 with out bugs, however there’s, in fact all of the compiler distributors repair all of the bugs in C11. So that you received’t see them anymore, no matter which normal you specify. And so C17 is a present model and we’re at present engaged on C23 and the deadline for papers to introduce new options has come and gone as of this previous, I believe it was as of November. And so, we all know what’s not going to be in C23 proper now, which is something we haven’t bought a paper on and what’s going to be in it’s nonetheless up within the air as a result of we now have to, we’ll see if we will get consensus on the remaining proposals which might be in entrance of the committee.

Gavin Henry 00:08:40 And that’s what results in the compiler, doesn’t it — the model or normal the compiler helps?

Robert Seacord 00:08:47 Effectively, it may, proper? So to start with, after we create the usual and C there’s a powerful requirement for current implementations, proper? So, the C committee greater than most committees doesn’t wish to invent issues. We’d like to search out issues which might be being utilized in apply that might profit from standardization as a result of which may improve portability over various platforms, after which get it into the usual. And typically the committee will, I’ll use the time period “make enhancements” to current apply. They do wish to fiddle and that’s good and unhealthy. I imply, it’s good to perhaps make some enhancements, however on the similar time now it’s not simply precisely current in apply anymore, that you simply made some modifications to it. And a few issues like Annex Ok, the committee fiddled with {that a} bit and bought to the purpose the place the prevailing implementation from Microsoft turned non-conforming to the usual, and so they weren’t actually up for altering it. And so, the usual — I’m looking for a unique phrase than “normal” — it units a normal.

Gavin Henry 00:10:11 No, however you touched on a great level in there that the usual is there to bolster portability. I believe that’s what you’re making an attempt to get to.

Robert Seacord 00:10:19 Yeah. However all these compilers, they’re at all times, every implementation, proper? Every compiler implementation exists over a continuum, proper? So, you’ll have a compiler that has say, perhaps it’s absolutely carried out to C99, however they’re working in direction of implementing all of the C11 or C17 options, proper? And so it’s someplace in-between. After which most compilers have compiler-specific extensions that you should use, proper? Which aren’t standardized. And so, so each implementation there’s a number of variation, every form of normal model is form of a unique taste of the language. After which the precise compiler implementations they’ll fall into totally different areas by way of which requirements they implement and which further options. So, there’s a constant form of transportable spine, however there’s a specific amount of variation sort of constructed on high of that.

Gavin Henry 00:11:30 Yeah. Simply relating the bit the place you spoke about it’s actually C17 and never C18, in my open supply venture that I discussed, after I was getting the continual integration duties arrange, to construct my venture with the compiler flags I placed on, it was GCC normal C18, trigger I’m working Fedora Linux newest from my desktop, like develop on, however the runners had been, this code was constructed on GitHub. Trigger you’ve been to twenty LTS and so they didn’t have that flagged assist in these PCCs. I believe it was there. Or after I was testing on internet BSD and open BSD, they didn’t, they solely assist C11. So even issues, not even that a few years previous, they haven’t caught up or it’s simply the model of compile that was launched with the working system. So, I perceive what you imply by relying on how the compilers had been carried out and who’s rolled them out.

Robert Seacord 00:12:31 Yeah. And you realize, Microsoft has at all times been an fascinating case as a result of they’ve at all times been form of comfy, partially supporting requirements. So supporting components of requirements they like, however ignoring components they don’t.

Gavin Henry 00:12:46 However then it’s probably not a normal, is it? You both do all of it, otherwise you don’t.

Robert Seacord 00:12:50 Yeah, that’s true. So for a very long time, they didn’t like all of the components of C99, and so they simply sort of took a move on these bits, however they’ve form of introduced a path the place they need to form of turn into extra aligned with the C normal. They haven’t been sending anybody to the committee conferences, so it’s laborious to inform precisely what their future relationship with the language is. However compilers like Clang and GCC do an excellent job sort of maintaining with the most recent model of the requirements. And you will get some, even C23 sort of options supported in these compilers as nicely.

Gavin Henry 00:13:36 Wonderful. Effectively, I’m going to maneuver us onto the subsequent part of the present, which was actually concerning the high 5 safety points that I’ve give you a little bit of analysis, and I would like you to right me on them. So earlier than we dig into these 5, if we may spend a minute or two to know why a C program might be insecure after which we’ll dig into the 5 points I’ve listed?

Robert Seacord 00:14:02 Effectively, yeah so, in all programming languages are insecure and so they’re all general-purpose programming languages. So all of them can form of obtain the identical issues, proper? So that they have the identical, they’re all Turing full, and so they’ve bought totally different abstractions, totally different idioms for programming in these languages. However, in the best way languages are damaged they are often fairly totally different, proper? As a result of that’s, that’s not an intentional design; it’s form of the defect floor of the language, or nevertheless you need to describe it. And so, when you take a look at a language like Java, which had been billed as a safe language for a few years, it’s bought some severe issues with issues like deserialization, which mainly permits an attacker to execute their very own code inside your digital machine.

Gavin Henry 00:15:07 Very topical language in the mean time, isn’t it with the whole lot that’s been happening the previous two weeks. We’ve got to watch out of timelines on this sort of present, however the large with log4 J.

Robert Seacord 00:15:22 Yeah. And I imply, that’s, I haven’t studied that rigorously. I imply, that largely looks like a design flaw.

Gavin Henry 00:15:29 It’s sort of, such as you mentioned, the place code might be injected and it runs the place it shouldn’t be.

Robert Seacord 00:15:34 So yeah Java has bought a fairly vital assault floor and it’s at a sure degree the place it form of within the libraries and within the options and ways in which these options might be form of misused to use the code, C being form of a less complicated compiled language doesn’t have that assault floor. However C and C++ are form of well-known for reminiscence questions of safety. And these are issues the place, mainly, you learn or write exterior the bounds of an object and C and C++, these languages are designed to be optimally environment friendly. So that they form of belief the programmer’s not going to make most of these errors. And it seems that belief had been very misplaced as a result of programmers make these errors on a regular basis. And when you write exterior the bounds of an object, that may have numerous penalties as undefined habits, relying on what that write does it may overwrite knowledge, it may overwrite perform pointers, it may overwrite the return deal with on the stack. And attackers can exploit that sort of downside by amongst different issues, injecting code into your course of and overwriting the return deal with on stack with the deal with of that malicious code so when a perform goes return, as an alternative of returned to the caller, it executes codes that’s been injected by the attacker after which that code runs with the permissions of the weak course of. In order that’s a fairly vital type of assault.

Gavin Henry 00:17:25 Okay. Effectively that’s a great overview of some issues that will be insecure. Let me break down a few of them earlier than we begin on this subsequent bit, after we’re speaking about C you talked about the phrase object, which at all times makes me consider an object-oriented program, like a JavaScript object or a Java one, what can we imply in C after we speak about an object?

Robert Seacord 00:17:49 Oh, I didn’t know this was going to be a very deeply technical dialog.

Gavin Henry 00:17:54 Effectively, I suppose you may make it only a single-sentence definition of an object.

Robert Seacord 00:18:02 Yeah. We’ve got a reminiscence administration research group that’s making an attempt to reply that query.

Gavin Henry 00:18:07 Possibly we will’t do a easy reply then?

Robert Seacord 00:18:10 However mainly an object is –- okay, I imply, in C you’ve got capabilities and you’ve got objects, proper? So an object is the whole lot that’s not a perform. In order that’s a, variable could be an object or you possibly can have an object in dynamically allotted storage. So yeah, it’s mainly a…

Gavin Henry 00:18:31 Sure, that’s right. That’s precisely what I used to be simply going to learn out of your guide. So in your guide, Efficient C, you say “an object is storage in which you’ll characterize values. To be exact, an object is outlined by the C normal as a area of knowledge storage within the execution setting, the contents of which might characterize values.” The added word “when a reference object might be interpreted as having a selected kind.” So yeah, that could be a large tick for that reply. Thanks.

Robert Seacord 00:19:03 Thanks, I’m glad I’m constant.

Gavin Henry 00:19:06 So yeah, you touched on a few issues that I used to be going to drag aside shortly on that to do with how these reminiscence points are literally exploited. We’ll begin off from my checklist. So do my very own venture and different issues like that every time I save one thing or I’m engaged on an ID and I push it to Github, I’ve bought all kinds of static evaluation on it that we’ll point out it within the subsequent part, but it surely often comes again with one thing like a string concern. So I’ve at all times understood strings to be a safety concern as in not terminated or an array of characters. Individuals deal with it not as a string when it’s not a string. Might you give us some info on why a string might be insecure?

Robert Seacord 00:19:56 Yeah. Strings are sort of tough. So strings are, they’re not a primitive kind in both C or C++. So that they’re constructed on high of arrays and C arrays are problematic in and of themselves, proper? And so for starters, we all know that there’s no implicit bounds checking and there’s a number of capabilities similar to stir copy the place you’re copying a string from a supply to a vacation spot, and it’s going to repeat your complete size of the string, however there’s no indication in that perform of the scale, say of the vacation spot array. And so stir copy will simply do what you ask it to do, which is copy from this sources, this vacation spot, with out checking to see if there’s room for that, to make that replicate of string contained in the bounds of that vacation spot object.

Robert Seacord 00:21:00 And so the issue with the arrays, one of many issues with arrays is once you move them to a perform, they decay to some extent or two, the primary component of the array. And so when you’re contained in the perform, there isn’t any approach to decide the scale of your complete array. In order that measurement info needs to be handed to be obtainable. So capabilities like stir copy that don’t handed the scale, there’s a library capabilities, trusting you the programmer to move it an object, which can match to the vacation spot. Proper. And if it doesn’t, you’ll have this undefined habits and this doubtlessly weak code.

Gavin Henry 00:21:45 I at all times do not forget that the title of an array can also be a pointer. So once you move it right into a perform that, such as you mentioned, it, the keys to simply the pointer, you possibly can nonetheless discover out what kind of level that’s inside your perform? So is that right?

Robert Seacord 00:22:05 Effectively, I imply, the kind of the purpose is the pointers tight so, I imply, you possibly can have void pointers in C, however that’s not notably a terrific thought. So usually a string could be a char pointer, I imply, usually, I imply, accurately, it might be a char pointer. However you don’t understand how lengthy it’s. And even, the concept that it’s an array shouldn’t be essentially the case, proper? It may simply be a pointer to a single character.

Gavin Henry 00:22:41 So do it’s a must to take into consideration what may I’ve seen the place they move within the lens? They often lose one of many normal capabilities, string lands, however once more, that perform has to determine how lengthy the string is. So do it’s a must to take an additional step and ensure it’s not terminated? Or do you’ve got, or is there one thing that we will attain to so we don’t have to consider any of this for strings? What do you advocate?

Robert Seacord 00:23:08 So once more, there’s no string kind, there’s no premise string kind. So it’s an array and the definition of a string is that mainly there’s no character earlier than the sure, proper? So if there isn’t any character earlier than the sure, it’s not truly a string, itís a personality array, proper? And that’s okay. It’s okay to have a personality array in C, it’s outlined habits. Nevertheless it turns into undefined habits when you move a personality array right into a stirling perform. As a result of it’s going to look at every component of that character array for no character. And it’s going to proceed in search of no character to search out one. So if string size, which once more it doesn’t take a measurement, it doesn’t know what measurement the string is that it’s analyzing. If it doesn’t discover a no character earlier than the sure, it’s going to proceed to search for a match by reminiscence for no character. And as quickly as that perform, accesses storage past the bounds of the array, it’s now undefined habits, proper? And after getting undefined habits in your code, all bets are off. That program can now exhibit any kind of habits. So there’s definitely requirement to make sure that any string you move to a string perform is definitely a string, that means that it has no termination earlier than the sure.

Gavin Henry 00:24:41 Yeah. I’ve seen a few of the documentation on a few of the string capabilities that look to work across the area. Then they are saying, if there’s no unknown character discovered at that size that you simply move, then we’ll ensure there’s one there.

Robert Seacord 00:24:58 Proper, and a number of capabilities, newer form of safer capabilities will make sure that after they create a string, that it’s going to, will probably be correctly, no terminated. If you happen to, when you maybe give it extra knowledge than it has room to retailer in no matter sized object you’ve got, then it would overwrite the final character making an attempt to retailer with a no character. So that you’ve bought a correctly, no terminate string. And so I imply this alternative of a datatype was made early on and will very nicely be the mistaken knowledge kind. I imply perhaps having a measurement adopted by the string and never utilizing a no termination, perhaps that will have been a greater extra environment friendly, safer design, but it surely’s not one thing that’s more likely to change at this level within the, within the evolution of those languages.

Gavin Henry 00:26:02 And I believe to maneuver on to quantity two on my checklist now, I believe we’ve touched a bit bit on it and I’ve known as this buffer overruns and underruns, and I believe you’ve helped me perceive the query I used to be going to ask within the part the place in my venture, primarily, Peer one, I’ve bought some errors on my ID the place I’m doing a, I believe it’s a string and examine some, mainly checking a URL that is available in to see if it matches the info to considered one of my capabilities. So I’ve bought the URL and I’ve bought how the scale of how lengthy it went to look alongside the array of chart to discover a match mainly. So I’ve given it a max paths size, I believe it’s of 1,024 or one thing. However my ID says, I shouldn’t examine that URL string longer than the strings there, regardless that it finds a match. So my duties all work, as a result of I believe that’s simply what you’ve defined there. As soon as it will get previous the chart of the array of chart, which could not be a string I exploit not terminated, all bets are off as a result of it’s on the positive habits when it will get to say chart 101 of the URL, that’s 100 chart lengthy.

Robert Seacord 00:27:21 You positively can’t look at characters past the bounds of that object, past the bounds of that character array.

Gavin Henry 00:27:31 Sure so I believe when the URL is available in, you’ll want to do a measurement examine on it after which ensure you’re not checking previous that from match, is that the proper approach?

Robert Seacord 00:27:40 Sure. I imply, so that you’ve bought a max path buffer that you simply’re storing it in. So that you’ve bought that quantity of room for that array, however you’re evaluating it to a different string. And so that you don’t need to exceed the bounds of both of these character array.

Gavin Henry 00:28:04 Truly the string and examine. So I’ve bought the URL on the size of the string that I need to examine towards. So like 4 slash house, I need to ensure that goes to the best place or about, or one thing about web page and I’ve bought a max size. So it’s going alongside that string for so long as I handed size for when it says thatís unhealthy, however you don’t understand how lengthy the trail is till you’ve calculated the trail. We sort of get on this hen and egg kind state of affairs. However yeah. So after we speak about going previous the tip of array, that will be an overrun? Is {that a} buffer overrun? Or is that an underrun?

Robert Seacord 00:28:46 So there’s these phrases that they kicked round in safety like buffer overflow and buffer underrun and overrun. And I don’t know what any of these phrases imply. I imply they’re sort of loosely used phrases in safety, however they don’t have very exact definitions. So within the C language, actually, we simply speak about an entry exterior of the bounds of an object. And we don’t care about what that entry appears like, proper? So you possibly can begin originally of an array and you’ll increment some extent or an index after which run off the tip of the array, proper? And that’s an out of sure entry. You would possibly name {that a} buffer overflow. After which you possibly can begin on the finish of an array and you possibly can detriment the pointer and you’ll run off that finish of the reminiscence.

Robert Seacord 00:29:42 Typically you’ll simply form of arbitrarily leap from, you may need some form of integer right here and leap from accessing an array to some random place and reminiscence. And once more, I don’t know what that’s known as. That’s a buffer overflow or buffer overrun, but it surely’s simply, it’s positively an entry exterior of the bounds of that object, which is undefined habits. You possibly can’t take some extent or two in an array and you’ll add or subtract interger worth to it. So long as the pointers nonetheless refers back to the similar array or to 1 path that array the too far component. But when the pointer you type from that pointer arithmetic, is exterior of that sure, it’s simply undefined habits. And what you name it, sort of varies. There’s it’s a bit bit unrelated, however individuals like to speak about integer overflow and integer underflow in C, however there’s truly no such factor as integer underflow. That’s simply somebody’s creation. You probably have an operation into operation at types of worth, that may’t be represented, that’s integer overflow there’s there isn’t any such factor as integer underflow, however individuals like to make use of that time period for no matter motive.

Gavin Henry 00:31:07 Effectively, it’s a great rationalization. Thanks. So we’ve carried out one thing right here the place we’ve gone exterior the bounds of what we’re making an attempt to do. The third factor on my checklist is what I’ve known as reminiscence leaks. So once you request some reminiscence from the working system with one of many allocation capabilities and also you don’t free it, so that you get what I believe is named the mistaken time leak, runtime leak or corrupt reminiscence. So runtime could be the place you’re regularly asking for this reminiscence, however you’re not liberating it. So that you’re utilizing greater than try to be. Is {that a} right definition?

Robert Seacord 00:31:47 Thereís a number of stuff that was barely mistaken in that query.

Gavin Henry 00:31:53 Thatís what I need to hear. Appropriate me.

Robert Seacord 00:31:55 Yeah. So for starters there’s a reminiscence allocation perform, proper? Malik Cadillac, realigned Alec, and none of those immediately request reminiscence from the working system. Proper? So the method has a reminiscence allocator that runs as a part of the identical course of base, proper? And so your reminiscence allocator will request a really massive block of reminiscence from the working system, after which it would handle that. And so once you make a name to Malik, it’s allocating storage, is allocating a chunk of storage from this massive block of reminiscence that the reminiscence managerís managing throughout the course of, proper?

Gavin Henry 00:32:38 So a part of the kernel that’s doing this reminiscence administration?

Robert Seacord 00:32:42 No, it’s all in your course of. So the reminiscence administration, you’re going to hyperlink to a library and that library has implementations of stir copy and Malik, and all of those capabilities run as a part of your executable, in your course of.

Gavin Henry 00:32:58 So this isn’t like a reminiscence pool that I’ve created. That is one thing to do with how I execute invoice has created?

Robert Seacord 00:33:05 So I imply, once you begin up, the reminiscence supervisor goes to go to the working system, itís going to get a block of reminiscence. However then as soon as it will get this massive block, which is mainly the heap, your reminiscence supervisor shouldn’t be going to handle that heap storage for you. So, once you make a request to Malik, that’s going to execute the Malik perform, which is a part of this reminiscence supervisor implementation. And it’s going to say what’s the subsequent obtainable variety of the subsequent obtainable block of reminiscence that’s no less than this variety of bytes massive, and carve that off this larger block and return that to the person. In order that whole course of doesn’t contain the Kernel at that time, proper? That blocks thatís been carved out. The one time they’ll Kernel would possibly turn into concerned once more is when you fully use all of the allotted reminiscence from the working system, you would possibly then search to form of prolong that. However that one implementation doesn’t essentially, I imply, the opposite risk is that at that time, that location would fail for an insufficient reminiscence.

Gavin Henry 00:34:23 Okay and so after we’re speaking about these bounce issues that occur, I’m not going to make use of the phrase overrun or undrawn okay. Does it make a distinction if it’s over, does one thing I’ll bounce into reminiscence that we haven’t freed, or are we contained inside what the reminiscence allocation device has given us from reminiscence? Or is it simply undefined? Is there a distinction between, so we’ve corrupt a few of our personal reminiscence usually are not free to, after which considered one of these array operations we’re doing finally ends up making an attempt to enter that it’s simply undefined or? What Iím making an attempt to ask is, once you see exploits of most of these issues, and there, they know that we’re not cleansing up reminiscence, or there’s some kind of reminiscence they’ll get to with this exploit to run their very own code. How do they predictably get out that if this stuff had been all fairly undefined and random?

Robert Seacord 00:35:23 Effectively, an undefined is a time period utilized by the usual, proper? So, the usual says, merely we haven’t outlined what occurs right here. And so specific implementation is in fact, goes to do one thing. And since it’s not outlined by the usual, what it does, you as a programmer don’t actually know what it does, proper? So typically the implementation form of align along with your expectations of program or what kind of habits you’re going to get, during which case you possibly can have code, you possibly can have executable generated from code containing undefined habits, which is definitely right, however extra generally when you’re invoking undefined habits that means that you simply don’t have an accurate understanding of the language, with reference to that habits. And almost certainly the code is ISRA. Now after we speak about reminiscence, warmth reminiscence, there’s a number of lessons of potential errors, which might result in vulnerabilities. The primary one, which we’ve sort of mentioned in arrays, buffer overflows, proper?

Robert Seacord 00:36:38 So buffer, overflows can happen in any reminiscence section to allow them to happen within the stack, within the knowledge section or within the heap. And the consequence is, so an overflow within the heap, and anytime you write exterior the bounds of an object, itís undefined habits.

Gavin Henry 00:36:57 Are you able to outline the stack within the heap briefly simply in context?

Robert Seacord 00:37:01 So the stack within the heap, I imply Iíll say, Iíll begin out by saying that neither idea is outlined within the C normal. So these are sort of like implementation ideas, however usually a stack is a knowledge construction which helps program execution by permitting you to have a perform that calls one other perform after which creates a stack body for perform that it’s calling the place it preserves all of the native variables and arguments which might be being handed to that perform and so forth.

Robert Seacord 00:37:42 After which that perform may name one other perform and that perform may recurse, proper? So you possibly can wind up with a number of cases of the identical perform on the stack. After which as soon as the perform returns, the stack form of unwind. So you’ll flip again to the calling perform and re-established that perform stack body so it has entry to the native variables. And so the execution stack is a knowledge construction to permit for this mainly purposeful type of programming. In order that’s a stack and typical variable that you’d declare within a perform, a non-static variable, when you simply have a perform app and also you IDE, that variable an computerized variable, that’s declared within the scope of that perform. And what occurs is once you name that perform, a stack body will get created for that perform and cases that variable will get allotted on the stack, proper?

Robert Seacord 00:38:44 And so as soon as that perform returns the lifetime of that, that variable ends, and it may possibly now not be accessed. So that you’ve bought two different knowledge segments. You’ve the info section, which is the place static variables go and static variables, will the place variable are, they’ve the identical lifetime as that of this system. So that they’re at all times accessible. And that’s the place you would possibly maintain a counter or one thing, proper? The place perform will come, you’ll name a perform node, you’ll increment this counter, the perform will exit, however the rely will nonetheless stay as a result of it’s a worldwide variable. And international variables have their makes use of and so they have their issues. However the subsequent kind of the subsequent section is the heap. And the heap is the place dynamically allocate storage exist. And the heap means that you can allocate storage as you want it throughout program execution.

Robert Seacord 00:39:52 And people objects persist till they’re explicitly de-allocated or destroyed. So, these have their very own sort of lifetime. It’s based mostly on you, allocating and de-allocating.

Gavin Henry 00:40:08 In order that’s the place the leak may occur. Corrupt.

Robert Seacord 00:39:12 Yeah. So there’s the buffer overflows on the heap, and people are exploitable and the way they’re exploited depends upon the implementation of your reminiscence supervisor. Some reminiscence managers implement the knuth algorithm, which makes use of every boundary tags the place you’ll have management constructions earlier than and after every allotted blocks. So when you write past the bounds of the allotted object, you’ll begin overriding these management constructions within the heap, corrupting the heap, and an attacker may overwrite these constructions mainly once more, to our safety per informed. And the specifics of that depend upon the implementation of the allocator.

Robert Seacord 00:40:58 However there’s additionally two different lessons of issues, no less than two different class issues with reminiscence, allotted reminiscence. So, one is you allocate reminiscence, and you then fail to deallocate to launch it. That’s a reminiscence leak. And a reminiscence leak might be benign in case you have a brief working program and also you don’t ever exhaust reminiscence. However in case you have one thing like a server that’s going to run for prolonged durations of time, because it runs, if it’s persevering with leaking reminiscence, that reminiscence is now not obtainable to the reminiscence allocator to allocate to the method. So ultimately that system goes to exhaust reminiscence and that kind of defect as soon as that occurs, your server’s not going to be very efficient at serving. As a result of it’s going to start out having reminiscence failures and always be in a state of making an attempt to get well from reminiscence errors.

Robert Seacord 00:42:05 And in order that state of affairs is form of often known as useful resource exhaustion. And one type of assault is denial of service assault by useful resource exhaustion, proper? The place an attacker finds a reminiscence leak in your system, exploits that to exhaust your reminiscence. And now it seems that your server is operational, however truly it’s now not serving requests as a result of it’s out of reminiscence and it may possibly’t perform correctly. So out of reminiscence, failing to correctly deallocate storage when it’s now not required, can result in these kinds of denial of service assaults. The opposite downside is you possibly can by accident launch the identical storage a number of instances. And that’s sometimes called double free vulnerability. Double free vulnerability is, it appears a bit bit totally different, however it may possibly have the identical consequence as a buffer from the heap, which is that an attacker may exploit that to execute arbitrary code. So double free can also be fairly harmful form of coding error.

Gavin Henry 00:43:17 Would you be capable to give an instance of, I do know it’s laborious as a result of it depends upon this system on implementation of the place it’s working and issues, so far as I perceive it. However how can an attacker exploit what you simply defined with a double free, or an over or beneath on how did they get this code. Is it assembling language that they put within the code and so they inject that into this reminiscence of space, space of reminiscence? Or what does that appear to be?

Robert Seacord 00:43:45 So if we simply mentioned simply form of a fundamental exploit

Gavin Henry 00:43:53 Put in your title or one thing, I donít know, one thing actually.

Robert Seacord 00:43:57 Yeah. In unbiased of the error, what can occur is an attacker can inject executable directions into your course of reminiscence, and it may possibly actually try this on any enter operation and there’s legitimate, there’s executable codes, it appears like legitimate ASCII. Executable codes that appears like legitimate UTF strings. So no matter kind of string you’re inputting, it’s at all times a good suggestion to validate that string to the extent potential, however typically you simply can’t, typically it’s simply sort of a string knowledge.

Gavin Henry 00:44:38 That factor you actually bought a great part in your Efficient C guide on validating this system arguments on the commodity. I discover it actually in depth.

Robert Seacord 00:44:48 Oh, thanks. And I imply, safe coning and C and C++ actually goes into these exploits extra. The Efficient C guide is supposed extra of an introductory textual content it. So I don’t attempt to go too in depth in how exploits or easy methods to write exploits. However I attempt to write that guide to supply sort of a powerful basis to programmer.

Gavin Henry 00:45:15 I believe that’s why I prefer it a lot.

Robert Seacord 00:45:18 Thanks. I imply, in a approach when you code accurately and also you keep away from undefined behaviors, your code is safe. You don’t want to know the way it could be exploited, however the research of form of how code is exploited is actually motivational. It’s for individuals like, oh I’ve bought legacy code base with tens of 1000’s of errors. So how do I prioritize that? And so that you sort of speak about what the varied errors are, how they are often exploited, the way you would possibly mitigate towards these issues with typically form of runtime methods, which might shield towards exploits of all of those. After which additionally about safe coding practices, easy methods to accurately code. So it was not exploitable. However getting a legacy system poorly written, legacy system to be safe could be a vital funding in rewriting and bettering the code.

Gavin Henry 00:46:23 Yeah. I believe you’ve touched properly on to quantity 4, which is on my checklist, which has inputs. So I’ve bought some inquiries to do with processing command line arguments, environmental variables, defensive programming, how community visitors is processed about runtime into knowledge constructions, issues like that. I believe simply actually understanding, listening to what you defined with them, the reminiscence leaks and assault vectors. It simply depends upon how the enter is coming into your program and also you processed it accurately. That could possibly be the, the way it’s once you see the CVE exploit much less, and it says, there’s a double free or a buffer earlier than or one thing in sure conditions doing this, if the wind’s blowing Northwest and also you’re sporting your favourite jumper, this would possibly get exploited kind factor. It simply depends upon the way it’s coming into that program and what this system does. Is {that a} honest abstract?

Robert Seacord 00:47:24 Yeah. A few of it’s fairly difficult, proper? I imply, so that you’ll take a look at some supply code and it’ll have some undefined habits and it could be on this platform, beneath these circumstances with no matter runtime protections can be found. This specific coding error received’t be exploitable, proper? However you possibly can run that on. You could possibly port that to a unique system. You could possibly run on a unique platform, you possibly can change one thing concerning the runtime setting, or you possibly can improve your compiler the place the compilers now used to do one factor with an undefined habits, however now it’s now they’ve developed an optimization that takes benefit of that undefined habits to enhance your efficiency. And now an issue which was the error was at all times current within the supply code, however now due to this new optimization, that executable has been modified.

Robert Seacord 00:48:28 And it’s now weak to assaults. So typically, many instances it’s simpler to restore the code than it’s to know all of the potential safety penalties of an exploit. So some instances the place it’s low-cost to repair, often simply make sense to repair it. I imply, there’s some instances the place when you put some code on the Mars Rover and also you landed on Mars, proper? It’s a bit extra concerned to restore that code, proper? So that you need to analyze that defect extra. You need to analyze that vulnerability extra to search out out whether or not it’s how a lot it was safety danger is, is it price repairing or not, however many instances it’s simply simpler to you to make the restore to the supply code as a result of that’s the tip outlined behaviors eradicate it, you shouldn’t have vulnerabilities normally. Now there are vulnerabilities which might exist absent of undefined habits. These might be logical errors or simply easy issues like a reminiscence leak, proper? So in case your program by accident prints out or logs some personally identifiable info, it doesn’t essentially need to have undefined habits to do this. Proper? So you possibly can have, I virtually need to use the phrase insecure by design the place there’s not,

Gavin Henry 00:50:05 This has nothing to do with C, that’s simply engineering software program, engineering shouldn’t be proper?

Robert Seacord 00:50:10 Proper.

Gavin Henry 00:50:12 Okay. And I believe that was a great abstract. And so with an improved compiler, may that cart to double free, if it’s monitoring the quantity of instances you freed one thing or what? A rubbish assortment system?

Robert Seacord 00:50:28 Oh yeah. Effectively, C doesn’t actually have rubbish assortment.

Gavin Henry 00:50:33 That was simply an instance.

Robert Seacord 00:50:34 Yeah. So double free, these kind of errors, there are methods to catch it. Proper? So, one mechanism is simply to, so compiler does some evaluation, proper? It doesn’t do a number of evaluation. So there’s, they’re static evaluation instruments that do extra depth, extra in-depth evaluation.

Gavin Henry 00:50:56 So I’m going to the touch on within the subsequent part, I’ve actually loved this center part. So again transfer us on as a result of we’re over our time on this. However so simply the very last thing I’ve in my checklist, as a result of I believe we’ve carried out a very good job. And I didn’t say on the time, however I actually loved their description of the inventory and the heap that made the whole lot actually clear. So the final level is, sorry, that was a foul pun. It’s dangling pointers. The place are these in what issues that they precipitated only a minute or two, after which we’ll transfer on to the instruments that can assist you be a greater programmer.

Robert Seacord 00:51:30 Effectively it definitely precipitated unhealthy puns, however the issue with a dangling pointer is that it could lead on sort of immediately to 2 lessons of exploitable defects, proper? One being double free, which we’ve simply mentioned, proper? So when you free a pointer and also you don’t assign it to know, you possibly can free that pointer a your second time and we’ve already mentioned that may be weak. If you happen to do set it to know, and also you free a no pointer, that’s a no ops. In order that has no, no impact on the code. The opposite downside with that dangling pointer is that it’s now pointing to reminiscence, which has been deallocated probably deallocate it after which reallocate it. So writing to that time, or is now undefined habits and say for that storage is deallocated you write to it, when you deallocate storage, the reminiscence supervisor takes it over and it’d use the sort of person area to insert management constructions in an effort to observe, maintain observe of free blocks of storage. So when you write to those dangling pointers, once more, you possibly can overwrite these management constructions, corrupting the heap, and doubtlessly doing that in a approach, which once more, makes it potential to execute arbitrary code.

Gavin Henry 00:52:50 Yeah. I’ve seen that in loads in one thing that I do and in my code and in Guisetís guide who I had on the present and who you realize since you work with them and Requirements, Episode 414, and likewise a shout out to your artwork’s name for the IEEE safe coding and C and C++, and strings and integers and your different article on Efficient C. How I’ve bought these hyperlinks within the present notes, however all his, and I believe in your code examples, after free, the pointer is ready to zero, which is the null. Wonderful, that was a very good protection. Within the final part, I don’t have as a lot time as I hoped, however we’ve carried out a great in some crossovers right here. So we’ve bought IDs and issues that we use as we’re working the code that try to give us as a lot assist as potential. We’ve bought a form of constructed instruments, however you talked about earlier static and dynamic evaluation. I believe you talked about dynamic evaluation however Iíll talked about it in right here anyway. So what static within the now and dynamic evaluation and the way do they assist?

Robert Seacord 00:54:00 These are simply sort of instruments and approaches to investigate the code and perceive what it does and what potential defects it may need.

Gavin Henry 00:54:14 So I appears on the supply code, the bodily recordsdata. Effectively, not bodily, the tax file.

Robert Seacord 00:54:19 So static code evaluation, it appears like a bit a compiler, proper? So it builds your supply code and construct usually in summary syntax tree. So it creates a construction after which it’d construct some further graphs that may be analyzed. And you then’ll have a collection of guidelines the place you say I don’t need to free a pointer after which free a pointer a second time. And so the static evaluation will look at the graphs of the supply code, the summary syntax tree. And it’ll search for totally different structural, very structural defects within the code, or doubtlessly do some path evaluation or some knowledge circulate evaluation. So static evaluation tends to be excellent at discovering, say structural issues in a program it’s not pretty much as good at knowledge circulate and management circulate kind.

Gavin Henry 00:55:19 There are issues which have caught me on that is the place you returned from the perform as a result of that is an error, however you haven’t freed what youíve allotted beforehand. That’s at all times one thing that I discover in my stuff.

Robert Seacord 00:55:34 There’s some issues which might be pretty amenable to a stack evaluation, however incessantly reminiscence administration concurrency, these aren’t at all times discoverable by stack evaluation. So typically dynamic evaluation is simpler to search out these kind of issues. And so that you do have issues like deal with sanitizer and thread sanitizer that obtainable in claying and GCC and, and these allow you to and a wide range of different merchandise, however these help you instrument the executable. After which as soon as it’s instrument that you simply’ll train it, utilizing no matter number of exams you’ve got obtainable, maybe utilizing fuzz, fuzzers to drive the code with numerous inputs. And these interment executable is now we’ll be capable to mainly lure on any form of violation. So their very dynamic evaluation is simpler at discovering issues just like the NAMIC reminiscence points and concurrency points, mainly at run time.

Gavin Henry 00:56:52 A few of the issues that you simply’ve talked about in your guide that I’ve performed with and I utilized in my tasks is the sanitizer ones. The Tsan, which is the thread one, Asan which you talked about as nicely. The deal with sanitizer for reminiscence issues, after which the Ubsan, which is the undefined habits the place I appear to search out errors utilizing these is after I’m working my check suite, as a result of I’m not as cautious as I’m truly working the core product because it had been. I at all times discover points the place I’ve set the duty case by I haven’t torn it down or one thing you realize. Which is sort of a biggie and it is best to kind out as you discover them. After which a few of the different instruments I see different individuals use because the sanitizers, the clang sanitizer one that you simply talked about, after which there’s a great deal of, I believe loads, you talked about a couple of in your guide, however when you’ve bought an open supply venture, it’s fairly simple to get entry to all these free instruments. However I believe most of them are business. Iíll put the hyperlinks into my present notes for that.

Robert Seacord 00:57:56 And I don’t know the place to go together with this. I imply it actually, C is troublesome language.

Gavin Henry 00:58:05 It’s easy, but it surely’s merely laborious as nicely. Isn’t it?

Robert Seacord 00:58:10 Easy. I’m unsure. It’s smaller than different languages. And so I assume from that respect, you possibly can say it’s easy, however thereís so many layers to it that I’m nonetheless peeling after I began programming C in ë95. So it was nonetheless peeling after.

Gavin Henry 00:58:33 And what kind of issues have you ever give you releasing lately that stunned you?

Robert Seacord 00:58:38 So right here’s a great one. This was in all probability the latest factor that stunned me. So you possibly can outline an Enum and you’ll have an enumeration fixed, which has a sort, which is totally different from the bottom kind of the enumeration kind.

Gavin Henry 00:58:57 Arenít Enum simply imagined to be a factor that meant one thing to you?

Robert Seacord 00:59:04 Effectively, there’s this query. There’s at all times this query of what’s the kind of this stuff, proper? So that you write enum colour, purple, inexperienced, blue. Okay. So what kind are these issues?

Robert Seacord 00:59:12 So there’s a powerful tendency to, nicely, the usual will say that the numeration constants the purple, inexperienced, blue, these ought to all be INT, however you possibly can say, for instance, you possibly can move your GCC to consumer, flag, which says use you quick enumeration content material. So in a case like that, purple, inexperienced, blue GCC, your declare would possibly say, oh I’ve solely bought three values, 0 1 2. I can simply match that non signed char. So I’m going to avoid wasting numerous storage and make this time signed char. So now you’ve bought the bottom kind of this object is unsigned char, however the kind of every enumeration fixed is INT. And largely you don’t discover this, however there are instances the place say you’re doing generic programming and also you’re making an attempt to execute some specific code based mostly on the kind of one thing. It would come as a shock to individuals to find that the kind of the fixed is totally different than the kind of the enum object. That’s considerably shocking. That’s the one which’s bought me most lately.

Gavin Henry 01:00:36 You talked about one thing there that what’s the purpose of a signed char and an unsigned char. simply trigger you talked about it?

Robert Seacord 01:00:43 Effectively, signed char and unsigned char mainly small integer varieties. If you wish to characterize a personality, it is best to use char plain char and all three of these varieties are totally different and incompatible varieties.

Gavin Henry 01:01:00 Good. Okay. Simply earlier than we begin wrapping up the present, simply to place some extra meat into the device part, a great cowl of static and dynamic evaluation. We’ve talked about the Tsan and Asan and Ubsan.

Gavin Henry 01:01:18 However over the present we spoke about Annex Ok, is that one thing that we will truly use at this time? Itís been out for some time. You talked about that in your guide and Jens talked about it in his. Do you advocate it?

Robert Seacord 01:01:34 Yeah. I prefer it. There are two college of ideas there and we voted on this within the committee a few instances and the group is equally divided on this half. The group hates it, half the group likes it. And since it’s in the usual, you possibly can’t eradicate it. You possibly can’t change the usual with out consensus, proper. It’s the established order, except you possibly can’t add something, you possibly can’t take away something with out consensus. And a few of the historical past of this, it began with Microsoft again within the 90ís as a response to some well-publicized vulnerabilities. And mainly it form of improves upon the prevailing string library capabilities by usually including a further argument, which specifies the scale of vacation spot array. So now once you name these capabilities, they’ll decide that there’s not sufficient room on this vacation spot array to make a replica of this string.

Robert Seacord 01:02:40 And so reasonably than write past the bounds of the item, I’m simply going to point an error both by invoking a runtime constraint handler or returning an error worth. And so I like these, I believe they enhance, they made it simpler for novice programmers to keep away from buffer overflows and undefined behaviors. Corporations like Cisco have used these extensively and swear by them. They declare to have had vital enchancment in high quality and safety is a results of utilizing these capabilities. So they’re obtainable claying and GCC. Lots of the distributors form of don’t like these libraries that could be as a result of they originated from Microsoft or could possibly be different causes, however there are third get together model of those libraries that you could obtain and use and they’re normal API. So I like them. I might advocate their use.

Gavin Henry 01:03:52 To complete off this part there’s requirements that we speak about. There’s the CERT C pointers, proper. I keep in mind listening to indicate by SQL Lite, how they spend a yr getting their C code as much as some medical requirements. Can’t keep in mind what it was. Is {that a} factor? Is that’s one thing youíve heard of? Some kind of medical requirements the place that code is appropriate to be deployed and medical gear, I’ve to do some extra seek for that. Okay, so I believe that was actually good to start out wrapping up. So clearly C is a really highly effective language with a powerful historical past and deployment base. But when there was one factor a software program engineer ought to keep in mind from our present, what would you want that to be? If we haven’t coated that or simply one thing you wished to deliver to the highest?

Robert Seacord 01:04:43 Okay, I’ll say this, we didn’t spend a number of time speaking about IDs, proper? However there’s an fascinating factor individuals say about C programmers is that C programmers are a bit annoyed by form of compiler diagnostics and so they need to get previous that to allow them to get to the true job of debugging this system, proper? And there’s one type of programming, which is that this trial and error, proper? So you’ve got a little bit of an issue. You Google, you go to stack overflow, you discover a code instance, you copy paste that into your system and also you tweak it. You compile it. It doesn’t compile there’s some diagnostics. Oh yeah. Ms. Title is variable misspells. It makes you enhancements that compiles and you then run it in, it doesn’t fairly run.

Robert Seacord 01:05:49 So you modify one thing and now you get a run that succeeds and also you’re like, cool, that’s working onto the subsequent factor. And so this type of strategy of trial and error, it may possibly get to a program which, which works in a sort of, optimum situation, proper? Nevertheless it doesn’t imply that packages. Appropriate, proper? You don’t understand how that program’s going to cope with sort of surprising knowledge. And we talked concerning the enter validation briefly, however actually your code has to work with all potential knowledge values, proper? There can’t be any inputs for which this system’s going to exhibit incorrect habits. In order that’s the purpose of enter validation and programming on the whole, proper? Just remember to cope with all, all potential combos of knowledge. So to do that trial and error is actually inadequate. It’s essential perceive the language, you’ll want to perceive the code you’re writing and ensure you perceive all potential instances that you simply’re contemplating kind conversions. You’re contemplating integer overflow and all these.

Gavin Henry 01:07:14 I switched to on Mesa, simply use tax, or I believe wherever you utilize and there’s a great deal of C plugins, and the period of time you save by simply taking a look at what will get highlighted or earlier than you even clicked construct, otherwise you’ve run a command. Most of your issues are solved when you simply take note of the,

Robert Seacord 01:07:35 Yeah, it helps loads, but it surely’s nonetheless positively insufficient as a result of all of the tooling, isn’t going to search out all the issues. So it’s useful to know the language you’re utilizing. And you possibly can obtain that by coaching lessons. You possibly can obtain that by studying. One factor I did after I form of transitioned from being a programmer to a safe coder is I spent a while, largely in visible studio and I might, I’d write a bit little bit of C supply code and I might form of predict in my head what kind of meeting could be generated from that code. After which I might compile it after which I might be stunned. I might return and skim the usual, like, okay, now I perceive. And so, ultimately I bought to the purpose the place I may efficiently predict the meeting code that’s being generated. Till you get to that time, your understanding of the language is form of falling quick, proper?

Gavin Henry 01:08:41 Yeah, there’s one thing to be mentioned for simply truly experimenting and I wish to name it “proving it to your self,” mainly have the belief and write a process or one thing.

Robert Seacord 01:08:55 Yeah. And what I do is ideal some code proper. The place I gained a number of confidence. I perceive this, I do know what that is. I can use this and now I’ve bought a sort of a reusable element I can use, but it surely’s fairly harmful to form of simply throw in a bunch of issues as a result of they’re there with out actually understanding but. So, I imply, perhaps it’s extra enjoyable, but it surely doesn’t essentially produce safe methods.

Gavin Henry 01:09:28 So, simply to summarize earlier than we shut up the podcast, what one factor would you want them to recollect? Is that, be good along with your IDE, choose a great one, or show your assumptions, or what would you want them to recollect out of that?

Robert Seacord 01:09:48 I might say the perfect time to keep away from the defect is once you’re coding. It’s higher to write down right code initially than it’s to attempt to discover and restore defects downstream. I imply, right coding, high quality code, safe code, it’s troublesome to attain. And you really want to make use of all of the obtainable instruments and processes and self-discipline to get near reaching that. However yeah, an important factor is form of writing code securely to start with.

Gavin Henry 01:10:39 Thanks. If individuals need to discover out extra and discover a few of these issues we’ve chatted about, the place’s the perfect place to get in contact? You’re fairly lively on Twitter, is that the perfect place?

Robert Seacord 01:10:49 Effectively, I might be discovered on Twitter. I’ve a web site, RobertSeacord.com, I believe the place I’ve bought some errata for the Efficient C guide.

Gavin Henry 01:11:04 I believe you’ll want to replace your SSL certificates as I used to be taking a look at it final week and it was complaining that it was insecure of all issues. Okay. So your Twitter account and your web site.

Robert Seacord 01:11:16 You possibly can look there. I’m on LinkedIn, as nicely. I’m not very laborious to search out, I don’t have any handles anyplace.

Gavin Henry 01:11:25 I assume it’s @RCS on Twitter for those who need to go there right away. Okay. Robert, thanks for approaching the present. It’s been an actual pleasure. That is Gavin Henry for Software program Engineering Radio. Thanks for listening. [End of Audio]