11/10/2005: "History's Worst Software Bugs (Updated)"
Simson Garfinkel of Wired is writing a good three-part series on bugs. The first part is a list of what he considers to be history's worst software bugs. Everybody who writes software should pay close attention to these kinds of things, because this is the kind of experience that would be wise to learn secondhand instead of firsthand.
The second part is about battling bugs. One of the things he noted, which I would agree with, is that "type safe" languages (such as Java or Python) are inadequate to protect against all bugs -- they simply move problems from one class of bugs to another. I would like to argue that hiding code behind increasing layers of abstractions also makes bugs harder to fully eradicate once they are discovered.
The third part is about a so-called secret bug squasher called the "Static Driver Verifier" developed by Microsoft. The SDV is a tool targeted at driver developers, and does static (compile-time) analysis of the sources to make sure the driver isn't doing something detectably wrong. A related tool, called sparse, was written by Linus Torvalds for the Linux kernel to do higher-than-C level type analysis. In its present form it appears to be catching some of the same kinds of bugs as SDV claims to. Such automated verification is a great thing to have, but it remains very hard to catch higher level design issues.
The article closes with an interesting and very true quote from Jack Danahy (the founder of Ounce Labs, a company that makes a semantics validator): "Most of the security risks that people face are not just bugs -- they're decisions that programmers made."
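The point made above about type-safe languages and Danahy's closing quote can be shown in a few lines. The following is an added example, not code from the post or from the Wired series; the base directory, the file-serving helpers and the sample inputs are all constructed for illustration. Python refuses the out-of-bounds read that would be a buffer overflow in C, yet the programmer's decision to validate a path with a plain string-prefix check survives untouched, and a negative index quietly becomes a different kind of surprise.

```python
import posixpath

# Constructed base directory for a hypothetical file-serving endpoint.
BASE_DIR = "/srv/app/public"


def byte_at(buf: bytes, i: int):
    """Out-of-bounds read in a type-safe language: the runtime raises
    IndexError instead of reading adjacent memory. The memory-corruption
    bug class is gone, but note that a negative index is still accepted
    and silently reads from the end of the buffer (a logic bug, not a
    memory bug): the problem moved class rather than disappearing."""
    try:
        return buf[i]
    except IndexError:
        return None


def is_safe_path_naive(requested: str) -> bool:
    """The programmer's decision: join the request onto BASE_DIR and check
    that the result starts with BASE_DIR. Type safety has nothing to say
    here; '../' segments are never collapsed, so the check is wrong."""
    candidate = posixpath.join(BASE_DIR, requested)
    return candidate.startswith(BASE_DIR)


def is_safe_path(requested: str) -> bool:
    """Corrected decision: normalize first, then require the candidate to be
    BASE_DIR itself or to start with BASE_DIR followed by a separator, so a
    sibling such as '/srv/app/public2' is not accepted by accident."""
    base = posixpath.normpath(BASE_DIR)
    candidate = posixpath.normpath(posixpath.join(base, requested))
    return candidate == base or candidate.startswith(base + "/")


if __name__ == "__main__":
    # Constructed sample requests a static checker would not flag as unsafe
    # in either version: the difference is purely in the programmer's logic.
    for req in ("css/site.css", "../etc/passwd", "../public2/x"):
        print(f"{req!r}: naive={is_safe_path_naive(req)} fixed={is_safe_path(req)}")
    print("byte_at(b'abc', 5) ->", byte_at(b"abc", 5))
    print("byte_at(b'abc', -1) ->", byte_at(b"abc", -1))
```

The naive check accepts both traversal requests; the corrected one rejects them while still serving the ordinary file. Neither version would be caught by the kind of type analysis the article discusses, which is exactly the gap between bugs the language removes and decisions the programmer makes.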