[Cryptography] bounded pointers in C
Jerry Leichter
leichter at lrw.com
Fri Apr 18 13:22:02 EDT 2014
On Apr 18, 2014, at 8:53 AM, Peter Fairbrother <zenadsl6186 at zen.co.uk> wrote:
> Now if C had proper bounded pointers for strings and arrays, then using malloc and memcpy would throw out a big flag - why on Earth are you using this dangerous stuff instead of the nice safe string/array commands? - but as C doesn't have nice safe string/array commands ...
I've always thought that Modula-3 had the right idea: It supported two "worlds" at the same time. Most code only had access to a GC'ed, fully safe, memory allocator. But there were a set of "unsafe" operations, including a complete equivalent of malloc/free and low-level access equivalent to C. You could only use this in modules explicitly marked with the UNSAFE keyword. The Modula-3 GC could be (and was) written in Modula-3, as a (partially) UNSAFE module.
A couple of years later, there was an OS project - called, I think, SPIN - that built the entire OS in Modula-3. They used only a tiny amount of UNSAFE code. One area that's often full of bit-twiddling and type munging is network code, where you somehow need to convert a bag-of-bytes into some typed object. The SPIN team added an interesting primitive: "Here's a bag-of-bytes with the same size as an object of type X. View it as an object of type X." This was legal only if every field in X, recursively, had a type for which any bit pattern was legal. (I'd guess - but don't know - that you could have enum type values, with the compiler inserting a check that what was in the buffer as an enumerated value was actually legal. It may have done this for some other types as well - e.g., there was a CARDINAL type which was a subset of INTEGER and consisted only of the non-negative values.)
Many of the ideas in Modula-3 made it into Java, though the UNSAFE operations did not. (Native code badly fulfills the same role.) I believe C# went back to the same well and *did* include something much like Modula-3's UNSAFE code and non-GC'ed memory hierarchy. Beyond those influences, however, both Modula-3 and SPIN died.
-- Jerry
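Added example, not code from the thread: a C sketch of the two ideas above. A bounded pointer (base plus remaining length) makes every read check its bounds, and a "view a bag-of-bytes as type X" function is only allowed when the buffer is exactly the size of X and every field whose type does not admit all bit patterns (here an enumerated kind and a CARDINAL-like non-negative count) is validated before the typed value is handed out. The wire layout, the `msg_header` type and the sample buffers are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical bounded pointer: base address plus remaining length.
   All reads go through bounded_read(), which refuses out-of-range access. */
typedef struct {
    const uint8_t *base;
    size_t len;
} bounded_buf;

/* Hypothetical 12-byte little-endian wire header.
   magic and payload_crc accept any bit pattern; kind and count do not. */
enum msg_kind { MSG_HELLO = 1, MSG_DATA = 2, MSG_BYE = 3 };

typedef struct {
    uint16_t magic;
    uint16_t kind;        /* must be one of enum msg_kind */
    int32_t  count;       /* CARDINAL-like: only non-negative values are legal */
    uint32_t payload_crc;
} msg_header;

#define MSG_HEADER_WIRE_SIZE 12

/* Overflow-safe bounds check, then copy n bytes starting at off. */
static bool bounded_read(const bounded_buf *b, size_t off, void *out, size_t n) {
    if (off > b->len || n > b->len - off) return false;
    memcpy(out, b->base + off, n);
    return true;
}

static uint16_t le16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* "View this bag-of-bytes as a msg_header": sizes must match exactly, and
   the fields whose types reject some bit patterns are checked explicitly,
   which is the check the SPIN compiler would have inserted for you. */
static bool view_as_msg_header(const bounded_buf *b, msg_header *out) {
    uint8_t w2[2], w4[4];
    msg_header tmp;

    if (b->len != MSG_HEADER_WIRE_SIZE) return false;

    if (!bounded_read(b, 0, w2, 2)) return false;
    tmp.magic = le16(w2);
    if (!bounded_read(b, 2, w2, 2)) return false;
    tmp.kind = le16(w2);
    if (!bounded_read(b, 4, w4, 4)) return false;
    tmp.count = (int32_t)le32(w4);
    if (!bounded_read(b, 8, w4, 4)) return false;
    tmp.payload_crc = le32(w4);

    /* Field-level validation for types that do not admit every bit pattern. */
    if (tmp.kind != MSG_HELLO && tmp.kind != MSG_DATA && tmp.kind != MSG_BYE) return false;
    if (tmp.count < 0) return false;

    *out = tmp;
    return true;
}

/* Constructed sample inputs (little-endian): one valid header, one with an
   unknown kind, one with a negative count, one that is too short. */
static const uint8_t good_wire[12]      = {0x34,0x12, 0x02,0x00, 0x10,0x00,0x00,0x00, 0xef,0xbe,0xad,0xde};
static const uint8_t bad_kind_wire[12]  = {0x34,0x12, 0x09,0x00, 0x10,0x00,0x00,0x00, 0,0,0,0};
static const uint8_t neg_count_wire[12] = {0x34,0x12, 0x02,0x00, 0xff,0xff,0xff,0xff, 0,0,0,0};
static const uint8_t short_wire[11]     = {0};

int main(void) {
    msg_header h;
    bounded_buf b = { good_wire, sizeof good_wire };
    if (view_as_msg_header(&b, &h))
        printf("kind=%u count=%d crc=%08x\n", h.kind, h.count, h.payload_crc);
    b.base = bad_kind_wire; b.len = sizeof bad_kind_wire;
    printf("bad kind accepted: %d\n", view_as_msg_header(&b, &h));
    return 0;
}
```

The point of routing every access through the bounded type is that the raw `memcpy` on the buffer never appears in the parsing code itself; the only place it shows up is inside `bounded_read`, which is the one spot that would need the Modula-3 style UNSAFE marking.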