[Cryptography] bounded pointers in C

Jerry Leichter leichter at lrw.com
Fri Apr 18 13:22:02 EDT 2014


On Apr 18, 2014, at 8:53 AM, Peter Fairbrother <zenadsl6186 at zen.co.uk> wrote:
> Now if C had proper bounded pointers for strings and arrays, then using malloc and memcpy would throw out a big flag - why on Earth are you using this dangerous stuff instead of the nice safe string/array commands? - but as C doesn't have nice safe string/array commands ...
I've always thought that Modula-3 had the right idea:  It supported two "worlds" at the same time.  Most code only had access to a GC'ed, fully safe, memory allocator.  But there were a set of "unsafe" operations, including a complete equivalent of malloc/free and low-level access equivalent to C.  You could only use this in modules explicitly marked with the UNSAFE keyword.  The Modula-3 GC could be (and was) written in Modula-3, as a (partially) UNSAFE module.

A couple of years later, there was an OS project - called, I think, SPIN - that built the entire OS in Modula-3.  They used only a tiny amount of UNSAFE code.  One area that's often full of bit-twiddling and type munging is network code, where you somehow need to convert a bag-of-bytes into some typed object.  The SPIN team added an interesting primitive:  "Here's a bag-of-bytes with the same size as an object of type X.  View it as an object of type X."  This was legal only if every field in X, recursively, had a type for which any bit pattern was legal.  (I'd guess - but don't know - that you could have enum type values, with the compiler inserting a check that what was in the buffer as an enumerated value was actually legal.  It may have done this for some other types as well - e.g., there was a CARDINAL type which was a subset of INTEGER and consisted only of the non-negative values.)

Many of the ideas in Modula-3 made it into Java, though the UNSAFE operations did not.  (Native code badly fulfills the same role.)  I believe C# went back to the same well and *did* include something much like Modula-3's UNSAFE code and non-GC'ed memory hierarchy.  Beyond those influences, however, both Modula-3 and SPIN died.
                                                        -- Jerry
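As an added illustration, not code from this post, from Modula-3 or from SPIN, here is a C sketch of the two ideas in the exchange above: a bounded pointer (base plus length, so a copy can refuse rather than overrun) and a SPIN-style "view this bag-of-bytes as type X" that is granted only when the size matches and every field whose type does not accept every bit pattern (an enumeration, a CARDINAL-like non-negative integer) has been checked. The names `bounded_buf`, `bounded_copy`, `wire_msg`, `msg`, `view_as_msg` and the record layout are all made up for the example; the byte layout is host order, built by `encode_wire` from the same struct the view reads.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A "bounded pointer": base address plus length, carried together so every
   access can be checked. Names and layout are constructed for this example. */
typedef struct {
    const uint8_t *base;
    size_t len;
} bounded_buf;

/* Checked copy of n bytes from src[off..] into dst. Refuses (returns false)
   instead of overrunning either side; subtraction order avoids wraparound. */
static bool bounded_copy(uint8_t *dst, size_t dst_len,
                         bounded_buf src, size_t off, size_t n)
{
    if (off > src.len || n > src.len - off) return false; /* read past src */
    if (n > dst_len) return false;                         /* write past dst */
    memcpy(dst, src.base + off, n);
    return true;
}

/* A constructed wire record with three kinds of field:
   id:       uint32_t, every bit pattern is legal, no check required
   kind_raw: encodes msg_kind, only the listed enumerators are legal
   count:    int32_t used like a CARDINAL, i.e. it must be non-negative */
typedef enum { MSG_HELLO = 1, MSG_DATA = 2, MSG_BYE = 3 } msg_kind;

typedef struct {
    uint32_t id;
    uint32_t kind_raw;
    int32_t  count;
} wire_msg;

typedef struct {
    uint32_t id;
    msg_kind kind;
    int32_t  count;
} msg;

/* Host-order encoder used to build sample input (same layout view_as_msg reads). */
static void encode_wire(uint32_t id, uint32_t kind_raw, int32_t count,
                        uint8_t out[sizeof(wire_msg)])
{
    wire_msg w = { id, kind_raw, count };
    memcpy(out, &w, sizeof w);
}

/* SPIN-style "view this bag-of-bytes as type msg": allowed only when the
   buffer is exactly the object's size, and each field whose type does not
   accept every bit pattern is validated before the view is granted. */
static bool view_as_msg(bounded_buf buf, msg *out)
{
    wire_msg w;
    if (buf.len != sizeof w) return false;      /* size must match exactly */
    memcpy(&w, buf.base, sizeof w);             /* no unaligned/aliasing load */
    switch (w.kind_raw) {                       /* enum field: listed values only */
    case MSG_HELLO: case MSG_DATA: case MSG_BYE: break;
    default: return false;
    }
    if (w.count < 0) return false;              /* CARDINAL field: non-negative */
    out->id = w.id;
    out->kind = (msg_kind)w.kind_raw;
    out->count = w.count;
    return true;
}

/* Encode, then attempt the view; returns true if the bytes were accepted. */
static bool try_view(uint32_t id, uint32_t kind_raw, int32_t count, msg *out)
{
    uint8_t raw[sizeof(wire_msg)];
    encode_wire(id, kind_raw, count, raw);
    bounded_buf b = { raw, sizeof raw };
    return view_as_msg(b, out);
}

int main(void)
{
    msg m;
    uint8_t dst[4];
    uint8_t src[8] = { 0 };
    bounded_buf s = { src, sizeof src };
    printf("valid record accepted:   %d\n", try_view(7, MSG_DATA, 42, &m));
    printf("bad enum rejected:       %d\n", !try_view(7, 9, 42, &m));
    printf("negative count rejected: %d\n", !try_view(7, MSG_BYE, -1, &m));
    printf("oversized copy refused:  %d\n", !bounded_copy(dst, sizeof dst, s, 0, 8));
    return 0;
}
```

The point of the switch and the sign test is exactly the recursive rule in the post: `id` needs no check because every 32-bit pattern is a legal `uint32_t`, while the enum and the non-negative field are the places a compiler (or, in C, the programmer) has to insert a check before the view is safe.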
