[Cryptography] how reliably do audits spot backdoors?

Phillip Hallam-Baker hallam at gmail.com
Sun Dec 29 08:42:25 EST 2013 

On Sat, Dec 28, 2013 at 5:04 AM, James A. Donald <jamesd at echeque.com> wrote:

> On 2013-12-26 17:37, ianG wrote:
>
>> I do it all in Java.  Once, when I did a port from Java to various
>> languages, it took 5 times longer to get it into C as opposed to various
>> OO languages (PHP, Perl).
>>
>
> Transating to C, you have to add your own memory management code, which is
> a large part of any C program, hence the much longer C translation times.
>

You don't have to, most developers don't.

My garbage collection routine is 50 lines of code that cause collection of
all child objects when a parent object is destroyed. That is adequate for
most server type applications.


But what I see as typical C application behavior is that they grab chunks
of memory and never release any.

So even though I have 4Gb of RAM on my 7 year old machine, I am having to
consider upgrading because Chrome will grab 2Gb all by itself.

Oh they do things like ensure that they never take more than 50% of the
memory on the machine but that strategy does not work when you have three
programs running.


This should not be a problem on an O/S with fine grained security. But it
is because the security mechanisms don't actually control what I want them
to control. I want to give memory quotas to particular applications. I want
to limit access to data in ways that ACLs don't support.

Butler Lampson says there should only be one copy of an ACL and everything
should link to it. I think that is part of what is needed. Security
policies should be named first class objects in the system and it should be
possible to apply them to applications

Instead of a process running under the privileges of its account owner, it
should run under privileges specified by a named policy and the account
owner should have a choice between a manageably small number of policies.


So for most of my machines I would only have the 'game' and 'document'
policies in use. A game does not need to connect to any data it did not
create itself, it does not need access to my documents in particular. The
document policy would be for office, openoffice, etc. On some machines I
would have code running under the developer policy.



> Modern C++ has some tools that substantially automate memory management
> and  type management, but you still have to think about memory management,
> while Java does it all for you.
>
> Perl, Java, and PHP are all memory managed languages, so translation from
> Java to Perl or PHP is straightforward.
>

My experience is that code written in a managed language tends to be a lot
better behaved than code written in C. Which is one of the reasons I use C#.

It might be possible for a first class programmer to do better themselves.
But most code is written by third or fourth class programmers and the
machine can code much better than they can.


C++ has the wonderfully powerful template system.  Unfortunately, the
> template system is apt to produce gigantic error messages whose sheer size
> makes them difficult for anyone to comprehend.  But you can do things with
> templating that you cannot do in any other language except lisp.  In this
> sense, C++ is the highest level language of them all, except for lisp, as
> well as being the lowest level language of them all.


C# has generic types and lambda expressions these days. The implementation
is a lot more stable than my experience of C++ (which was admittedly a
decade ago)

Microsoft acquired much of the old Digital engineering staff and they
brought all the tools that had their origin in Genera, the LISP Machine
environment.




-- 
Website: http://hallambaker.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20131229/345cb19a/attachment.html>

More information about the cryptography mailing list