[Cryptography] how reliably do audits spot backdoors?

andrew cooke andrew at acooke.org
Sun Dec 29 11:31:33 EST 2013


On Sat, Dec 28, 2013 at 03:16:30PM -0800, Jonathan Thornburg wrote:
> On Sat, 28 Dec 2013, Jerry Leichter wrote:
> > It really depends on what you're doing.  Java only *appears* to
> > do it all for you; while you can't get the traditional memory leak
> > (memory to which no accessible pointers exist), you can easily build
> > up piles of guck that's pointed to by hash table entries you forgot
> > to clean up, for example.  And the GC doesn't help you with non-memory
> > resources.  [[...]]
> 
> A related point, which seems relevant in view of the recent thread on
> whether all-integer-arithmetic-modulo-2^N is (paraphrasing) "logical"
> or "evil":
> 
> In C, signed-integer size and overflow semantics are a "quality of
> implementation" issue, i.e., a C compiler is allowed-but-not-required
> to trap signed integer overflow.  E.g., gcc supports the '-ftrapv'
> option which generates traps for signed overflow on addition, subtraction,
> and multiplication operations.  C unsigned integers have (guaranteed)
> modulo-2^N arithmetic semantics.
> 
> In Java, ONLY 32-bit signed integers are available; there are NO unsigned
> integers and no 64-bit (or other-length) integers available.  Moreover,
> integer overflow checking is forbidden, i.e., if you take i = 2147483647
> and add one to it, the result is REQUIRED to be -2147483648.
> 
> In C++, native integers are the same as C, but the language permits one
> to define (say) an integer-with-guaranteed-overflow-checking class; other
> code can then rely on overflows being caught.

Go is better - http://golang.org/ref/spec#Integer_overflow - for unsigned
values (recent code from Google / Adam Langley seems to use Go).

Julia is similar -
http://docs.julialang.org/en/release-0.2/manual/integers-and-floating-point-numbers/#overflow-behavior
- but also specifies signed behaviour (Julia is IMHO becoming a pretty nice
language - in many ways it is high-level and "dynamic", but when the rubber
meets the road you can get fixed (known memory size) types and fast
performance.  I have been using it while learning a little about block ciphers
and it's worked nicely).

Andrew
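As an added illustration of the C++ point quoted above (not code from the thread or from any of its authors): a hypothetical checked-integer class, `CheckedInt32`, built on the GCC/Clang `__builtin_*_overflow` intrinsics (assumed available), with an unsigned wrapping addition beside it to contrast the guaranteed modulo-2^N semantics. Class and probe names are my own.

```cpp
#include <cstdint>
#include <stdexcept>

// Hypothetical checked 32-bit signed integer. Overflow on a raw signed int is
// undefined behaviour in C and C++; this class checks each operation up front
// and throws instead, so code using it can rely on overflows being caught.
class CheckedInt32 {
public:
    explicit CheckedInt32(int32_t v) : value_(v) {}
    int32_t get() const { return value_; }

    // __builtin_add_overflow / __builtin_mul_overflow are GCC/Clang intrinsics:
    // they store the wrapped result and return true when the exact result does
    // not fit in int32_t (a __builtin_sub_overflow exists for subtraction too).
    CheckedInt32 operator+(CheckedInt32 rhs) const {
        int32_t out;
        if (__builtin_add_overflow(value_, rhs.value_, &out))
            throw std::overflow_error("signed addition overflow");
        return CheckedInt32(out);
    }
    CheckedInt32 operator*(CheckedInt32 rhs) const {
        int32_t out;
        if (__builtin_mul_overflow(value_, rhs.value_, &out))
            throw std::overflow_error("signed multiplication overflow");
        return CheckedInt32(out);
    }

private:
    int32_t value_;
};

// Probes: true when the checked type caught an overflow, false when exact.
bool checked_add_overflows(int32_t a, int32_t b) {
    try { (void)(CheckedInt32(a) + CheckedInt32(b)).get(); return false; }
    catch (const std::overflow_error&) { return true; }
}
bool checked_mul_overflows(int32_t a, int32_t b) {
    try { (void)(CheckedInt32(a) * CheckedInt32(b)).get(); return false; }
    catch (const std::overflow_error&) { return true; }
}

// Contrast: unsigned arithmetic is guaranteed modulo 2^32 by the C and C++
// standards (Go's spec gives the same guarantee), so this wraps silently.
uint32_t unsigned_wrapping_add(uint32_t a, uint32_t b) { return a + b; }
```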
