[Cryptography] I don't get it.

[Peter Fairbrother]

I  don't get it.

Apple has an unreachable code goto, and it hurts security. OpenSSL has a 
bounds check failure, and it hurts security (and even OpenBSD gets 
another hole).

(no, I am not a fan of Theo's security stance - but it has been better 
that most)

But as far as I can see, almost all of the big holes in the last ten 
years could have been caught by good code checkers.



I wonder who committed the OpenSSL heartbeat change.

I wonder whether anyone at all at OpenSSL thought about whether it would 
be more secure *not* to implement the heartbeat option in the first 
place. Or even if someone at any time thought about that.




Perhaps most of all, I wonder whether it would be a good idea to shoot 
all the gcc developers.


I am no expert in bugs, but it seems to me that about 99% of the 
reported security bugs and holes and so-on could be solved by having a 
secure checking compiler. Which checked for most of the known holes, or 
perhaps just even the top five.



A long long time ago, about 2002, I asked Ben Laurie for some advice 
about co-writers for security software. Amongst other things he said 
"don't let them us C++ - it's too powerful". The specific advice may 
have been meant only for me in my situation, but it contains a basic 
truth - languages are, or can be, too powerful.



So, perhaps a prechecker before the code goes to the compiler? To check 
security code (like OpenSSL) for the top five or ten holes?

Or best of all, I think we need better compilers. Better in the sense 
that they will only compile secure code. And which can prevent coders 
from doing bad things.

Coders are not gods, and it isn't illegal for a compiler to say "you 
can't do that".



-- Peter Fairbrother