[Cryptography] bounded pointers in C
Nemo
nemo at self-evident.org
Sat Apr 19 13:54:25 EDT 2014
Jerry Leichter <leichter at lrw.com> writes:
> On Apr 19, 2014, at 1:21 AM, Nemo <nemo at self-evident.org> wrote:
>> In C++, it is trivial to create "SafeInt" and "SafeArray" classes that
>> overload addition and dereference, respectively, so that expressions
>> like "x+y" check for overflow and expressions like "a[n]" check for
>> out-of-bounds access. That so many programmers write security-sensitive
>> code without using such simple idioms is hardly the fault of the
>> language.
> Almost - and the "almost" is what stops people. Yes, you can have a
> SafeInt, and it will "work" in most cases. But you can't, for
> example, have SafeInt constants. So you can't have switch statements
> that switch on SafeInt.
Of course you can have SafeInt constants, just like you can have any
other type of const object:
static const SafeInt twelve(12);
You can also provide an implicit cast-to-int operator that will let you
use your SafeInt in a "switch" statement.
Live example: http://goo.gl/ds4AZx
Since int and SafeInt can cast to/from each other transparently, it is
easy to imagine converting an existing code base from one to the other
incrementally.
> The built-in types have all kinds of special properties (the standard
> numeric conversions, for example) that a user-defined class can't
> imitate, but which are a fundamental part of the way C++ code is
> written.
Perhaps there are useful properties of "int" that "SafeInt" cannot
imitate, but your examples so far do not demonstrate any.
> Defining effective array-like classes is easier because arrays have
> much more limited inherent semantics. The traditional issue has been
> the lack of a way to write down a constant of an array-like class, as
> you can an array (though only in limited contexts, i.e.,
> initializers). I haven't gotten into the details of C++11, but I
> gather this has gotten a bit easier.
This is not just easier in C++, but trivial. C++11 introduces
"initializer list constructors", so filling any container (array,
vector, set, etc.) with constants is expressed as easily as built-in
array/struct initialization in legacy C/C++.
Good workmen never quarrel with their tools.
- Nemo
https://self-evident.org/
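The SafeInt and SafeArray idioms the thread argues about, written out as an added example. This is not the code behind Nemo's "live example" link (its contents are not on this page); the class names, the choice of exceptions for the failure mode, the std::vector backing store and the helper functions are my assumptions. It shows the three points at issue: a const SafeInt constant, a SafeInt used as a switch operand through an implicit cast-to-int, and a container filled with an initializer list that bounds-checks operator[].

```cpp
#include <cstddef>
#include <initializer_list>
#include <limits>
#include <stdexcept>
#include <vector>

// Hypothetical SafeInt: an int wrapper whose addition reports overflow
// instead of silently wrapping (signed overflow is undefined in C/C++).
class SafeInt {
public:
    SafeInt(int v = 0) : value_(v) {}      // implicit construction from int

    // Implicit conversion back to int: lets a SafeInt be a switch operand
    // and be passed to legacy APIs that take int.
    operator int() const { return value_; }

    // Overflow-checked addition, portable (no compiler builtins).
    SafeInt operator+(SafeInt rhs) const {
        int a = value_, b = rhs.value_;
        if ((b > 0 && a > std::numeric_limits<int>::max() - b) ||
            (b < 0 && a < std::numeric_limits<int>::min() - b)) {
            throw std::overflow_error("SafeInt: addition overflow");
        }
        return SafeInt(a + b);
    }

private:
    int value_;
};

// Hypothetical SafeArray: bounds-checked indexing, constructible from an
// initializer list exactly like a built-in array initializer (C++11).
template <typename T>
class SafeArray {
public:
    SafeArray(std::initializer_list<T> init) : data_(init) {}

    T& operator[](std::size_t i) {
        if (i >= data_.size()) throw std::out_of_range("SafeArray: index out of bounds");
        return data_[i];
    }
    const T& operator[](std::size_t i) const {
        if (i >= data_.size()) throw std::out_of_range("SafeArray: index out of bounds");
        return data_[i];
    }
    std::size_t size() const { return data_.size(); }

private:
    std::vector<T> data_;
};

// A SafeInt constant, as claimed in the post.
static const SafeInt twelve(12);

// Switching on a SafeInt works via operator int().
const char* classify(SafeInt n) {
    switch (n) {
        case 12: return "twelve";
        case 0:  return "zero";
        default: return "other";
    }
}

// Checked sum; throws std::overflow_error on overflow.
int checked_sum(int a, int b) {
    return SafeInt(a) + SafeInt(b);
}

// True if adding a and b would overflow int.
bool add_overflows(int a, int b) {
    try { (void)checked_sum(a, b); return false; }
    catch (const std::overflow_error&) { return true; }
}

// Constructed lookup table (sample data) used to show the bounds check.
int lookup(std::size_t i) {
    static const SafeArray<int> table{10, 20, 30};
    return table[i];
}

// True if the index is rejected by SafeArray's operator[].
bool index_out_of_bounds(std::size_t i) {
    try { (void)lookup(i); return false; }
    catch (const std::out_of_range&) { return true; }
}
```

The conversions are deliberately implicit in both directions so that existing int-based code compiles unchanged after a type is swapped to SafeInt; the cost is that an expression like `twelve + 1` picks the checked member operator only because the member is the better overload match, which is worth verifying with a test when adopting the idiom in a real code base.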