[Cryptography] It's all K&R's fault
Benjamin Kreuter
brk7bx at virginia.edu
Sat Apr 19 18:10:54 EDT 2014
On Fri, 2014-04-18 at 18:54 -0400, Jerry Leichter wrote:
> And yet the fact of the matter is that some of the most reliable code
> out there is written in C.
This is a non-sequitur. Sure, it is *possible* to write reliable and
secure code in C, it is just difficult to do.
> What's important isn't the language as such, and it's been proven over
> and over again that it's possible to write unsafe code in any
> language.
"Possible" is not the same as "probable." I have far less confidence in
the security or reliability of C or C++ programs than programs written
in Haskell or ML. It's not that Haskell is a guarantee of security,
it's that the effort needed to avoid certain classes of errors is
substantially reduced.
> Java makes large classes of memory errors that have troubled C and C++
> for years impossible - but Java programs regularly die with null
> pointer exceptions and class cast errors.
Yeah, and C programs routinely die on segmentation faults. The
difference is that C programs also do not die when pointer arithmetic
goes wrong -- which is what we had with Heartbleed. In C and C++ you
can use pointers to break any higher-level abstraction; the effect is
that in addition to worrying about the correctness of your high-level
abstractions you must also worry about whether or not those abstractions
will even be respected. That makes the rest of the process of writing
secure and reliable code much harder (even if we ignore the plethora of
other undefined behaviors, many of which surprise programmers with years
of experience).
> For almost 60 years, we've been promising that, really, this new
> language will *finally* eliminate bugs and security problems - only to
> be disappointed.
"Eliminate" bugs is far too high a standard. Reducing the likelihood
that bugs will be created is not so hard to achieve -- we already
achieved it, and we got there decades ago.
At this point the problem with moving to better/safer languages is the
enormous and valuable ecosystem of C and C++ code. We are not going to
escape these languages any time soon.
-- Ben
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140419/7e922cee/attachment.pgp>
More information about the cryptography
mailing list