[Cryptography] defaults, black boxes, APIs, and other engineering thoughts

John Gilmore gnu at toad.com
Mon Jan 6 15:13:22 EST 2014


> +1 on the competition approach, all the above.
> 
> Why not narrow it down?  PDF however is a huge project.  Pick the one 
> thing that we all seem to revert to in any secure code discussion:
> 
>        buffer overflows in C.
> 
> Design the mod to current C language/libraries that best addresses the 
> syndrome.

This has already been done.  No change to the C language or libraries
is required; the ANSI C committee was diligent in defining the
language to only work when your reach didn't exceed your grasp.

"Saber C" and "valgrind" already implement this.  Saber C is now known
as CodeCenter, and its C++ variant is ObjectCenter.  It is a
commercial product of Integrated Computer Solutions, which bought it
from Centerline Software and now seems to have stuck it on a shelf:

  https://www.cs.cmu.edu/afs/cs.cmu.edu/academic/class/15211/spring.96/www/tutorial.html
  http://motif.ics.com/products/codecenter  

> Open competition.  No rules.  Big prize of open endowment for 
> academic/research project...  (Format already known & practiced.)

You will need rules.  If only that "the awarding of the prize will
be at the entire discretion of XXXX".  Else we'd just be handing
the prize to a twenty year old compiler (CodeCenter) that's sitting
on a dusty shelf without anyone using it.

> Anyone got a spare mil?

I may know where one can be found, for a good competition.

	John


More information about the cryptography mailing list