[Cryptography] defaults, black boxes, APIs, and other engineering thoughts

ianG iang at iang.org
Wed Jan 8 02:10:15 EST 2014 

On 6/01/14 23:13 PM, John Gilmore wrote:
>> +1 on the competition approach, all the above.
>>
>> Why not narrow it down?  PDF however is a huge project.  Pick the one
>> thing that we all seem to revert to in any secure code discussion:
>>
>>         buffer overflows in C.
>>
>> Design the mod to current C language/libraries that best addresses the
>> syndrome.
>
> This has already been done.  No change to the C language or libraries
> is required; the ANSI C committee was diligent in defining the
> language to only work when your reach didn't exceed your grasp.
>
> "Saber C" and "valgrind" already implement this.  Saber C is now known
> as CodeCenter, and its C++ variant is ObjectCenter.  It is a
> commercial product of Integrated Computer Solutions, which bought it
> from Centerline Software and now seems to have stuck it on a shelf:
>
>    https://www.cs.cmu.edu/afs/cs.cmu.edu/academic/class/15211/spring.96/www/tutorial.html
>    http://motif.ics.com/products/codecenter


Yes but.  I already implemented a library to replace the strevil, and so 
did half the people here.  Like those above, they sit on the shelf, much 
dust and sagging is our only reminder.

We all failed -- is the point.

Why?  probably because we were divided in our solutions, and the 
committee bendeth to the volume of our consensus.

What better way to achieve the consensus?


>> Open competition.  No rules.  Big prize of open endowment for
>> academic/research project...  (Format already known & practiced.)
>
> You will need rules.  If only that "the awarding of the prize will
> be at the entire discretion of XXXX".


Yes, true.  I was more referring to the rules that burden the thoughts 
not those that shackle the winner.

> Else we'd just be handing
> the prize to a twenty year old compiler (CodeCenter) that's sitting
> on a dusty shelf without anyone using it.


Well, if it got it into use, it's be worth the prize.  There's less 
honour in ya10kloc, more in crash-proof apps.


>> Anyone got a spare mil?
>
> I may know where one can be found, for a good competition.


Ah, there's that word, 'good' ... the solution to buffer overflows 
'good' enough?  Or is there a better?

Or, if belief is keen, make an offer for CodeCenter.  Make it open source.



We know how to do it, individually.  We as a community or internet have 
singularly failed to do it.



iang

More information about the cryptography mailing list