[Cryptography] Paranoia for a Monday Morning
Bill Frantz
frantz at pwpconsult.com
Tue Oct 28 16:58:46 EDT 2014
On 10/27/14 at 4:37 PM, leichter at lrw.com (Jerry Leichter) wrote:
>OK, Mozilla and Rust are a real effort with real publications.
Let's not underestimate the value of "secure" languages in
improving the security of systems. Indeed they are not a
panacea, but they can effectively eliminate common problems such
as buffer overrun and use after free. One of the strengths of
Firefox is the large body of code that is in Javascript, a
secure language.
Indeed, as a friend says, "You can write Fortran in any
language.", but a secure language makes the secure way the easy way.
The immediate question is, why do we still write security
sensitive code in C? (Or other insecure languages like C++.)
IMHO, some of the reason is in trying to interface with an
infrastructure built on C programs and designed for C calling
conventions. If any of the secure systems programming languages,
like Rust, can get enough of a toe hold in the sea of C
conventions, perhaps we can, at least, make the successful
attacks more interesting than the same-old same-old of buffer
overrun and use after free.
Cheers - Bill
--------------------------------------------------------------
Bill Frantz | There are now so many exceptions to the
408-356-8506 | Fourth Amendment that it operates only by
www.pwpconsult.com | accident. - William Hugh Murray
More information about the cryptography
mailing list