[Cryptography] Paranoia for a Monday Morning

Bill Frantz frantz at pwpconsult.com
Tue Oct 28 16:58:46 EDT 2014


On 10/27/14 at 4:37 PM, leichter at lrw.com (Jerry Leichter) wrote:

>OK, Mozilla and Rust are a real effort with real publications.

Let's not underestimate the value of "secure" languages in 
improving the security of systems. Indeed they are not a 
panacea, but they can effectively eliminate common problems such 
as buffer overrun and use after free. One of the strengths of 
Firefox is the large body of code that is in JavaScript, a 
secure language.

Indeed, as a friend says, "You can write Fortran in any 
language," but a secure language makes the secure way the easy way.

The immediate question is, why do we still write 
security-sensitive code in C? (Or other insecure languages like C++.) 
IMHO, some of the reason is in trying to interface with an 
infrastructure built on C programs and designed for C calling 
conventions. If any of the secure systems programming languages, 
like Rust, can get enough of a toehold in the sea of C 
conventions, perhaps we can, at least, make the successful 
attacks more interesting than the same-old same-old of buffer 
overrun and use after free.

Cheers - Bill

--------------------------------------------------------------
Bill Frantz        | There are now so many exceptions to the
408-356-8506       | Fourth Amendment that it operates only by
www.pwpconsult.com | accident.  -  William Hugh Murray


