[Cryptography] [FORGED] Re: How programming language design can help us write secure crypto code
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Sun Nov 1 22:27:36 EST 2015
Bill Frantz <frantz at pwpconsult.com> writes:
>My first reaction was, of course we are defining a pre-condition for the
>correct execution of my_memcpy. The compiler will try to prove the parameters
>are not null and generate warnings if it could not complete these proofs.
That is actually how a number of the other gcc attributes work. For example
__attribute__ (( format ( printf, 2, 3 ) )) tells gcc to check the function as
a printf-style function, __attribute__ (( format_arg ( 2 ) )) tells gcc to
check the value as a printf-style format specifier, __attribute__ (( unused ))
tells gcc that a warning for an unused parameter isn't required for this
value, and __attribute__ (( warn_unused_result )) tells gcc to warn if you
don't use the return value of the function.
The latter is another gcc gem, it typically doesn't warn if you don't use the
result because the warning is generated at a different level than the data
flow analysis so it can't tell whether the result is used or not (assigning
the return value to a dead variable is enough), but then it also doesn't allow
a void cast to silence it in cases where you don't care about the return
value. So something like:
( void ) fread( ... );
which has been valid at least since lint was introduced in 1979 will still
produce a warning about an unused result. Vast avalanches of them in some
projects, so that you have to turn the check back off again.
Peter.
More information about the cryptography
mailing list