[Cryptography] [FORGED] Re: How programming language design can help us write secure crypto code

Thierry Moreau thierry.moreau at connotech.com
Sat Oct 31 22:35:30 EDT 2015


On 01/11/15 01:29 AM, Peter Gutmann wrote:
> Thierry Moreau <thierry.moreau at connotech.com> writes:
>
>> Now I am teaching programming subtleties to Peter ...
>
> Not really, if you know how gcc works then it happens because the warnings are
> issued by the front-end before data flow analysis occurs (so cases of
> inadvertent NULL pointer use are missed) but then the optimiser later applies
> the annotation to mean that the value can never be NULL.
>

I doubt the gcc data flow analysis phase is devoid of a warning issuance 
facility. But I expect the data flow analysis to be less than perfect in 
identifying conditions that would bring a NULL pointer to the function call.

> This is about as useful a response as saying "well, there's a race condition
> where, if the operator is entering data as the counter overflows, the beam
> spreader plate isn't rotated into place and therefore you get hit with X-rays
> at 25MeV, that's why your uncle died.  Quite straightforward really".
>

Well, if you depend on a compiler for the potentially dramatic 
consequences of "inadvertently missed NULL pointers" (I assume it is the 
programmer who missed a NULL pointer condition in the software logic but 
you depend on the compiler to catch it), your development process might 
be questioned.

> This is more or less the gcc developers' response, they explained in great
> detail why gcc does what it does without making an attempt to fix it.  When I
> asked them to at least update the docs to reflect what would actually happen
> when you used the annotation, they ignored the request.
>
> The reason why I asked for other peoples' interpretations of what the
> annotation did was because I wanted to see what the typical developer would
> think happened when they used it.  As I mentioned earlier, from the small
> sample of people I've talked to about it, they were under the impression that
> it would warn them about inadvertent use of NULL pointers.  At least one major
> OSS project discontinued use of the annotation after finding out what it
> really did.  I've defined it to a no-op in my code, it's literally worse than
> useless, it has negative value.
>

Ah! Indeed a mission-critical piece of software logic would hardly use a 
compiler switch that allows an explicit preventive programming provision 
to be optimized away without a trustworthy data flow analysis. Isn't 
this a basic precaution from the compiler *user*?

> (gcc is full of latent pathogens like this one).
>

These words are yours. I find them counterproductive.

- Thierry
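An added example, not from the thread or either author, illustrating the behaviour discussed above: it assumes the annotation in question is gcc's `__attribute__((nonnull))`, and the function names and the `DISABLE_NONNULL` macro are made up for illustration.

```c
/* Added example (not from the thread). Assumes the annotation being
 * discussed is gcc's __attribute__((nonnull)); the names used here are
 * illustrative only. */
#include <stddef.h>
#include <stdio.h>

/* Defining the macro empty (compile with -DDISABLE_NONNULL) is the
 * "no-op" approach mentioned in the thread: the attribute disappears and
 * the in-function check is ordinary reachable code again. */
#if defined(__GNUC__) && !defined(DISABLE_NONNULL)
#define NONNULL __attribute__((nonnull))
#else
#define NONNULL
#endif

/* Annotated version. The front end warns only when a literal NULL is
 * passed at a call site. At -O2 the optimiser treats `s` as never NULL
 * (-fdelete-null-pointer-checks is on by default), so the check below may
 * be deleted and a NULL that arrives at run time reaches the loop.
 * GCC 6 and later flag this pattern with -Wnonnull-compare. */
long annotated_len(const char *s) NONNULL;
long annotated_len(const char *s)
{
    if (s == NULL)      /* may be removed: contradicts the attribute */
        return -1;
    long n = 0;
    while (s[n] != '\0')
        n++;
    return n;
}

/* Plain version: no attribute, so the compiler has no licence to assume
 * `s` is non-NULL and must keep the check. */
long checked_len(const char *s)
{
    if (s == NULL)
        return -1;
    long n = 0;
    while (s[n] != '\0')
        n++;
    return n;
}

int main(void)
{
    printf("checked_len(\"hello\") = %ld\n", checked_len("hello"));
    printf("checked_len(NULL)    = %ld\n", checked_len(NULL));
    printf("annotated_len(\"hi\") = %ld\n", annotated_len("hi"));
    return 0;
}
```

Compiling `annotated_len` with `gcc -O2 -Wall -Wextra` on GCC 6 or later shows the `-Wnonnull-compare` diagnostic, which is the check a reviewer would want before relying on an in-function NULL test behind the attribute.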


