[Cryptography] "NSA-linked Cisco exploit poses bigger threat than previously thought"

Jerry Leichter leichter at lrw.com
Thu Aug 25 06:21:37 EDT 2016


[Description of cool features in Rust.  I'm really going to have to go look at it now]
> What other languages are suitable for "I need every drop of performance and control", yet are this safe? Serious question. A question we should be asking.
Many of the ideas in Rust that you describe seem to have evolved (or were independently reinvented - I have no idea) from Modula-3.  Small, fast, extensively type-checked, ability to explicitly write unsafe code.  All there.

The Modula-3 guys had an interesting approach to keeping the language small:  The designers agreed up front to a page limit on the language reference manual. Once they reached the limit (I think it was 75 pages), anyone proposing to add something had to first remove something else to make room.  (Wouldn't it be nice if, say, the IRS Code were subject to a similar requirement?)

One thing Modula-3 had which Rust didn't:  A GC.  But it approached things in a unique way.  All reference objects ultimately descended from one of two roots - say Object and Address.  Descendants of Object were GC'ed; descendants of Address were not.  Only Unsafe code could perform hazardous operations on Address's.  The GC could be, and was, written in the language itself, using Unsafe operations.

There was an experiment done to develop an OS entirely in Modula-3 - I think it was called Spin.  No assembly help *at all*.  It turned out that it needed one extension to the language:  When you're writing something like network code, you have to take an array of raw bytes and turn it into a TCP packet with a known structure.  In C, of course, you simply cast the pointer - completely unsafe.  The extension to Modula-3 added something that was like a cast - but it only allowed casting to a type with the property that all its members, recursively, had types in which any bit pattern was legal.  So the result of such a cast was definitely a legal object of the cast-to type.  (Of course, the compiler couldn't check dynamic properties - e.g., that fields that were supposed to be lengths made sense, e.g., didn't imply that an embedded field was longer than the packet it was in.  But the writer of the code could do that; array-bound checking ensured that at worst you got a checked failure.)

Modula-3 died many years ago, though in fact many of the ideas in Java clearly came from it.  If Rust or something similar catches on, Modula-3 could begin to rival Algol as a dead predecessor to a whole family of very live languages.

                                                        -- Jerry
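
A sketch in Rust of the checked cast described in the message above, added here as an example; it is not code from the post or from the Modula-3 OS it mentions. The names `AnyBitPattern`, `view` and `tcp_payload` and the sample packet are assumptions made for the example.

```rust
use std::mem::{align_of, size_of};

/// Marker (name assumed for this example): every bit pattern is a legal value of the type.
/// `unsafe` to implement because the implementer vouches for all members, recursively.
unsafe trait AnyBitPattern: Copy {}
unsafe impl<const N: usize> AnyBitPattern for [u8; N] {}

/// Fixed 20-byte TCP header. Byte arrays only, so alignment is 1 and there is no padding.
#[repr(C)]
#[derive(Clone, Copy)]
#[allow(dead_code)]
struct TcpHeader {
    src_port: [u8; 2], dst_port: [u8; 2],
    seq: [u8; 4], ack: [u8; 4],
    off_flags: [u8; 2], window: [u8; 2],
    checksum: [u8; 2], urgent: [u8; 2],
}
unsafe impl AnyBitPattern for TcpHeader {}

/// The restricted "cast": view the front of `buf` as a `T`; None if too short or misaligned.
fn view<T: AnyBitPattern>(buf: &[u8]) -> Option<&T> {
    if buf.len() < size_of::<T>() || buf.as_ptr() as usize % align_of::<T>() != 0 {
        return None;
    }
    // SAFETY: size and alignment were checked; T: AnyBitPattern makes any bytes a valid T.
    Some(unsafe { &*(buf.as_ptr() as *const T) })
}

/// The dynamic check left to the programmer: the header-length field must fit the packet.
fn tcp_payload(pkt: &[u8]) -> Option<(&TcpHeader, &[u8])> {
    let hdr = view::<TcpHeader>(pkt)?;
    let hdr_len = usize::from(hdr.off_flags[0] >> 4) * 4; // data offset, in 32-bit words
    if hdr_len < size_of::<TcpHeader>() {
        return None;
    }
    Some((hdr, pkt.get(hdr_len..)?)) // bounds-checked slice: a checked failure at worst
}

fn main() {
    // Constructed sample: ports 443 -> 51000, data offset 5 (20 bytes), payload "hi".
    let mut pkt = vec![0x01, 0xBB, 0xC7, 0x38, 0, 0, 0, 1, 0, 0, 0, 0, 0x50, 0x18, 0xFF, 0xFF, 0, 0, 0, 0];
    pkt.extend_from_slice(b"hi");
    let (h, body) = tcp_payload(&pkt).expect("well-formed packet");
    println!("{} -> {}: {:?}", u16::from_be_bytes(h.src_port), u16::from_be_bytes(h.dst_port), body);
    pkt[12] = 0xF0; // now claims a 60-byte header inside a 22-byte packet
    assert!(tcp_payload(&pkt).is_none());
}
```

A type containing a `bool`, an enum or a reference could not soundly implement the marker, which is the restriction the message describes.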


