[Cryptography] Use Linux for its security

Ron Garret ron at flownet.com
Sat Oct 1 11:25:29 EDT 2016 

On Oct 1, 2016, at 2:26 AM, Florian Weimer <fw at deneb.enyo.de> wrote:

> * Henry Baker:
> 
>> I've had a long-standing complaint with Common Lisp -- even though it is
>> technically a buffer-overflow-free zone --
> 
> Actually, it's not.  Common Lisp does not mandate bounds checking for
> AREF or SVREF.

At least CL *tries* to get this right.  Yes, it is true that on a strict language-lawyerly-reading of the spec, passing invalid arguments to aref (or subseq) results in undefined behavior.  But it is universally understood among all CL compiler writers and consumers that when (optimize (safety 3)) is in effect that dereferencing an out-of-bounds array index will result in a run-time error.  And if you want to be a language lawyer, you can use array-in-bounds-p (http://www.lispworks.com/documentation/HyperSpec/Body/f_ar_in_.htm) to 100% guarantee that your array references are safe.

BTW, the only reason that CL doesn’t get this completely right is that the committee ran out of money before they could address it.  It was on their radar.

http://www.lispworks.com/documentation/HyperSpec/Issues/iss332_w.htm

> One can hope that most implementations perform it by default,

One can do more than hope.  AFAIK there is not a single CL implementation where this is not the case.

> but for those implementation with optimizing compilers, it
> can be easily switched off.

You say that as if it’s a bad thing, but this flexibility is generally considered a feature, not a bug.  Here again, CL excels, allowing one to explicitly trade off various incommensurate dimensions in the software quality space (speed, safety and debuggability).  C compilers typically only give you control over a single optimization dimension.

> The language rules even say that if a
> supposedly-safe function is called from a function compiled without
> safety checks, the safety checks in the called functions do have to be
> performed (so safety is not modular).

What???  Where does it say that?

> The main difference to C is that Common Lisp arrays have an explicit
> length, which makes bounds checks easy to implement, either manually
> or automatically by the compiler.

What actually matters is that Lisp does not have first-class pointers, so it is *possible* to do automatic bounds checking, which makes code significantly safer.  In C this is not possible.

rg

More information about the cryptography mailing list