[Cryptography] Use Linux for its security

Florian Weimer fw at deneb.enyo.de
Sun Oct 2 09:07:04 EDT 2016


* Ron Garret:

> BTW, the only reason that CL doesn’t get this completely right is that
> the committee ran out of money before they could address it.  It was
> on their radar.
>
> http://www.lispworks.com/documentation/HyperSpec/Issues/iss332_w.htm

Along with writable literals, I suppose. :-/

GCC got rid of them how many years ago?  20?  And that is with kernel
enforcement on most systems.  OCaml is phasing them out as well.

>> One can hope that most implementations perform it by default,
>
> One can do more than hope.  AFAIK there is not a single CL
> implementation where this is not the case.

Again, then why wasn't it standardized, along with a suitable error
condition?

>> but for those implementations with optimizing compilers, it
>> can be easily switched off.
>
> You say that as if it’s a bad thing, but this flexibility is generally
> considered a feature, not a bug.

It leads to developers switching off safety checks because they know
their code is bug-free (they wrote it, after all), and it's also the
most important part of the system and users cannot afford to have it
drag down the whole system.

>> The language rules even say that if a
>> supposedly-safe function is called from a function compiled without
>> safety checks, the safety checks in the called functions do have to be
>> performed (so safety is not modular).
>
> What???  Where does it say that?

It appears that safe code is only safe if it is evaluated as part of a
safe call.

>> The main difference to C is that Common Lisp arrays have an explicit
>> length, which makes bounds checks easy to implement, either manually
>> or automatically by the compiler.
>
> What actually matters is that Lisp does not have first-class pointers,
> so it is *possible* to do automatic bounds checking, which makes code
> significantly safer.  In C this is not possible.

Address Sanitizer almost does it for C.  It is possible there as well.
(The “almost” part refers to the limited size of the red zone.)
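An added illustration of the point argued above (not code from either poster): the same AREF compiled under full safety and under (safety 0), next to a manual bounds check that uses the array's explicit length and so holds regardless of the compiler policy. The comments on elided checks assume SBCL; the standard only says the (safety 0) case is undefined.

```lisp
;;; Added example, not from the thread.  Function names are mine.

(defun checked-ref (vec i)
  "Compiled with full safety: AREF signals an error on an out-of-range index."
  (declare (optimize (safety 3) (speed 0)))
  (aref vec i))

(defun unchecked-ref (vec i)
  "Compiled with safety 0: the compiler (SBCL assumed) omits the bounds check,
so an out-of-range index reads whatever lies past the array in memory.
The standard leaves this undefined; do not rely on any particular result."
  (declare (optimize (safety 0) (speed 3))
           (type simple-vector vec)
           (type fixnum i))
  (aref vec i))

(defun manual-ref (vec i)
  "Same unsafe policy, but the array's explicit length makes a manual check
cheap, so the access is bounded no matter what the compiler elides."
  (declare (optimize (safety 0) (speed 3))
           (type simple-vector vec)
           (type fixnum i))
  (unless (and (<= 0 i) (< i (length vec)))
    (error "index ~D out of bounds for vector of length ~D" i (length vec)))
  (aref vec i))

(defparameter *v* (vector 'a 'b 'c))   ; constructed sample input

;; Index 3 is one past the end in both calls below.
(handler-case (checked-ref *v* 3)
  (error (e) (format t "checked-ref signalled: ~A~%" e)))

(handler-case (manual-ref *v* 3)
  (error (e) (format t "manual-ref signalled: ~A~%" e)))

;; Deliberately not called: (unchecked-ref *v* 3) may return garbage or
;; crash the image, which is exactly the failure mode being discussed.
```

Note that the type declarations in the (safety 0) functions are also unchecked, so passing a non-vector to UNCHECKED-REF is equally undefined; the manual check only covers the index.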

