[cap-talk] Confessions of a C programmer

Bill Frantz frantz at pwpconsult.com
Mon Sep 21 00:18:02 PDT 2009


daw at cs.berkeley.edu (David Wagner) on Sunday, September 20, 2009 wrote:

>
>Bill Frantz  wrote:
>>My last major project was the web-key server for CapROS. Like most
>>real-world programming, it faced a deadline. What I needed from a language
>>was:
>>
>>  Familiarity - I learn languages slowly, and time spent learning a new one
>>  needs to be justified.
>>
>>  Reliability - I don't want to spend time debugging the compiler and I
>>  really don't want to debug a code generator which changes the semantics
>>  of my program.
>>
>>  Minimal environment - The compiler and runtime should not depend on
>>  anything but the non-privileged architecture of the hardware platform.
>>  All privileged instructions/system calls should come from library
>>  routines[1].
>>
>>  Library routines for required subsystems - I needed a SSL/TLS
>>  implementation and ended up using OpenSSL, which is written in C. Being
>>  able to call C programs would cover a lot of this requirement.
>>  
>>  Support for the target platform(s).
>>
>>The question is, what memory-safe languages even begin to meet these
>>requirements?
>
>Does Java meet your requirements?

Java fails on several grounds:

  Excessively slow start up times.
  
  Needs a file system to read class files and issue error messages for
  uncaught exceptions.
  
  Does it support the ARM chip?

Which is too bad, because it is a language I already know and like. Its
string functions would make parsing the HTTP protocol fairly pleasant. (C's
use of NUL as a string terminator makes its string functions unsuitable for
parsing hostile input. I had to mostly roll my own.)

BTW - We did think of a neat way to apply POLA to make the C implementation
much safer. It uses an external object to look up the Swiss numbers
contained in the web keys and relate them to computational objects (CapROS
objects as well). By not giving the web server the privilege of enumerating
the contents of that external object, it is in much the same position as an
external user trying to guess a Swiss number. It does have the advantage of
being able to check guesses faster, but more bits in the Swiss number can
cover for that.

This use of POLA means that someone who manages to change one instance of
the server code can't leverage it into an attack on all the objects that
are served by that server.

Cheers - Bill

-------------------------------------------------------------------------
Bill Frantz        | Airline peanut bag: "Produced  | Periwinkle
(408)356-8506      | in a facility that processes   | 16345 Englewood Ave
www.pwpconsult.com | peanuts and other nuts." - Duh | Los Gatos, CA 95032
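The NUL problem Bill mentions, as an added example (my code, not the CapROS web-key server's): a request-line parser that carries every field as a pointer plus length and rejects control bytes outright, beside the copy-and-strcmp path check that a hidden NUL fools. The request line HOSTILE is constructed for the demonstration; the "/public" path, the 64-byte scratch buffer and the function names are assumptions, not anything the post describes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Every parsed field is a (pointer, length) pair into the caller's buffer,
 * never a NUL-terminated string. */
struct req_line {
    const char *method;  size_t method_len;
    const char *target;  size_t target_len;
    const char *version; size_t version_len;
};

/* Index of the first byte equal to c in buf[0..len), or len if absent.
 * Unlike strchr(), an embedded NUL does not end the scan. */
static size_t find_byte(const char *buf, size_t len, char c) {
    for (size_t i = 0; i < len; i++)
        if (buf[i] == c) return i;
    return len;
}

/* Parse "METHOD SP target SP HTTP/1.x CRLF" from buf[0..len).
 * Returns 1 on success, 0 if the line is incomplete or malformed.
 * Any byte outside printable ASCII, NUL included, is a hard reject: it must
 * not quietly shorten a field the way it would under strlen()-style code. */
int parse_request_line(const char *buf, size_t len, struct req_line *out) {
    size_t line_len = find_byte(buf, len, '\n');
    if (line_len == len) return 0;                     /* no complete line yet */
    if (line_len > 0 && buf[line_len - 1] == '\r') line_len--;

    for (size_t i = 0; i < line_len; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (c < 0x20 || c > 0x7e) return 0;
    }

    size_t sp1 = find_byte(buf, line_len, ' ');
    if (sp1 == 0 || sp1 == line_len) return 0;
    size_t tgt = sp1 + 1;
    size_t sp2 = tgt + find_byte(buf + tgt, line_len - tgt, ' ');
    if (sp2 == tgt || sp2 == line_len) return 0;
    size_t ver = sp2 + 1;                              /* exactly "HTTP/1.x" must remain */
    if (line_len - ver != 8 || memcmp(buf + ver, "HTTP/1.", 7) != 0) return 0;
    if (buf[ver + 7] < '0' || buf[ver + 7] > '9') return 0;

    out->method = buf;        out->method_len = sp1;
    out->target = buf + tgt;  out->target_len = sp2 - tgt;
    out->version = buf + ver; out->version_len = 8;
    return 1;
}

/* Parse buf and report the target length, or -1 if the line is rejected. */
long parsed_target_len(const char *buf, size_t len) {
    struct req_line r;
    return parse_request_line(buf, len, &r) ? (long)r.target_len : -1;
}

/* Path check written the way C string code usually is: copy, NUL-terminate,
 * strcmp().  With a NUL inside the target the comparison sees only the prefix
 * and wrongly accepts, while a length-aware consumer downstream still sees
 * the whole thing. */
int naive_is_public(const char *target, size_t target_len) {
    char path[64];                                     /* assumed scratch size */
    if (target_len >= sizeof path) return 0;
    memcpy(path, target, target_len);
    path[target_len] = '\0';
    return strcmp(path, "/public") == 0;
}

/* Length-aware check: every byte of the field takes part in the comparison. */
int is_public(const char *target, size_t target_len) {
    static const char want[] = "/public";
    return target_len == sizeof want - 1 && memcmp(target, want, target_len) == 0;
}

/* Constructed hostile request line: a NUL hidden inside the target. */
const char HOSTILE[] = "GET /public\0/../admin HTTP/1.1\r\n";
const size_t HOSTILE_LEN = sizeof HOSTILE - 1;         /* 32 bytes */
const char *HOSTILE_TARGET = HOSTILE + 4;              /* "/public\0/../admin" */
const size_t HOSTILE_TARGET_LEN = 17;

int main(void) {
    printf("strict parser target length (-1 = rejected): %ld\n",
           parsed_target_len(HOSTILE, HOSTILE_LEN));
    printf("naive_is_public: %d, is_public: %d\n",
           naive_is_public(HOSTILE_TARGET, HOSTILE_TARGET_LEN),
           is_public(HOSTILE_TARGET, HOSTILE_TARGET_LEN));
    return 0;
}
```

The two checks disagree on the same 17 bytes: the strcmp() version accepts "/public\0/../admin" as "/public", the memcmp() version does not, and the strict parser never lets the line through in the first place. That disagreement between NUL-stopping and length-aware code is the parser differential that makes the libc string functions unsuitable for bytes off the wire.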


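A sketch of the POLA split described in the message, added here and not taken from CapROS or its web-key server. The web server holds only a lookup capability (a resolve function plus an opaque context) over the Swiss-number directory; the directory offers no enumeration, so a subverted server can still only test one Swiss number per call. Assumptions: 128-bit Swiss numbers carried as 32 lowercase hex digits, a fixed in-memory table, a constant-time compare (my addition, not something the post describes), and the names directory_insert, directory_lookup, server_resolve and expected_seconds_to_hit. In CapROS the directory is a separate protected object; in one C address space this boundary is only a coding convention, which is exactly why the real design keeps it outside the server.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SWISS_BYTES 16                      /* 128-bit Swiss numbers (assumed) */
#define MAX_ENTRIES 64
typedef const void *object_ref;             /* opaque handle to a served object */

/* Directory state.  Only the directory_* functions touch it; the server is
 * handed a struct lookup_cap, never a pointer it is meant to index. */
struct directory {
    struct { uint8_t swiss[SWISS_BYTES]; object_ref obj; } e[MAX_ENTRIES];
    size_t n;
};

/* Creator-side authority, not granted to the server. */
int directory_insert(struct directory *d, const uint8_t *swiss, object_ref obj) {
    if (d->n >= MAX_ENTRIES) return 0;
    memcpy(d->e[d->n].swiss, swiss, SWISS_BYTES);
    d->e[d->n++].obj = obj;
    return 1;
}

/* Constant-time compare: a near miss costs the same as a total miss. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* The only operation the server gets: Swiss number in, object or NULL out.
 * Every entry is visited on every call, and there is deliberately no
 * enumerate/count/nth accessor for a subverted server to call. */
static object_ref directory_lookup(void *ctx, const uint8_t *swiss) {
    const struct directory *d = ctx;
    object_ref found = NULL;
    for (size_t i = 0; i < d->n; i++)
        if (ct_equal(d->e[i].swiss, swiss, SWISS_BYTES)) found = d->e[i].obj;
    return found;
}

/* What the web server holds: one resolve function plus an opaque context. */
struct lookup_cap {
    object_ref (*resolve)(void *ctx, const uint8_t *swiss);
    void *ctx;
};

/* Server side: everything below runs with nothing but the lookup cap. */
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode the 32 lowercase hex digits the web key is assumed to carry;
 * length- and byte-checked, because the text came from the client. */
int decode_swiss(const char *text, size_t len, uint8_t *out) {
    if (len != 2 * SWISS_BYTES) return 0;
    for (size_t i = 0; i < SWISS_BYTES; i++) {
        int hi = hexval(text[2 * i]), lo = hexval(text[2 * i + 1]);
        if (hi < 0 || lo < 0) return 0;
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    return 1;
}

/* Resolve a Swiss number taken from a request.  A compromised server can call
 * this as fast as it likes, but each call answers exactly one guess. */
object_ref server_resolve(const struct lookup_cap *cap, const char *hex, size_t len) {
    uint8_t swiss[SWISS_BYTES];
    if (!decode_swiss(hex, len, swiss)) return NULL;
    return cap->resolve(cap->ctx, swiss);
}

/* Expected seconds until an attacker making r guesses per second hits one of
 * n live objects behind b-bit Swiss numbers: about 2^b / (2 n r).  A faster
 * in-process guesser is answered by raising b, as the post says. */
double expected_seconds_to_hit(unsigned bits, double n_objects, double guesses_per_sec) {
    double space = 1.0;
    for (unsigned i = 0; i < bits; i++) space *= 2.0;
    return space / (2.0 * n_objects * guesses_per_sec);
}

/* Constructed scenario: one object, its web key, a near miss and a malformed
 * request.  Returns the number of checks that behaved (4 when all hold). */
static int obj_a;
static const char KEY_A[] = "00112233445566778899aabbccddeeff";

int demo(void) {
    struct directory dir;
    uint8_t s[SWISS_BYTES];
    int ok = 0;
    memset(&dir, 0, sizeof dir);
    struct lookup_cap cap = { directory_lookup, &dir };  /* all the server gets */
    ok += decode_swiss(KEY_A, 32, s) && directory_insert(&dir, s, &obj_a);
    ok += server_resolve(&cap, KEY_A, 32) == &obj_a;
    ok += server_resolve(&cap, "00112233445566778899aabbccddeef0", 32) == NULL;
    ok += server_resolve(&cap, "0011", 4) == NULL;
    return ok;
}
```

The creator path (directory_insert) and the server path (server_resolve through the cap) are the two sides of the split: an attacker who owns one server instance gets a fast oracle for the Swiss numbers it already handles, and nothing else. expected_seconds_to_hit is the arithmetic behind "more bits can cover for that": at 128 bits even a billion in-process guesses per second against a single object leaves an expected wait above 1e29 seconds.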