[cap-talk] Confessions of a C programmer
Mike Samuel
mikesamuel at gmail.com
Mon Sep 21 11:23:07 PDT 2009
2009/9/21 Bill Frantz <frantz at pwpconsult.com>:
> daw at cs.berkeley.edu (David Wagner) on Sunday, September 20, 2009 wrote:
>
>>
>>Bill Frantz wrote:
>>>My last major project was the web-key server for CapROS. Like most
>>>real-world programming, it faced a deadline. What I needed from a language
>>>was:
>>>
>>> Familiarity - I learn languages slowly, and time spent learning a new one
>>> needs to be justified.
>>>
>>> Reliability - I don't want to spend time debugging the compiler and I
>>> really don't want to debug a code generator which changes the semantics
>>> of my program.
>>>
>>> Minimal environment - The compiler and runtime should not depend on
>>> anything but the non-privileged architecture of the hardware platform.
>>> All privileged instructions/system calls should come from library
>>> routines[1].
>>>
>>> Library routines for required subsystems - I needed a SSL/TLS
>>> implementation and ended up using OpenSSL, which is written in C. Being
>>> able to call C programs would cover a lot of this requirement.
>>>
>>> Support for the target platform(s).
>>>
>>>The question is, what memory-safe languages even begin to meet these
>>>requirements?
>>
>>Does Java meet your requirements?
>
> Java fails on several grounds:
>
> Excessively slow start up times.
>
> Needs a file system to read class files and issue error messages for
> uncaught exceptions.
I think the first part is true for the bootstrap classloader -- I'm
not familiar enough with the native JVM embedding APIs. I'm pretty
sure the last part is not true; see
http://java.sun.com/j2se/1.5.0/docs/api/java/lang/Thread.html#setDefaultUncaughtExceptionHandler(java.lang.Thread.UncaughtExceptionHandler)
> Does it support the ARM chip?
>
> Which is too bad, because it is a language I already know and like. Its
> string functions would make parsing HTTP protocol fairly pleasant. (C's use
> of NUL as a string terminator makes its string functions unsuitable for
> parsing hostile input. I had to mostly roll my own.)
>
> BTW - We did think of a neat way to apply POLA to make the C implementation
> much safer. It uses an external object to look up the Swiss numbers
> contained in the web keys and relate them to computational objects (CapROS
> objects as well). By not giving the web server the privilege of enumerating
> the contents of that external object, it is in much the same position as an
> external user trying to guess a Swiss number. It does have the advantage of
> being able to check guesses faster, but more bits in the Swiss number can
> cover for that.
>
> This use of POLA means that someone that manages to change one instance of
> the server code can't leverage it into an attack on all the objects that
> are served by that server.
>
> Cheers - Bill
>
> -------------------------------------------------------------------------
> Bill Frantz | Airline peanut bag: "Produced | Periwinkle
> (408)356-8506 | in a facility that processes | 16345 Englewood Ave
> www.pwpconsult.com | peanuts and other nuts." - Duh | Los Gatos, CA 95032
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk
>
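Bill's remark above that C's NUL-terminated string functions are unsuitable for parsing hostile input, illustrated with an added example (this is not code from CapROS or the web-key server; the request-line grammar, the slice type and the sample requests are my own constructions). It contrasts what strlen/strcmp/strstr would see in a received buffer with a length-delimited parser that inspects every byte and rejects an embedded NUL instead of silently truncating at it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from CapROS or its web-key server.
   A length-delimited byte slice: nothing below relies on NUL termination. */
typedef struct {
    const unsigned char *p;
    size_t n;
} slice;

typedef struct {
    slice method;
    slice target;
    slice version;
} request_line;

/* How many bytes of buf a NUL-terminated routine (strlen, strcmp, strstr)
   would actually examine. With an embedded NUL this is shorter than len:
   every byte after the NUL is invisible to the C string functions, so a
   parser built on them and the rest of the system disagree about what
   request was received. */
size_t c_string_visible_len(const unsigned char *buf, size_t len) {
    const unsigned char *nul = memchr(buf, '\0', len);
    return nul ? (size_t)(nul - buf) : len;
}

/* Token characters permitted in an HTTP method (RFC 7230 tchar). */
static int is_tchar(unsigned char c) {
    if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
        (c >= '0' && c <= '9'))
        return 1;
    /* strchr would "find" a NUL at the terminator, so exclude it explicitly. */
    return c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* Split *s at the first occurrence of sep: *head gets the bytes before it
   and *s is advanced past it. Returns 0 if sep is absent. */
static int split_at(slice *s, unsigned char sep, slice *head) {
    const unsigned char *q = memchr(s->p, sep, s->n);
    if (!q) return 0;
    head->p = s->p;
    head->n = (size_t)(q - s->p);
    s->n -= head->n + 1;
    s->p = q + 1;
    return 1;
}

static int slice_eq(slice s, const char *lit) {
    size_t n = strlen(lit);
    return s.n == n && memcmp(s.p, lit, n) == 0;
}

/* Parse "METHOD SP request-target SP HTTP/1.x CRLF" from exactly len bytes.
   Returns 0 on success, -1 on any malformed input. Every byte of the line
   is checked; an embedded NUL is a control character and rejects the line. */
int parse_request_line(const unsigned char *buf, size_t len, request_line *out) {
    slice line = { buf, len };
    slice rest;
    size_t i;

    /* Must end in CRLF; no other CR, LF, NUL or control byte may appear. */
    if (len < 2 || buf[len - 2] != '\r' || buf[len - 1] != '\n') return -1;
    line.n -= 2;
    for (i = 0; i < line.n; i++) {
        unsigned char c = line.p[i];
        if (c < 0x20 || c == 0x7f) return -1;
    }

    rest = line;
    if (!split_at(&rest, ' ', &out->method)) return -1;
    if (!split_at(&rest, ' ', &out->target)) return -1;
    out->version = rest;   /* any extra SP lands here and fails the version check */

    if (out->method.n == 0) return -1;
    for (i = 0; i < out->method.n; i++)
        if (!is_tchar(out->method.p[i])) return -1;
    if (out->target.n == 0) return -1;
    if (!slice_eq(out->version, "HTTP/1.1") && !slice_eq(out->version, "HTTP/1.0"))
        return -1;
    return 0;
}

/* 1 if the bytes form a valid request line, 0 otherwise. */
int request_line_ok(const char *s, size_t len) {
    request_line rl;
    return parse_request_line((const unsigned char *)s, len, &rl) == 0;
}

int main(void) {
    /* Constructed hostile input: a NUL byte inside the request target. */
    static const unsigned char hostile[] = "GET /admin\0/public HTTP/1.1\r\n";
    size_t hlen = sizeof hostile - 1;   /* 29 bytes, embedded NUL included */

    printf("strlen-style code sees %zu of %zu bytes: \"%s\"\n",
           c_string_visible_len(hostile, hlen), hlen, (const char *)hostile);
    printf("length-delimited parser: %s\n",
           request_line_ok((const char *)hostile, hlen) ? "accepted" : "rejected");
    return 0;
}
```

The point of the slice type is that the parser's notion of "the request" is the same byte range the kernel handed over, so a hostile client cannot make the access check and the rest of the server disagree about which target was asked for.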