[e-lang] An attack on a mint

Karp, Alan H alan.karp at hp.com
Tue Mar 4 11:23:33 EST 2008


MarkM wrote:
>
> This brings us back to what's so scary about all this: when writing
> security code, even if you do write it correctly at first, the amount
> of rationale that needs to be captured per line of code is much
> greater than I can imagine being captured by any process people can
> use. Without capturing this rationale, we need some other form of
> cross-check to ensure that security isn't lost under maintenance -- as
> I have done here for one of my own most beloved and well examined
> examples.
>
Literate programming can help here, but programmers need the discipline of changing the vernacular before changing the code.  That can be done but rarely is under time pressure.  What about pragma assertions?  They can be turned into compile time or run time checks of invariants.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
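An added example, not code from this message or from the E mint: a minimal mint/purse model in Python where the security invariants (money is neither created nor destroyed, no balance goes negative, purses of another mint are refused) are checked explicitly at run time after every transfer, in the spirit of the run-time invariant checks suggested above. Names and structure are my own, loosely modelled on the classic mint/purse pattern.

```python
# Constructed example: a mint that tracks the purses it issues so that a
# global invariant can be checked after each operation. Python's `assert`
# is dropped under `python -O`, so the checks are explicit raises instead.

class Purse:
    def __init__(self, mint, balance):
        self._mint = mint
        self._balance = balance

    def get_balance(self):
        return self._balance

    def sprout(self):
        """A fresh, empty purse of the same mint."""
        return self._mint.make_purse(0)

    def deposit(self, amount, src):
        """Move `amount` from `src` into this purse, then re-check invariants."""
        if src._mint is not self._mint:
            raise ValueError("source purse belongs to a different mint")
        if not 0 <= amount <= src._balance:
            raise ValueError("amount must lie between 0 and the source balance")
        src._balance -= amount
        self._balance += amount
        self._mint.check_invariants()


class Mint:
    def __init__(self):
        self._purses = []   # every purse this mint has issued
        self._issued = 0    # total money ever minted

    def make_purse(self, balance):
        if balance < 0:
            raise ValueError("balance must be non-negative")
        purse = Purse(self, balance)
        self._purses.append(purse)
        self._issued += balance
        return purse

    def total_issued(self):
        return self._issued

    def check_invariants(self):
        """Invariants every operation must preserve; raises on violation."""
        total = sum(p._balance for p in self._purses)
        if total != self._issued:
            raise AssertionError("invariant broken: money created or destroyed")
        if any(p._balance < 0 for p in self._purses):
            raise AssertionError("invariant broken: negative balance")
        return True
```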
