[e-lang] An attack on a mint

David Wagner daw at cs.berkeley.edu
Tue Mar 4 18:24:07 EST 2008


Tyler Close writes:
>Suppose a rewrite like:
>
>    int take(final PurseX src) {
>           if (dead) { throw new NullPointerException(); }
>           if (src.dead) { throw new NullPointerException(); }
>
>           // subtract the credits from the source
>           final int r = src.balance;
>           src.balance = 0;
>
>           // add the credits to the destination
>           balance += r;
>
>           return r;
>       }
>
>Is such a layout sufficient to discourage reversion to the previous state?

Well, I don't quite see how this helps.  I doubt it would be enough to
save me from myself.  Those comments wouldn't cue me in on the security
implications of aliasing src to this.

Frankly, when I read those comments, my brain skips across them, because
my first reaction is to interpret them as akin to the canonical example:
  i = i+1; // increment i
My reaction was that the comments tell me what the code is doing (which
I can already tell just by looking at the code) rather than why it is done
that way and mustn't be done some other way.  I tend to push those kinds
of comments out of mind, because (a) they don't tell me anything new,
and (b) I can't trust them anyway.

I don't have a better solution.  To protect me from myself, I suspect
the comments would either have to provide something to wake me up to
force me to think separately about the case src==this, or would have
to say something like "Don't change this code, you dummy -- it's more
subtle than you think!".
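To make the src == this case concrete, here is an added example (not code from the thread): a minimal PurseX in the shape of the quoted take(), with an assumed constructor, an assumed takeGuarded() that states the aliasing check in code rather than in a comment, and a constructed total() used to check that the self-alias call neither creates nor destroys credits.

```java
// Added example, not from the thread. The class shape, constructor,
// takeGuarded() and total() are assumptions for the demonstration.
final class PurseX {
    int balance;
    boolean dead;

    PurseX(int initial) { balance = initial; }

    // Statement order as quoted in the thread: read, zero the source, credit.
    int take(final PurseX src) {
        if (dead) { throw new NullPointerException(); }
        if (src.dead) { throw new NullPointerException(); }
        // When src == this, the write to src.balance is a write to this.balance,
        // so the order of the next three statements is what keeps the total
        // conserved. Re-check the src == this case before reordering them.
        final int r = src.balance;
        src.balance = 0;
        balance += r;
        return r;
    }

    // Explicit guard: the "wake-up" for src == this expressed as a check the
    // compiler and a test can see, instead of a comment a reader may skip.
    int takeGuarded(final PurseX src) {
        if (src == this) { throw new IllegalArgumentException("src == this"); }
        return take(src);
    }

    // Constructed helper: sum of all balances, used to check conservation.
    static int total(PurseX... purses) {
        int t = 0;
        for (PurseX p : purses) { t += p.balance; }
        return t;
    }

    static void check(boolean cond, String what) {
        if (!cond) { throw new AssertionError(what); }
    }

    public static void main(String[] args) {
        PurseX a = new PurseX(10), b = new PurseX(5);
        int before = total(a, b);
        a.take(b);                       // ordinary transfer: a=15, b=0
        check(total(a, b) == before, "transfer must conserve credits");
        int r = a.take(a);               // self-alias: r=15, a stays 15
        check(r == 15 && a.balance == 15 && total(a, b) == before, "self-alias");
        try { a.takeGuarded(a); check(false, "guard must reject src == this"); }
        catch (IllegalArgumentException e) { /* expected */ }
        System.out.println("credits conserved across all calls: " + total(a, b));
    }
}
```

Running main() exercises the self-aliasing path that the quoted comments never name, so a later reordering of the three statements in take() fails the conservation check instead of silently changing behaviour.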
