[e-lang] Ivan Krstic on Language Security

Toby Murray toby.murray at comlab.ox.ac.uk
Tue Mar 10 04:14:34 EDT 2009


People might be interested in a fairly humorous post by Ivan Krstic on
language security:

http://radian.org/notebook/languages-and-security-reading

To quote:

> If I had to grossly overgeneralize, I’d say people looking at language
> security fall in roughly three schools of thought:
> 
>      1. The “My name is Correctness, king of kings” people say that
>         security problems are merely one manifestation of
>         incorrectness, which is dissonance between what the program is
>         supposed to do and what its implementation actually does. This
>         tends to be the group led by mathematicians, and you can
>         recognize them because their solutions revolve around proofs
>         and the writing and (automatic) verification thereof.
>      2. The “If you don’t use a bazooka, you can’t blow things up”
>         people say that security problems are a byproduct of exposing
>         insufficiently intelligent or well-trained programmers to
>         dangerous language features that don’t come with a safety
>         interlock. You can identify these guys because they tend to
>         make new languages that no one uses, and frequently describe
>         them as “like popular language X but safer”.
>      3. The “We need to change how we fundamentally build software”
>         people say that security problems are the result of having
>         insufficiently fine-grained methods for delegating individual
>         bits of authority to individual parts of a running program,
>         which traditionally results in all parts of a program having
>         all the authority, which means the attack surface becomes a
>         Cartesian product of every part of the program and every bit
>         of authority which the program uses. You can spot these guys
>         because they tend to throw around the phrase
>         “object-capability model”.
> 
> Now, while I’m already grossly overgeneralizing, I think the first
> group is almost useless, the second group is almost irrelevant, and
> the third group is absolutely horrible at explaining what the hell
> they’re talking about.

God help those of us who fall into more than one of these groups ;)

Cheers

Toby
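The third school in the quoted post, the object-capability one, is the one this list exists for, and its "Cartesian product" point is easier to see in code than in prose. The following is an added example, not code from the post or from Krstic's article: a small in-memory store stands in for a real resource, and the only way to touch it is through capability objects that can be narrowed (attenuated) before being handed to a component. A component given a read capability for one subtree has no path to the rest of the store, so its share of the attack surface is what it was granted rather than "every part times every authority". The class and function names (`Store`, `ReadCap`, `ReadWriteCap`, `report_plugin`) are assumptions for the illustration. Python itself does not enforce capability discipline (a determined component could still reach `_store` by introspection); a capability-secure language such as E, or a membrane around the object, is what closes that gap, and the comments say so.

```python
"""Object-capability style delegation of authority (constructed illustration).

The Store is the raw resource: holding a reference to it is full authority.
Components are handed capabilities instead, and capabilities can only be
narrowed, never widened, so the authority a component holds is exactly the
authority it was delegated.
"""
from typing import Dict


class AuthorityError(PermissionError):
    """Raised when a holder tries to act outside the authority it was given."""


class Store:
    """The underlying resource (an in-memory 'filesystem' for the example)."""

    def __init__(self, files: Dict[str, str]):
        self._files = dict(files)

    def read(self, path: str) -> str:
        return self._files[path]

    def write(self, path: str, data: str) -> None:
        self._files[path] = data


class ReadCap:
    """Read-only capability attenuated to one path prefix.

    It exposes no method that returns the Store, so a holder cannot climb
    back to full authority through the API. (Python does not stop a holder
    from poking at `_store` directly; a capability-secure language, or a
    membrane that proxies these objects, is what enforces that.)
    """

    def __init__(self, store: Store, prefix: str):
        self._store = store
        self._prefix = prefix

    def _check(self, path: str) -> None:
        if not path.startswith(self._prefix):
            raise AuthorityError(f"no authority for {path}")

    def read(self, path: str) -> str:
        self._check(path)
        return self._store.read(path)

    def attenuate(self, subprefix: str) -> "ReadCap":
        """Derive a narrower capability. Always returns a read-only cap, so
        attenuating a ReadWriteCap also drops the write authority."""
        if not subprefix.startswith(self._prefix):
            raise AuthorityError(f"cannot widen {self._prefix} to {subprefix}")
        return ReadCap(self._store, subprefix)


class ReadWriteCap(ReadCap):
    """Read-write capability for a prefix; typically held only by the root."""

    def write(self, path: str, data: str) -> None:
        self._check(path)
        self._store.write(path, data)


def report_plugin(cap: ReadCap) -> str:
    """An untrusted component. It has no global handle on the Store; the
    only authority in scope is the capability it was passed."""
    return cap.read("/reports/q1.txt").upper()


def demo() -> dict:
    """Wire it together on constructed data and record what the plugin can
    and cannot do with its attenuated capability."""
    store = Store({"/reports/q1.txt": "revenue up",
                   "/secrets/api_key": "constructed-secret"})
    root = ReadWriteCap(store, "/")          # full authority, kept by the host
    reports = root.attenuate("/reports/")    # read-only, one subtree

    result = {"plugin_output": report_plugin(reports)}
    try:
        reports.read("/secrets/api_key")
        result["secret_leaked"] = True
    except AuthorityError:
        result["secret_leaked"] = False
    try:
        reports.attenuate("/")               # attempt to widen
        result["widened"] = True
    except AuthorityError:
        result["widened"] = False
    result["can_write"] = hasattr(reports, "write")
    return result


if __name__ == "__main__":
    print(demo())
```

Running it shows the plugin producing its report while every attempt to read outside `/reports/`, to widen the prefix, or to write fails: the attack surface contributed by that component is one read-only subtree, not the product of every component and every authority the program holds.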


