[e-lang] Ivan Krstic on Language Security

Mark Miller erights at gmail.com
Thu Mar 12 22:52:38 EDT 2009


Spawned a good discussion of ocaps on LtU:
http://lambda-the-ultimate.org/node/3230

On Tue, Mar 10, 2009 at 1:14 AM, Toby Murray
<toby.murray at comlab.ox.ac.uk> wrote:
> People might be interested in a fairly humorous post by Ivan Krstic on
> language security:
>
> http://radian.org/notebook/languages-and-security-reading
>
> To quote:
>
>> If I had to grossly overgeneralize, I’d say people looking at language
>> security fall in roughly three schools of thought:
>>
>>      1. The “My name is Correctness, king of kings” people say that
>>         security problems are merely one manifestation of
>>         incorrectness, which is dissonance between what the program is
>>         supposed to do and what its implementation actually does. This
>>         tends to be the group led by mathematicians, and you can
>>         recognize them because their solutions revolve around proofs
>>         and the writing and (automatic) verification thereof.
>>      2. The “If you don’t use a bazooka, you can’t blow things up”
>>         people say that security problems are a byproduct of exposing
>>         insufficiently intelligent or well-trained programmers to
>>         dangerous language features that don’t come with a safety
>>         interlock. You can identify these guys because they tend to
>>         make new languages that no one uses, and frequently describe
>>         them as “like popular language X but safer”.
>>      3. The “We need to change how we fundamentally build software”
>>         people say that security problems are the result of having
>>         insufficiently fine-grained methods for delegating individual
>>         bits of authority to individual parts of a running program,
>>         which traditionally results in all parts of a program having
>>         all the authority, which means the attack surface becomes a
>>         Cartesian product of every part of the program and every bit
>>         of authority which the program uses. You can spot these guys
>>         because they tend to throw around the phrase
>>         “object-capability model”.
>>
>> Now, while I’m already grossly overgeneralizing, I think the first
>> group is almost useless, the second group is almost irrelevant, and
>> the third group is absolutely horrible at explaining what the hell
>> they’re talking about.
>
> God help those of us who fall into more than one of these groups ;)
>
> Cheers
>
> Toby
>
> _______________________________________________
> e-lang mailing list
> e-lang at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/e-lang
>



-- 
Text by me above is hereby placed in the public domain

    Cheers,
    --MarkM
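To make the third school's point concrete (a program whose parts all hold all the authority has an attack surface of parts times authorities, while explicit delegation hands each part only what it needs), here is a small added illustration in Python. It is not code from the message, from Krstic's post, or from the E project; the in-memory store, the DirCap class and the summarize_log components are constructed for this example.

```python
"""Ambient authority vs. object-capability delegation (constructed example)."""
import posixpath

# Constructed in-memory "filesystem". Every entry is reachable by any code
# that can name a path, which models ambient authority.
STORE = {
    "/etc/config": "db_password=hunter2",
    "/var/log/app.log": "2009-03-10 started",
    "/home/user/notes.txt": "todo: read LtU thread",
}


def ambient_read(path: str) -> str:
    """Ambient-authority read: the caller's power is 'everything in STORE'."""
    return STORE[path]


def ambient_authority() -> set:
    """Authority reachable by any component using ambient_read: the whole store."""
    return set(STORE)


class DirCap:
    """A capability to read files below one directory prefix (constructed).

    Holding a DirCap is the only way to read through it, and it can be
    attenuated to a subdirectory but never widened back up.
    """

    def __init__(self, store: dict, prefix: str):
        self._store = store
        self._prefix = prefix if prefix.endswith("/") else prefix + "/"

    def _resolve(self, name: str) -> str:
        # Normalise away "." and ".." so the confinement check cannot be bypassed
        # by naming a path that climbs out of the granted prefix.
        full = posixpath.normpath(self._prefix + name)
        if not full.startswith(self._prefix):
            raise PermissionError(f"{name!r} is outside {self._prefix!r}")
        return full

    def read(self, name: str) -> str:
        return self._store[self._resolve(name)]

    def subdir(self, name: str) -> "DirCap":
        """Attenuate: hand out a strictly narrower capability."""
        return DirCap(self._store, self._resolve(name) + "/")

    def authority(self) -> set:
        """Every entry this capability can ever reach."""
        return {p for p in self._store if p.startswith(self._prefix)}


# The same "log summariser" component written both ways.
def summarize_log_ambient(path: str) -> str:
    # Can name and read any path in STORE, including /etc/config.
    return ambient_read(path).upper()


def summarize_log(log_dir: DirCap) -> str:
    # Can only read what its caller chose to delegate.
    return log_dir.read("app.log").upper()


def main() -> None:
    root = DirCap(STORE, "/")
    logs = root.subdir("var/log")
    print("ambient component can reach:", sorted(ambient_authority()))
    print("cap component can reach:    ", sorted(logs.authority()))
    print(summarize_log(logs))
    try:
        logs.read("../../etc/config")
    except PermissionError as exc:
        print("confined:", exc)


if __name__ == "__main__":
    main()
```

The point of the `authority()` method is the one Krstic attributes to the ocap school: with ambient_read, each component's reachable authority is the whole store, so adding a component adds a full row to the product; with a DirCap, the reachable set is exactly what was delegated, and attenuation only shrinks it.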

