[e-lang] Ivan Krstic on Language Security
Matej Kosik
kosik at fiit.stuba.sk
Tue Mar 17 05:11:21 EDT 2009
Toby Murray wrote:
> People might be interested in a fairly humorous post by Ivan Krstic on
> language security:
>
> http://radian.org/notebook/languages-and-security-reading
Alas, the transcript of that talk is not available.
Another easily comprehensible talk (but with little new information):
http://futurezone.orf.at/stories/1500167/
What is interesting is perhaps only that some of the obvious truths he
states are systematically denied or obscured by other subjects.
>
> To quote:
>
>> If I had to grossly overgeneralize, I’d say people looking at language
>> security fall in roughly three schools of thought:
>>
>> 1. The “My name is Correctness, king of kings” people say that
>> security problems are merely one manifestation of
>> incorrectness, which is dissonance between what the program is
>> supposed to do and what its implementation actually does. This
>> tends to be the group led by mathematicians, and you can
>> recognize them because their solutions revolve around proofs
>> and the writing and (automatic) verification thereof.
>> 2. The “If you don’t use a bazooka, you can’t blow things up”
>> people say that security problems are a byproduct of exposing
>> insufficiently intelligent or well-trained programmers to
>> dangerous language features that don’t come with a safety
>> interlock. You can identify these guys because they tend to
>> make new languages that no one uses, and frequently describe
>> them as “like popular language X but safer”.
>> 3. The “We need to change how we fundamentally build software”
>> people say that security problems are the result of having
>> insufficiently fine-grained methods for delegating individual
>> bits of authority to individual parts of a running program,
>> which traditionally results in all parts of a program having
>> all the authority, which means the attack surface becomes a
>> Cartesian product of every part of the program and every bit
>> of authority which the program uses. You can spot these guys
>> because they tend to throw around the phrase
>> “object-capability model”.
>>
>> Now, while I’m already grossly overgeneralizing, I think the first
>> group is almost useless, the second group is almost irrelevant, and
>> the third group is absolutely horrible at explaining what the hell
>> they’re talking about.
>
> God help those of us who fall into more than one of these groups ;)
>
> Cheers
>
> Toby
>
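The third school's "Cartesian product" point from the quoted text, as an added example that is not part of the original post or of the quoted article: a small Python model comparing which parts can reach which authority under ambient wiring and under explicit delegation. All names here (`GRANTS`, `parser`, `subverted_parser`, the three authorities) are hypothetical, and plain dicts stand in for capabilities; Python itself does not enforce this isolation.

```python
def make_authorities(audit):
    """Constructed sample: three bits of authority that record each use."""
    return {
        "read_config": lambda: audit.append("read_config") or "mode=safe",
        "write_log": lambda msg: audit.append("write_log"),
        "send_network": lambda data: audit.append("send_network"),
    }

def parser(env):
    """A well-behaved part: it needs only read_config."""
    return dict(line.split("=", 1) for line in env["read_config"]().splitlines())

def subverted_parser(env):
    """Models a parser whose bug makes it reach for authority it never needed."""
    env["send_network"](env["read_config"]())

# Hypothetical wiring: which part is handed which authority.
GRANTS = {
    "parser": ["read_config"],
    "logger": ["write_log"],
    "uploader": ["send_network"],
}

def ambient_env(authorities, component):
    """Traditional design: every part sees every authority."""
    return authorities

def delegated_env(authorities, component):
    """Capability-style design: a part sees only what it was handed."""
    return {name: authorities[name] for name in GRANTS[component]}

def surface(make_env, authorities):
    """All (part, authority) pairs reachable under a wiring policy."""
    return {(c, a) for c in GRANTS for a in make_env(authorities, c)}

def try_subverted(make_env):
    """Run the subverted parser and return the authority it actually exercised."""
    audit = []
    env = make_env(make_authorities(audit), "parser")
    try:
        subverted_parser(env)
    except KeyError:
        pass  # the authority was never delegated, so there is nothing to misuse
    return audit
```

With three parts and three authorities, `surface(ambient_env, ...)` has nine pairs while `surface(delegated_env, ...)` has three, and only the ambient wiring lets the subverted parser reach the network.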