[SystemSafety] OpenSSL Bug

David Crocker dcrocker at eschertech.com
Thu Apr 10 22:33:40 CEST 2014


The lack of strong typing in C (in particular, the lack of size
information when passing pointers to arrays between functions) is only
part of the issue. The other issue is whether or not array accesses are
bounds-checked. Much application software these days is written in Java
or C#, both of which perform array bounds checks at runtime. When
writing in C++, it is entirely possible to implement array bounds
checks, although sadly none of the standard container libraries in the
STL do this except sometimes in debug builds. Unfortunately, much
systems software continues to be written in C, a language which all but
encourages the programmer to leave out bounds checks and doesn't provide
a reasonable alternative to passing array pointers between functions.

I would like to see:

1. A move from C to C++ or other programming languages for
security-critical systems software (i.e. most of it);

2. Container classes in the C++ standard library that include run-time
bounds checking;

3. Mandatory use of such classes and the banning of naked array pointers
(except in the implementation of such classes), OR formal verification
of the code to ensure that no array bounds violations take place.

David Crocker, Escher Technologies Ltd.
http://www.eschertech.com
Tel. +44 (0)20 8144 3265 or +44 (0)7977 211486

On 10/04/2014 20:06, Derek M Jones wrote:
> Peter,
>
>> There are people here who have defended the use of the programming
>> language C. Shame on you. Yes,
>
> Why pick on C?  All languages have their problems.
>
> Facebook have been doing good stuff to improve the reliability of PHP:
> http://shape-of-code.coding-guidelines.com/2014/03/24/hack-a-template-for-improving-code-reliability/
>
>
>> there are tools; there are reliable tools to check whether C programs
>> adhere to strong-typing
>
> There is no discontinuity that distinguishes weak/strong typing, it is
> a continuum.  Good luck reaching general agreement on where to draw
> the line.
>
> I have worked in languages that have stronger typing than C and
> seen plenty of code in those languages where developers have failed
> to use the strong typing facilities available to them.  Giving
> developers the tools does not mean they will use them (I am a fan
> of stronger typing than is available in C).
>
> Incidentally there is almost no empirical evidence for the benefits
> of using a language having stronger typing.  There are a few studies
> using students on really small problems.  Pointers to good studies
> welcome.
>
>> principles. Etc. AND THEY WERE NOT USED BY PEOPLE WHOM I HAVE UP TO
>> NOW TRUSTED. In other words, you
>> were lying to us about "good practice" amongst "SW developers" using C.
>
> and you are surprised by this (again why pick on just C)?
>