Insecure Macho Love
started 4/5/2003; 9:46:09 AM - last post 4/12/2003; 7:57:28 AM
|
|
Patrick Logan - Insecure Macho Love
4/5/2003; 9:46:09 AM (reads: 1499, responses: 22)
|
|
|
Noel Welsh - Re: Insecure Macho Love
4/8/2003; 2:57:49 AM (reads: 1501, responses: 1)
|
|
It appears to be the case. Witness the recent buffer overflow error in Samba:
http://www.digitaldefense.net/labs/advisories/DDI-1013.txt
Arguably this is an application that should be written in a compiled language, as throughput is critical. Unfortunately there aren't many good alternatives to C in this space - O'Caml is probably the best.
|
|
Ehud Lamm - Re: Insecure Macho Love
4/8/2003; 3:48:40 AM (reads: 1546, responses: 0)
|
|
there aren't many good alternatives to C in this space
Huh?
|
|
Noel Welsh - Re: Insecure Macho Love
4/8/2003; 6:24:11 AM (reads: 1506, responses: 3)
|
|
I was trolling. No, seriously, if you were to build an operating system service out of the currently available tools, what would you use? I don't mean if you were to start a research project to build the tools to build the service. I mean if you actually wanted to take the shortest path between nothing, and say, a working SMB server (i.e. Samba). O'Caml is the only language I know apart from C that provides the low-level support necessary to do this, whilst still being significantly better than C.
PS: I'm not being facetious
|
|
Ehud Lamm - Re: Insecure Macho Love
4/8/2003; 6:50:11 AM (reads: 1527, responses: 0)
|
|
I think most languages are significantly better than C (take Ada for example).
However, I'd choose C, of course, seeing as everybody else uses it and that surely means it's the best language around.
Come to think of it, I think I'd choose Java. There is so much research on making Java efficient, it must be the fastest language around..
|
|
andrew cooke - Re: Insecure Macho Love
4/8/2003; 7:00:52 AM (reads: 1539, responses: 1)
|
|
Cyclone would look like an improvment over C, but surely Erlang would be an obvious choice for anything serverish. And any language that compiles via C would allow you to hook into C (only) when necessary (so you could use Mercury and be the first on the block to have a declarative samba server ;o).
And then there's ADA, but I'm sure others here can make a better case than me....
|
|
Frank Atanassow - Re: Insecure Macho Love
4/8/2003; 8:50:40 AM (reads: 1504, responses: 0)
|
|
From the article:
There is also a macho streak in programmers: a tendency to believe that one's own code is well-written, and a corresponding belief that real coders, like fighter pilots, work as close as possible to the bare metal
Interesting analogy. I think of a modern fighter pilot as the closest thing we have to a cyborg: about as far away from bare metal as you can get. For me, `bare metal' conjures up images of that guy who stands in the engine of a train, shoveling coal into the furnace.
|
|
Noel Welsh - Re: Insecure Macho Love
4/8/2003; 8:51:39 AM (reads: 1488, responses: 0)
|
|
Erlang - of course. A momentary lapse of reason.
|
|
Matt Hellige - Re: Insecure Macho Love
4/8/2003; 8:54:54 AM (reads: 1568, responses: 0)
|
|
I second both OCaml and Erlang. Haskell's certainly an option as well, if you're so inclined. But none of these address one of the most fundamental problems: C is ubiquitous. And in the open-source community, that can make all the difference between your project being popular or not. And popularity is important. If no one uses your Samba server but you, no one will be there to help you maintain and extend it, no one will be there to find bugs, and so on. Also, the net will still be populated by buggy Samba servers with rampant buffer overflows, and being able to sit on your secure machine and say "I told you so" will probably be pretty cold comfort.
I realize that this is a chicken/egg problem, but it's one that is really very significant, and it can be solved. Python is now almost as widely installed as perl or gcc, and in fact is more widely installed than previously accepted tools like bash/sed/awk. It's hard to say how this happened, but if you look at the history, it seems to happen a lot more often with interpreters than with compilers, and my suspicion is that the best (only?) way to acheive compiler ubiquity is to sneak a compiler in with a "scripting" language.
Until people can download and build their project (preferably more or less automatically with autoconf or similar) without first having to download and build the (probably huge) compiler, many (I would guess most) open source programmers would not consider a development tool a serious option. Unless, of course, the compiler is small enough to be distributed in a platform-neutral form with the project source (as is often the case for parser generators or tools of similar heft). Incidentally, this pretty much means the compiler must be written in C (or a ubiquitous scripting language).
I honestly think this issue is almost as important as language issues per se. If I were undertaking a new project, particularly a server project (samba, an SMTP server, a web server, etc.) I would honestly be quite torn between choosing a "decent" compiled language (like Erlang, OCaml, Bigloo Scheme) and a ubiquitous scripting language (probably Python), in the trust that while my Python program would probably be buggier at first, the advantage of having lots of users, especially users who could also help out with the code, would more than compensate. As much as I prefer compiled languages, and as much as I prefer static typing, I have actually personally found this to be the case. So, for a larger project, I would really have a legitimately hard decision to make.
I'm sure I could go on, but this is more than long enough already, and I guess I sort of changed the subject anyway... Hope it's not too off-topic!
|
|
Michael Vanier - Re: Insecure Macho Love
4/8/2003; 3:19:20 PM (reads: 1475, responses: 0)
|
|
When I teach C to undergrads, I point out to them that one of the only reasons you would ever want to use C is if you needed bare-metal access to the machine. I'm trying to make fun of the macho attitude, but very few of the students I get actually have it. I suspect that most of the macho types wouldn't be caught dead taking a PL class; that would be tantamount to admitting that they didn't know everything already ;-)
I think that there is a need for languages that deal with bare-metal programming, whether we like it or not. C fills that need. I really like the idea of Cyclone (or Vault from the C++ side); to have low-level capabilities in a safe language would be *extremely* nice.
|
|
Isaac Gouy - Re: Insecure Macho Love
4/9/2003; 12:46:19 PM (reads: 1439, responses: 1)
|
|
most languages are significantly better than C (take Ada for example)
LtU departments provide evidence for Ada being "better" than C.
Ada is preferred for high integrity software systems (CENELEC recommendations):
SWSIL | 0 | 1 | 2 | 3 | 4 |
ADA | R | HR | HR | R | R |
Subset of ADA | R | HR | HR | HR | HR |
'C' or C++ (unrestricted) | R | - | - | NR | NR |
Subset of C or C++ with coding standards | R | R | R | R | R |
NR = not recommended,
- = no recommendation either way,
R = recommended,
HR = highly recommended
The only question-mark I've come across is this (I don't know how true it is):
"Many Safety Critical programs do lots of I/O to funny bits of hardware. I've seen some ghastly bits of Ada (especially SPARK) to get round the "good features" of the language (and the compiler) to be able to interact correctly with the hardware. Here the programs are worse (in the easy to read, etc. sense) than the equivalent in C or assembler where you wouldn't have the torture to get the hardware to do what you want." John McDermid in Safety-Critical moderated discussion
|
|
Ehud Lamm - Re: Insecure Macho Love
4/9/2003; 12:54:24 PM (reads: 1472, responses: 0)
|
|
This is nonsense.
Ada provides many features that are intended to ease accessing the hardware safely.
SPARK is not a "ghastly bit of Ada" but rather a language dervide from Ada that help information flow static analysis.
|
|
Isaac Gouy - Re: Insecure Macho Love
4/9/2003; 1:11:55 PM (reads: 1436, responses: 1)
|
|
This is nonsense
Well, maybe I've quoted out-of-context.
As-far-as I can tell, John McDermid does have experience with high integrity systems.
|
|
Ehud Lamm - Re: Insecure Macho Love
4/9/2003; 1:24:15 PM (reads: 1475, responses: 0)
|
|
I don't know about him. I do know about Ada...
Anyway, if you are itnerested in high integerity coding and Ada, you should take a look at these guidelines. Section 5.9 deals with low level programming.
By the way, I am no= great fan of SPARK, but that's beacuse it doesn't support high level features (e.g., inheritance, various kinds of generics, recursion etc.) not beacuse it restrict low level access. But anyway, like I said, SPARK isn't Ada.
|
|
Isaac Gouy - Re: Insecure Macho Love
4/9/2003; 5:15:16 PM (reads: 1417, responses: 1)
|
|
So there is a safe, proven, alternative to C - for "bare-metal" "low-level" programming - it's called Ada.
Are we just burdened by history? The name-recognition that comes from unices having been written in C. The sheer mass of C programmers. Popularity breeding popularity.
Ada is even free! GNAT is based on gcc.
Is it that MS Visual Studio doesn't include Ada, and Intel don't provide an Ada compiler?
|
|
Ehud Lamm - Re: Insecure Macho Love
4/10/2003; 12:06:04 AM (reads: 1450, responses: 0)
|
|
All these are part of the story, and indeed there are many more factors (the DOD's deadly embrace of Ada was once a problem; the language is bondage-and-discipline etc.)
But in the high integrity/mission critical/real time martkets Ada is a strong player (much more than in the application world).
It is useful to keep in mind that there are several language markets, not just one. In fact, I think both COBOL and Fortran are still dominant in some fields.
|
|
Isaac Gouy - Re: Insecure Macho Love
4/10/2003; 7:33:49 AM (reads: 1408, responses: 0)
|
|
bondage-and-discipline
Of course! We are talking about real programmers - "Too cool for secure code".
in the high integrity/mission critical/real time markets Ada is a strong player
high-integrity mission-critical real-time
These are the decades' CIO buzzwords
there are several language markets
Of course. The thing that's making me grouchy is the thought of all the folk being still being taught C...
|
|
Frank Atanassow - Re: Insecure Macho Love
4/11/2003; 8:12:25 AM (reads: 1416, responses: 0)
|
|
I don't know why you people say "bondage and discipline" like it's a bad thing... :)
|
|
Chris Rathman - Re: Insecure Macho Love
4/11/2003; 12:15:41 PM (reads: 1391, responses: 1)
|
|
There's a lot going on in programming languages, but most of it has to do with scripting & VMs. There aren't but a handful of Operating Systems that are both widespread in use and actively under development (not to mention almost none that are starting from scratch).
The programming languages designed for these sorts of bootstrap systems seem to have become either niche players (like Ada) or have fallen of the end of the world (Modula 3). Speaking of Modula 3, it'd be my language of choice for implementing an OS, if I were so inclined - providing many of the benefits of Ada while providing facilities for relaxing the constraints when you really need it.
|
|
Ehud Lamm - Re: Insecure Macho Love
4/11/2003; 1:08:20 PM (reads: 1417, responses: 0)
|
|
while providing facilities for relaxing the constraints when you really need it.
Can you give an example of something that is hard/impossible to do in Ada? Thanks.
|
|
Chris Rathman - Re: Insecure Macho Love
4/11/2003; 6:20:00 PM (reads: 1368, responses: 0)
|
|
I was thinking of the ability to isolate unsafe features but I didn't realize that Ada has a similar facility. When your twidling bits or dealing with hardware, interrupts, etc... sometimes it's nice to just skirt around the type system - not that this is really recommended in large doses. In comparison, everything in C is unsafe.
Guess I'd still like Modula-3's OO facilities better... but that would be at the other end of the spectrum. From what I can tell, Modula-3 seems to be the last research effort at a total system implemented in a new language from the ground up. Most of the people at DEC (like Cardelli) gave up on the systems approach and seemingly are concentrating on a little less ambitious problem domains.
|
|
Noel Welsh - Re: Insecure Macho Love
4/11/2003; 11:48:53 PM (reads: 1381, responses: 0)
|
|
There's a lot going on in programming languages, but most of it has to do with scripting & VMs. There aren't but a handful of Operating Systems that are both widespread in use and actively under development.
VM systems (like Java, .Net, Parrot & PLT Scheme) are the new operating systems. The amount of work necessary for a true bootable OS simply outweighs the benefit. If you want to innovate in the kind of abstractions offered by OSes (say security, threading and so forth) the shortest path is to build it on top of an existing abstraction layer (ie OS). There simply isn't much interesting to be said about device drivers any more ;-)
|
|
Isaac Gouy - Re: Insecure Macho Love
4/12/2003; 7:57:28 AM (reads: 1364, responses: 0)
|
|
Our responses to the article Patrick mentioned seem to have followed ideas present in the article:
there's no excuse for a mail client written in C or C++
Response: use a high-level language whenever possible - my favourite high-level language ;-)
Sure.
Although there seem to be obvious, less-contentious, less-fashionable alternatives.
...will inevitably be written in lower-level languages for legitimate performance reasons
Response: for some things you just have to use C
No. Apart from modifying existing C code... ;-)
I seem to remember that Modula-2 compilers produced faster code than C compilers because more optimisations could be applied with the less ambiguous B&D language? (Was that really true?)
Ada seems fine for bare-metal low-level embedded systems - so we don't need C for that.
Are there really any speed/space issues that prevent Ada being used in-place of C?
There simply isn't much interesting to be said about device drivers any more ;-)
Unfortunately, it seems there's still a great deal to be said:
Ironically, one class of software in which the safe language movement has not made many inroads is low-level “infrastructure” software that needs to be highly reliable, like operating systems, database management systems, and Internet servers. Enforcing High-Level Protocols in Low-Level Software
How much of the promise, in the latest attempts to clean-up C - Vault, Cyclone - is already present in Ada?
There's a lot going on... scripting & VMs
And HOT languages.
VM systems (like ...) are the new operating systems
- like (20 year old) Smalltalk... ;-)
|
|
|
|