Re: [SystemSafety] OpenSSL Bug from David Crocker on 2014-04-10 (System Safety Mailing List Archive)

From: David Crocker < >
Date: Thu, 10 Apr 2014 21:33:40 +0100

The lack of strong typing in C (in particular, the lack of size information when passing pointers to arrays between functions) is only part of the issue. The other issue is whether or not array accesses are bounds-checked. Much application software these days is written in Java or C#, both of which perform array bounds checks at runtime. When writing in C++, it is entirely possible to implement array bounds checks, although sadly none of the standard container libraries in the STL do this except sometimes in debug builds. Unfortunately, much systems software continues to be written in C, a language which all but encourages the programmer to leave out bounds checks and doesn't provide a reasonable alternative to passing array pointers between functions.

I would like to see:

A move from C to C++ or other programming languages for security-critical systems software (i.e. most of it);
Container lasses in the C++ standard library that include run-time bounds checking;
Mandatory use of such classes and the banning of naked array pointers (except in the implementation of such classes), OR formal verification of the code to ensure that no array bounds violations take place.

David Crocker, Escher Technologies Ltd.
http://www.eschertech.com
Tel. +44 (0)20 8144 3265 or +44 (0)7977 211486

On 10/04/2014 20:06, Derek M Jones wrote:
> Peter,
>
>> There are people here who have defended the use of the programming
>> language C. Shame on you. Yes,
>
> Why pick on C? All language have their problems.
>
> Facebook have been doing good stuff to improve the reliability of PHP:
> http://shape-of-code.coding-guidelines.com/2014/03/24/hack-a-template-for-improving-code-reliability/
>
>
>> there are tools; there are reliable tools to check whether C programs
>> adhere to strong-typing
>
> There is no discontinuity that distinguishes weak/strong typing, it is
> a continuum. Good luck reaching general agreement on where to draw
> the line.
>
> I have worked in languages that have stronger typing than C and
> seen plenty of code in those languages where developers have failed
> to use the strong typing facilities available to them. Giving
> developers the tools does not mean they will use them (I am a fan
> of stronger typing than is available in C).
>
> Incidentally there is almost no empirical evidence for the benefits
> of using a language having stronger typing. There are a few studies
> using students on really small problems. Pointers to good studies
> welcome.
>
>> principles. Etc. AND THEY WERE NOT USED BY PEOPLE WHOM I HAVE UP TO
>> NOW TRUSTED. In other words, you
>> were lying to us about "good practice" amongst "SW developers" using C.
>
> and you are surprised by this (again why pick on just C)?
>

The System Safety Mailing List
systemsafety_at_xxxxxx Received on Thu Apr 10 2014 - 22:33:55 CEST

This archive was generated by hypermail 2.3.0 : Tue Feb 19 2019 - 13:17:06 CET