Victor Duchovni wrote:
On Thu, Sep 15, 2005 at 08:51:02PM -0700, Bill Frantz wrote:
On 9/13/05, [EMAIL PROTECTED] (Perry E. Metzger) wrote:
Generally speaking, I think software with a security impact should not
be written in C.
I agree. I also note that Paul A. Karger and Roger R. Schell, in their
paper, "Thirty Years Later: Lessons from the Multics Security
Evaluation" state:
While some of the fault is perhaps in the core language, my contention is
that the real problem is the anemic standard C-library. When working on C
projects that have (and uniformly use) their own mature string handling
libraries (I was a contributor to Tcl in the 90's and am now working
in Postfix) I found that buffer overflows (and with Tcl for reasons I
won't go into here also memory leaks) were a non-issue in those systems.
With either Tcl_DString or VSTRING (Postfix), one simply loses the
habit of needing to keep track of buffer lengths. When combined with a
compatible I/O interface (say VSTREAM), argument vector library (ARGV)
hash table library, ... one no longer in practice manipulates bare
null-terminated string buffers except when passing (usually read-only)
content to system calls via the C-library.
I continue to write code in C, free of buffer overflows and memory leaks,
not because I am more manly than the next programmer, but because I am
attracted to working on well-designed systems, whose designers took the
time to develop a richer set of idioms in which to construct their work.
My view is that C is fine, but it needs a real library and programmers
who learn C need to learn to use the real library, with the bare-metal
C-library used only by library developers to bootstrap new safe
primitives.
So wouldn't the world be a better place if we could all agree on a
single such library? Or at least, a single API. Like the STL is for C++.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
