On Mon, Nov 24 2014, Ronald L. Rivest <[email protected]> wrote:

> Google for "uninitialized security" to find numerous instances
> of security violations and unreliability problems caused by the
> use of uninitialized variables, and numerous security advisories
> warning of problems caused by the (perhaps inadvertent) use
> of uninitialized variables.

AFAIK Julia was not intended for applications that need to be secure. Consequently, it may not be the best language for implementing the next kernel, SSH server, etc. Besides the issue that you brought up, it may have other vulnerabilities; for example, I suspect that if you implement crypto naively in Julia it may be vulnerable to timing attacks because of the dynamic nature of the language.

Given that initialization has a cost (however minor), I think it is reasonable not to initialize when in 99% of the cases the array will be filled anyway with values that are actually computed using other data.

> You can't reasonably ask all programmers to properly initialize
> their allocated storage manually any more than you can ask them
> to test all indices before accessing an array manually; these are
> things that a high-level language should do for you.

Sorry, I may be missing something, but if you are not filling an array with values, why did you create it in the first place? If you just need a bunch of zeroes, you should probably use sparse data structures.

> There is no efficiency argument here in favor of uninitialized storage
> that can outweigh the security and reliability disadvantages...

All these considerations are subjective and application-dependent; I doubt that there is a general rule. Some high-level languages use uninitialized arrays; Common Lisp is an example.

Best,

Tamas
