DJB on writing "boring" programs in C:

> As a boring platform for the portable parts of boring crypto software,
> I'd like to see a free C compiler that clearly defines, and permanently
> commits to, carefully designed semantics for everything that's labeled
> "undefined" or "unspecified" or "implementation-defined" in the C
> "standard". This compiler will provide a comprehensible foundation for
> people writing C code, for people auditing C code, and for people
> formally verifying C code.
> For comparison, gcc and clang both feel entitled to arbitrarily change
> the behavior of "undefined" programs. Pretty much every real-world C
> program is "undefined" according to the C "standard", and new compiler
> "optimizations" often produce new security holes in the resulting object
> code, as illustrated by
>    https://lwn.net/Articles/342330/
>    https://kb.isc.org/article/AA-01167
> and many other examples. Crypto code isn't magically immune to this---
> one can easily see how today's crypto code audits will be compromised by
> tomorrow's compiler optimizations, even if the code is slightly too
> complicated for today's compilers to screw up. A boring C compiler will
> eliminate these nasty surprises; it will prioritize predictability.


https://groups.google.com/d/msg/boring-crypto/48qa1kWignU/o8GGp2K1DAAJ

Will.
_______________________________________________
langsec-discuss mailing list
langsec-discuss@mail.langsec.org
https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
