27 Apr
2016
27 Apr
'16
11:50 a.m.
From: Liam Proven
There's the not-remotely-safe kinda-sorta C in a
web browser,
Javascript.
Love the rant, which I mostly agree with (_especially_ that one). A couple of
comments:
So they still have C like holes and there are frequent
patches and
updates to try to make them able to retain some water for a short time,
while the "cyber criminals" make hundreds of millions.
It's not clear to me that a 'better language' is going to get rid of that,
because there will always be bugs (and the bigger the application, and the
more it gets changed, the more there will be). The vibe I get from my
knowledge of security is that it takes a secure OS, running on hardware that
enforces security, to really fix the problem. (Google "Roger Schell".)
The Lisp Machines and Smalltalk boxes lost the
workstation war. Unix
won, and as history is written by the victors
Custom hardware for running LISP lost (not sure about Smalltalk, don't know
much about it), I am quite sure, mostly because 'mainstream' CPUs got so much
faster/cheaper, because of the volume. I saw this happening in the AI Lab at
MIT: when you could run LISP on a workstation with a vanilla CPU much faster
than a specialized LISP processor, that's all she wrote. (That effect killed
all sorts of things, not just LISP machines, of course.)
Noel
27 Apr
27 Apr
12:15 p.m.
On Apr 27, 2016, at 2:50 PM, Noel Chiappa <jnc at
mercury.lcs.mit.edu> wrote:
...
It's not clear to me that a 'better language' is going to get rid of that,
because there will always be bugs (and the bigger the application, and the
more it gets changed, the more there will be). The vibe I get from my
knowledge of security is that it takes a secure OS, running on hardware that
enforces security, to really fix the problem. (Google "Roger Schell".)
Those things can be useful at times, but they are neither necessary nor sufficient.
For example, while Unix is reasonably secure, application writers have managed to create
massive numbers of security holes that have nothing to do with defects of the OS, and
aren't cured by a better OS. A better language might help (C is the mother of most
security bugs). But the most critical component that is generally missing is a design
attitude that both the design and the implementation need to be CORRECT.
Such design attitudes are very rare. Dijkstra made it his life's mission to promote
this. He demonstrated it in such places as the THE operating system design (read the
paper). Note, by the way, that's a secure system running on hardware that provides no
protection.
By contrast, the common technique of "type in some code, then edit and recompile and
rerun until it seems to work" cannot deliver reliable programs.
paul
1:24 p.m.
It was thus said that the Great Noel Chiappa once stated:
"Every program has at least one bug and can be shortened by at least
one instruction---from which, by induction, one can deduce that
every program can be reduced to one instruction which doesn't work."
Proof: https://en.wikipedia.org/wiki/IEFBR14
From: Liam
Proven
There's the not-remotely-safe kinda-sorta C
in a web browser,
Javascript.
Love the rant, which I mostly agree with (_especially_ that one). A couple of
comments:
So they still have C like holes and there are
frequent patches and
updates to try to make them able to retain some water for a short time,
while the "cyber criminals" make hundreds of millions.
It's not clear to me that a 'better language' is going to get rid of that,
because there will always be bugs (and the bigger the application, and the
more it gets changed, the more there will be). The vibe I get from my
knowledge of security is that it takes a secure OS, running on hardware that
enforces security, to really fix the problem. (Google "Roger Schell".)
We're getting there---on current Macs, not even root can delete all files
anymore. You can still run unsigned programs, but you have to change a
setting for that.
For now.
-spc (Be careful what you wish for)
3:14 p.m.
New subject: Abstraction levels and tool evolution, versus bugs - Re: strangest systems I've sent email from
On 2016-04-27 2:50 PM, Noel Chiappa wrote:
Modern languages can indeed wipe out large classes of bugs (including
many of those that lead to vulnerabilities). But *every* advance in
abstraction does.
I like Professor Benjamin Pierce's way of putting it: "Mechanical checks
of simple properties enormously improve software quality."
This has been called for, with little traction, for a very long time;
one of my favourite calls is by Professor Per Brinch Hansen, recipient
of IEEE Computer Pioneer Medal, in 1972:
"I expect to see many protection rules in future operating
systems...enforced by...type checking at compile time."
-- he assuredly did not have C in mind.
From: Liam
Proven
There's the not-remotely-safe kinda-sorta C
in a web browser,
Javascript.
Love the rant, which I mostly agree with (_especially_ that one). A couple of
comments:
So they still have C like holes and there are
frequent patches and
updates to try to make them able to retain some water for a short time,
while the "cyber criminals" make hundreds of millions.
It's not clear to me that a 'better language' is going to get rid of that,
because there will always be bugs ...
The virulence, level, and number, change. Just think of the change in
the nature and frequency of mechanically missed bugs going between:
assembler to C; C to Java; Java to Haskell; etc.
I'd rather be dealing with only the bugs that get through that sieve,
than deal with malloc/free bullshit or buffer overflows in C.
Ultimately the goal is to deal with the highest value problems, such as
incorrect specifications or assumptions, rather than accidentally
getting a stack offset wrong in one obscure instruction.
Productivity, security, reliability, correctness all demand that we wipe
out as many tiers of bug as we can, with better/more high level tools...
imho of course...
--Toby
Noel
3:50 p.m.
New subject: Abstraction levels and tool evolution, versus bugs - Re: strangest systems I've sent email from
On Wed, 27 Apr 2016, Toby Thain wrote:
Modern languages can indeed wipe out large classes of
bugs (including
many of those that lead to vulnerabilities). But *every* advance in
abstraction does.
While I follow your thesis here, I would also point out that the reason
that a lot of C programmers roll their eyes when folks start talking about
abstraction is that generally increases code size and overhead. Those two
mandates (get out of my way, but don't let me make mistakes) are tough to
achieve at the same time. People want the features they find in scripting
languages (no memory management, no hassling with pointers) but they don't
want to pay for them. It's a matter of debate among experts as to how much
fat abstraction adds, or the value of the abstraction itself but it's the
primary reason why many C coders are dubious of too much abstraction. C,
in my opinion balances the two in one of the least-ugly ways (not that
it's all that glamorous, it just works). Those on the "maximum
abstraction" bus have already arrived at their stop in C++ land or have
moved on to RubyTown etc... (not slamming them, just saying - I do C++
too).
I stick with C because I don't want (much) more abstraction than it offers
for the applications I write or maintain.
I like Professor Benjamin Pierce's way of putting
it: "Mechanical checks
of simple properties enormously improve software quality."
Well, I definitely agree with this in general. The question again is how
much are you willing to spend to get them done? There is always the guy
who will say "Oh gawd we have 6Ghz machines with 4TB of RAM now. Who
cares." That will always be followed by the person who says "Wait, I still
do embedded code on a Z80 with 4k of RAM!" One thing that I'd point out
about C is that once you learn it, you can do both (some would say poorly,
but not me).
The virulence, level, and number, change. Just think
of the change in
the nature and frequency of mechanically missed bugs going between:
assembler to C; C to Java; Java to Haskell; etc.
True.
However, when I look at http://benchmarksgame.alioth.debian.org/ and other
such comparisons, and compare those languages doing real work I can see
what the cost is to do so. Maybe some would assert that all this safety
can come for free. My response to that would be "Excellent. Please write
us all a new compiler, then." For the record, I do know about things like
gcc-ssp, propolice, stackguard, etc.. I've used most of those where
needed.
I'd rather be dealing with only the bugs that get
through that sieve,
than deal with malloc/free bullshit or buffer overflows in C.
I write quite a bit of C. I don't claim for a second to be "good"
('cause
I've met people who are *really* good). In my experience there are several
things that you can bring to bear which will result in you hardly every
chasing pointers or malloc() issues. Here's what I do to help myself (BTW,
I'm sure you are all better coders. I'm just sharing my experience):
1. Early on I wrote myself a reference counter. There are all kinds of
easy ways to do this. Then you can catch yourself when you use a null
reference or let a loop run off the edge of a cliff. Once you feel
comfy, remove the #include'd wrappers. I've done the same thing using
LD_PRELOAD mechanisms to preempt things like malloc().
2. When in doubt I've used tools like ElectricFence and Valgrind to also
aid greatly in finding problems that might lead to buffer overflows or
string format exploits. I also use tools like "rats" to hunt down bugs.
3. I started getting burned enough that I simply figured out what kind of
design patterns I was using that got me into trouble. Once I applied
myself to stopping that behavior, the issues I was having with memory
shell games basically went away.
4. Kind of along with the philosophy you are talking about (perhaps) I do
check the livin' snot out of everything I get back from
non-deterministic operations. Some of these are just using my knowledge
of the code's actual logic path to do the checks at the *exact* spot
they are needed without some compiler trying to out-guess me or check
absolutely everything.
YMMV, but that's how I live with my dirty C programming self. :-)
Productivity, security, reliability, correctness all
demand that we wipe
out as many tiers of bug as we can, with better/more high level tools...
imho of course...
That's what I hear from folks who love Haskell and Erlang. As I'm sure you
know, those languages have some really interesting properties similar to
the kind of philosophy.
You guys are going to be the type of people who move the whole industry
forward as you push innovative (or maybe old & innovative) ideas. Guys
like me just try to get the code done as fast as possible before our jobs
get offshored to India. :-/
-Swift
28 Apr
28 Apr
3:52 p.m.
New subject: Abstraction levels and tool evolution, versus bugs - Re: strangest systems I've sent email from
On 4/27/2016 4:50 PM, Swift Griggs wrote:
On Wed, 27 Apr 2016, Toby Thain wrote:
I stick with C because I don't want (much) more
abstraction than it offers
for the applications I write or maintain.
How ever hardware design is still knowledge needed, with all the strange
Caches and logic flow in the new cpu's to have decent optimization in
the source language.
Ben.
27 Apr
27 Apr
5:14 p.m.
New subject: Abstraction levels and tool evolution, versus bugs - Re: strangest systems I've sent email from
On Apr 27, 2016, at 6:14 PM, Toby Thain <toby at
telegraphics.com.au> wrote:
Modern languages can indeed wipe out large classes of bugs (including many of those that
lead to vulnerabilities). But *every* advance in abstraction does.
I like Professor Benjamin Pierce's way of putting it: "Mechanical checks of
simple properties enormously improve software quality."
This has been called for, with little traction, for a very long time; one of my favourite
calls is by Professor Per Brinch Hansen, recipient of IEEE Computer Pioneer Medal, in
1972:
"I expect to see many protection rules in future operating systems...enforced
by...type checking at compile time."
-- he assuredly did not have C in mind.
Probably not Ada either, but among languages that are in current use that one is probably
the best by this measure.
BTW, it's not so much "modern" as "well designed". How to design
languages that facilitate correct programs was well understood by around 1970. There have
been some additions since then, but a lot of the right answers can be found in ALGOL (and
a lot of wrong answers can be found in the work of those who ignored ALGOL).
paul
28 Apr
28 Apr
6:40 a.m.
On 27 April 2016 at 20:50, Noel Chiappa <jnc at mercury.lcs.mit.edu> wrote:
Thank you!
The JS line is the one that's attracting particularly harsh criticism
on FB, incidentally.
Yes, so I've heard.
But the thing, the big thing, is that computers aren't organisms.
We can study dinosaurs and work out what they were good and bad at,
but Jurassic Park will never happen. Absent time machines, we cannot
bring them back.
But we could build new computers using the lessons of the past.
But nobody much is doing it.
--
Liam Proven ? Profile: http://lproven.livejournal.com/profile
Email: lproven at cix.co.uk ? GMail/G+/Twitter/Flickr/Facebook: lproven
MSN: lproven at hotmail.com ? Skype/AIM/Yahoo/LinkedIn: liamproven
Cell/Mobiles: +44 7939-087884 (UK) ? +420 702 829 053 (?R)
From: Liam
Proven
There's the not-remotely-safe kinda-sorta C
in a web browser,
Javascript.
Love the rant, which I mostly agree with (_especially_ that one). A couple of
comments:
I have and will read up on this before I comment.
So they still have C like holes and there are
frequent patches and
updates to try to make them able to retain some water for a short time,
while the "cyber criminals" make hundreds of millions.
It's not clear to me that a 'better language' is going to get rid of that,
because there will always be bugs (and the bigger the application, and the
more it gets changed, the more there will be). The vibe I get from my
knowledge of security is that it takes a secure OS, running on hardware that
enforces security, to really fix the problem. (Google "Roger Schell".) The Lisp
Machines and Smalltalk boxes lost the workstation war. Unix
won, and as history is written by the victors
Custom hardware for running LISP lost (not sure about Smalltalk, don't know
much about it), I am quite sure, mostly because 'mainstream' CPUs got so much
faster/cheaper, because of the volume. I saw this happening in the AI Lab at
MIT: when you could run LISP on a workstation with a vanilla CPU much faster
than a specialized LISP processor, that's all she wrote. (That effect killed
all sorts of things, not just LISP machines, of course.)
2942
days inactive
2943
days old
7 comments
7 participants
participants (7)
-
bfranchuk@jetnet.ab.ca -
jnc@mercury.lcs.mit.edu -
lproven@gmail.com -
paulkoning@comcast.net -
spc@conman.org -
swiftgriggs@gmail.com -
toby@telegraphics.com.au