Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 12 Oct 2014 14:21:14 +0100
From: John Haxby <john.haxby@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Re: Thoughts on Shellshock and beyond


On 12 Oct 2014, at 12:24, Florian Weimer <fw@...eb.enyo.de> wrote:

> I don't think Haskell is a magic bullet.  I do think type-rich
> languages (and languages with memory safety) have a lot to offer, but
> writing secure software in them is still hard.

I’d definitely agree with that.

Recently I was dealing with a problem where a developer had gone to a lot of trouble to design and implement an insecure authentication mechanism.   He thought he was doing the right thing but he just couldn’t see the flaws in what he’d done.  

The problem wasn’t the choice of programming language (python, as it happens) it was simply that getting the design and implementation right hard even though it looks easy.   Haskell (or Ada or CLU) would not have helped; a mathematically rigorous approach to the problem would have helped a lot, but it would not have made it easy.  To paraphrase Gödel somewhat: any non-trivial system has is not provably secure.

jch

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.