oss-sec mailing list archives
Re: Thoughts on Shellshock and beyond
From: John Haxby <john.haxby () oracle com>
Date: Sun, 12 Oct 2014 14:21:14 +0100
On 12 Oct 2014, at 12:24, Florian Weimer <fw () deneb enyo de> wrote:
> I don't think Haskell is a magic bullet. I do think type-rich languages (and languages with memory safety) have a lot to offer, but writing secure software in them is still hard.
I’d definitely agree with that. Recently I was dealing with a problem where a developer had gone to a lot of trouble to design and implement an insecure authentication mechanism. He thought he was doing the right thing but he just couldn’t see the flaws in what he’d done. The problem wasn’t the choice of programming language (Python, as it happens); it was simply that getting the design and implementation right is hard even though it looks easy.

Haskell (or Ada or CLU) would not have helped; a mathematically rigorous approach to the problem would have helped a lot, but it would not have made it easy. To paraphrase Gödel somewhat: any non-trivial system is not provably secure.

jch