Secure Coding mailing list archives

BSIMM: Confessions of a Software Security Alchemist (informIT)


From: ljknews at mac.com (ljknews)
Date: Wed, 25 Mar 2009 13:18:48 -0400

At 11:42 AM -0400 3/25/09, Gary McGraw wrote:

The code/data mix is certainly a problem.  Also a problem
is the way stacks grow on many particular machines, especially
with common C/C++ compilers.  You noted a Burroughs where
things were done better.  There are many others.  C is
usually just a sloppy mess by default.

Language choice can sometimes make up for bad machine
architecture, but ultimately at some level of computational
abstraction they come to be the same thing.  You may recall
that I am a scheme guy.  TI made a scheme machine that never
caught on some years back (around the same time as the LISP
machine...like emacs only even more bindings at least on the
Symbolics <http://en.wikipedia.org/wiki/Lisp_machine>).
Those machines had a fundamentally different architecture
at the processor level.

Even with Ada (my favorite) it is _possible_ to violate type
safety.  But it requires using a construct for which managers
can trivially scan the source code.  And there are few cases
where it is _impossible_ to program in a type-safe manner.

C++ has an escape from type safety a bit harder to scan for -
dropping into C.

To determine the difference in the effective type safety of
two languages, consider the likelihood that the _average_
programmer is going to violate type safety.  You cannot
manage to hire programmers exclusively from Lake Wobegon*.

Worry about enforcement by the hardware architecture after
you have squeezed out all errors that can be addressed by
software techniques.
-- 
Larry Kilgallen
* For non-US readers, Lake Wobegon is an imaginary
  community where all the school children are above
  average.
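The source scan Larry alludes to (a construct "managers can trivially scan the source code" for), written out as an added example that is not part of this thread: a small Python scanner run over two constructed source fragments. Which Ada constructs count (Unchecked_Conversion, 'Unchecked_Access, 'Address overlays) and which C++ constructs stand in for "dropping into C" are my assumptions, not a list from the message.

```python
import re
from typing import Dict, List, Tuple

# Source-level escape hatches from type safety, by language. The Ada names are
# the language's own (Ada.Unchecked_Conversion and friends); the C++ list is an
# assumption about what "dropping into C" looks like in practice.
ESCAPE_HATCHES: Dict[str, List[Tuple[str, str]]] = {
    "ada": [
        ("Unchecked_Conversion", r"\bUnchecked_Conversion\b"),
        ("Unchecked_Access", r"'Unchecked_Access\b"),
        ("Address overlay", r"\bfor\s+\w+'Address\s+use\b"),
    ],
    "cpp": [
        ("reinterpret_cast", r"\breinterpret_cast\b"),
        ('extern "C"', r'\bextern\s+"C"'),
        ("C-style void* cast", r"\(\s*void\s*\*\s*\)"),
    ],
}

def scan_source(text: str, language: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, construct, line_text) for every escape hatch found.
    Ada '--' and C++ '//' line comments are stripped first, so a comment that
    merely mentions a construct is not reported."""
    comment = re.compile(r"--.*$" if language == "ada" else r"//.*$")
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = comment.sub("", raw)
        for name, pattern in ESCAPE_HATCHES[language]:
            if re.search(pattern, line):
                findings.append((lineno, name, raw.strip()))
    return findings

# Constructed sample inputs (not real project code).
ADA_SAMPLE = """with Ada.Unchecked_Conversion;
procedure Demo is
   type Word is mod 2**32;
   type Flags is array (0 .. 31) of Boolean;
   pragma Pack (Flags);
   -- Unchecked_Conversion is only named in this comment
   function To_Flags is new Ada.Unchecked_Conversion (Word, Flags);
   F : Flags := To_Flags (16#FF#);
begin
   null;
end Demo;
"""
CPP_SAMPLE = """#include <cstdint>
extern "C" {
  void legacy_fill(void *buf, unsigned len);
}
// reinterpret_cast is only named in this comment
void use(std::uint64_t *p) {
  auto bytes = reinterpret_cast<unsigned char *>(p);
  legacy_fill((void *)bytes, 8);
}
"""
```

Running scan_source on the two samples flags lines 1 and 7 of the Ada fragment and lines 2, 7 and 8 of the C++ fragment, while the comment lines that name the constructs are ignored.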

