Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

[Barry Shein <bzs () world std com>]

On April 16, 2014 at 15:34 jason.iannone () gmail com (Jason Iannone) wrote:
> I can't cite chapter and verse but I seem to remember this zeroing
> problem was solved decades ago by just introducing a bit which said
> this chunk of memory or disk is new (to this process) and not zeroed
> but if there's any attempt to actually access it then read it back as
> if it were filled with zeros, or alternatively zero it.

Those were my words.

I was talking about kernel memory/disk management.

And then Jason Iannone...
> Isn't that a result of the language?  Low level languages give that
> power to the author rather than assuming any responsibility.  Hacker
> News had a fairly in-depth discussion regarding the nature of C with
> some convincing opinions as to why it's not exactly the right tool to
> build this sort of system with.  The gist, forcing the author of a
> monster like OpenSSL to manage memory is a problem.

This is a potentially huge discussion with many dimensions.

A library like openssl is intended to fit into a huge software
ecosystem much of which is already written in C.

Writing it in another language (other than perhaps C++) would require
a cross-language API or similar (e.g., IPC) which introduces other
issues.

So, oftentimes you use a three-prong plug because you are faced with
three-prong receptacles and rebuilding the entire building to a new
standard just isn't practical even if you believe the result presents
a potential shock hazard.

And, if I may editorialize, there's a reason most of that ecosystem is
built in C, it's not only legacy. Other languages have their own
shortcomings, you can't just consider one aspect.

-- 
        -Barry Shein

The World              | bzs () TheWorld com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Dial-Up: US, PR, Canada
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*