[17095] in cryptography@c2.net mail archive
Re: Security is the bits you disable before you ship
daemon@ATHENA.MIT.EDU (Russell Nelson)
Sun Mar 20 12:08:46 2005
X-Original-To: cryptography@metzdowd.com
From: Russell Nelson <nelson@crynwr.com>
Date: Wed, 16 Mar 2005 11:05:57 -0500
To: cryptography@metzdowd.com
In-Reply-To: <20050315155956.E10B93BFEFC@berkshire.machshav.com>
Steven M. Bellovin writes:
> That's not new, either. I believe it was Tony Hoare who likened this
> to sailors doing shore drills with life preservers, but leaving them
> home when they went to sea. I think he said that in the 1970s; he said
> this in his Turing Award lecture:
>
> The first principle was security... A consequence of this
> principle is that every occurrence of every subscript of
> every subscripted variable was on every occasion checked
> at run time... I note with fear and horror that even in
> 1980, language designers and users have not learned this
> lesson.
This is true; however, I've seen Dan Bernstein (and you don't get much
more careful or paranoid about security than Dan) write code like
this:
static char line[999];
len = 0;
len += fmt_ulong(line + len,rp);
len += fmt_str(line + len," , ");
len += fmt_ulong(line + len,lp);
len += fmt_str(line + len,"\r\n");
Of course, the number of characters that fmt_ulong will insert is
limited by the number of bits in an unsigned long, and both strings
are of constant length.
--
--My blog is at blog.russnelson.com | The laws of physics cannot
Crynwr sells support for free software | PGPok | be legislated. Neither can
521 Pleasant Valley Rd. | +1 315-323-1241 cell | the laws of countries.
Potsdam, NY 13676-3213 | +1 212-202-2318 VOIP |
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
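The point of the quoted snippet is that the buffer size can be justified by a bound on what each formatter can emit, rather than by checking every subscript at run time. The following is an added example, not code from the post and not Bernstein's fmt library: the two formatters (hypothetical names my_fmt_ulong and my_fmt_str) are assumed to follow the convention the snippet relies on, returning the byte count they wrote and, when given a NULL destination, only reporting how many bytes they would write. That second property lets the caller compute the exact length of a particular line and also a compile-time worst case for the buffer.

```c
#include <assert.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Added example, not djb's code. my_fmt_* mimic the convention the post
   depends on: return the number of bytes produced, write no terminating NUL,
   and with dst == NULL only report the length without writing anything. */

/* Worst-case decimal digits in an unsigned long: 3 digits per 8 bits is a
   safe over-estimate because 2^8 = 256 < 1000. */
#define FMT_ULONG_MAX (sizeof(unsigned long) * 3)

static size_t my_fmt_ulong(char *dst, unsigned long u)
{
    size_t len = 1;
    unsigned long q = u;
    /* count digits first so the number can be written most-significant first */
    while (q > 9) { len++; q /= 10; }
    if (dst) {
        char *p = dst + len;
        do { *--p = (char)('0' + (u % 10)); u /= 10; } while (u);
    }
    return len;
}

static size_t my_fmt_str(char *dst, const char *s)
{
    size_t len = strlen(s);
    if (dst) memcpy(dst, s, len);
    return len;
}

/* Compile-time bound for "<number> , <number>\r\n" plus a NUL. */
#define SEP  " , "
#define CRLF "\r\n"
#define LINE_BOUND (2 * FMT_ULONG_MAX + (sizeof(SEP) - 1) + (sizeof(CRLF) - 1) + 1)

/* The post's static char line[999] is far larger than this bound on any
   current platform; what matters is that the bound is provable. */
static char line[LINE_BOUND];

/* Build "<rp> , <lp>\r\n" into `line`; return its length excluding the NUL. */
size_t build_line(unsigned long rp, unsigned long lp)
{
    size_t len = 0;
    /* dry run with NULL destinations: same call sequence, nothing written,
       yields the exact length this input needs */
    size_t need = my_fmt_ulong(NULL, rp) + my_fmt_str(NULL, SEP)
                + my_fmt_ulong(NULL, lp) + my_fmt_str(NULL, CRLF) + 1;
    assert(need <= sizeof line); /* true for every input, by construction */

    len += my_fmt_ulong(line + len, rp);
    len += my_fmt_str(line + len, SEP);
    len += my_fmt_ulong(line + len, lp);
    len += my_fmt_str(line + len, CRLF);
    line[len] = '\0';
    return len;
}

/* Accessor so callers (and tests) can read the formatted line. */
const char *line_text(void) { return line; }

int main(void)
{
    size_t n = build_line(ULONG_MAX, 0);
    printf("%zu bytes: %s", n, line);
    return 0;
}
```

The assert in build_line never fires; it documents that the same bound the buffer was sized from also holds for each concrete input, which is the argument the post makes for the 999-byte buffer.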