[171049] in North American Network Operators' Group
Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]
daemon@ATHENA.MIT.EDU (Barry Shein)
Wed Apr 16 23:02:30 2014
From: Barry Shein <bzs@world.std.com>
Date: Wed, 16 Apr 2014 23:01:33 -0400
To: Jason Iannone <jason.iannone@gmail.com>
In-Reply-To: <CAGL1wDRb8cmfDwouRkL9Fj0j1axqusqjFhbiyx_1-u4dyn_+Xg@mail.gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On April 16, 2014 at 15:34 jason.iannone@gmail.com (Jason Iannone) wrote:
> I can't cite chapter and verse but I seem to remember this zeroing
> problem was solved decades ago by just introducing a bit which said
> this chunk of memory or disk is new (to this process) and not zeroed
> but if there's any attempt to actually access it then read it back as
> if it were filled with zeros, or alternatively zero it.
Those were my words.
I was talking about kernel memory/disk management.
And then Jason Iannone...
> Isn't that a result of the language? Low level languages give that
> power to the author rather than assuming any responsibility. Hacker
> News had a fairly in-depth discussion regarding the nature of C with
> some convincing opinions as to why it's not exactly the right tool to
> build this sort of system with. The gist, forcing the author of a
> monster like OpenSSL to manage memory is a problem.
This is a potentially huge discussion with many dimensions.
A library like openssl is intended to fit into a huge software
ecosystem much of which is already written in C.
Writing it in another language (other than perhaps C++) would require
a cross-language API or similar (e.g., IPC) which introduces other
issues.
So, oftentimes you use a three-prong plug because you are faced with
three-prong receptacles and rebuilding the entire building to a new
standard just isn't practical even if you believe the result presents
a potential shock hazard.
And, if I may editorialize, there's a reason most of that ecosystem is
built in C, it's not only legacy. Other languages have their own
shortcomings, you can't just consider one aspect.
--
-Barry Shein
The World | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
