Re: Expanding the list of "Hardened Packages"

 



On 04/15/2013 08:17 PM, Miloslav Trmač wrote:
> Sure, moving away from C/C++ does not make programs completely secure;
> however, on average, C/C++ programs are noticeably less secure (because
> most vulnerabilities that can happen in higher-level languages can also
> happen in C, but not the other way around).

To illustrate this point, here's a fairly concrete example: If you have got a program that is written in a memory-safe language which also provides some form of encapsulation, it is possible to demonstrate convincingly (*) that a software module which provides an encryption/decryption service never leaks the key material. If there is no memory safety, other code in the program could peek at the key bits, and encapsulation is no longer guaranteed. What should be a local property of the module now turns into a global property of the program, making review more difficult.

(*) As soon as cryptography is involved, mathematically rigorous results are the exception.

--
Florian Weimer / Red Hat Product Security Team
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
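
The encapsulation point made in the message above, shown as an added C example that is not part of the original post: the module hands out only an opaque handle, yet code elsewhere in the same program can copy the key out of it without calling any module function. The `cipher_*` names, the sample key and the XOR transform are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Module interface: callers get an opaque handle, never the key. */
typedef struct cipher cipher;
cipher *cipher_new(const uint8_t key[16]);
void cipher_apply(const cipher *c, uint8_t *buf, size_t len);
void cipher_free(cipher *c);

/* Module implementation (would normally live in its own .c file). */
struct cipher { uint8_t key[16]; };

cipher *cipher_new(const uint8_t key[16]) {
    cipher *c = malloc(sizeof *c);
    if (c) memcpy(c->key, key, sizeof c->key);
    return c;
}

/* Toy XOR transform standing in for a real cipher; not secure. */
void cipher_apply(const cipher *c, uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) buf[i] ^= c->key[i % sizeof c->key];
}

void cipher_free(cipher *c) {
    if (!c) return;
    volatile uint8_t *p = c->key;            /* wipe before release */
    for (size_t i = 0; i < sizeof c->key; i++) p[i] = 0;
    free(c);
}

/* Constructed sample key (15 characters plus NUL), demonstration only. */
static const uint8_t SAMPLE_KEY[16] = "constructed-key";

/* Code elsewhere in the program: it holds only the opaque handle, yet C
 * lets it copy the object's bytes. Returns 1 if those bytes are the key. */
int other_code_sees_key(void) {
    cipher *c = cipher_new(SAMPLE_KEY);
    if (!c) return -1;
    uint8_t peek[16];
    memcpy(peek, c, sizeof peek);            /* no module function involved */
    int same = memcmp(peek, SAMPLE_KEY, sizeof peek) == 0;
    cipher_free(c);
    return same;
}

int main(void) {
    printf("key visible outside module: %d\n", other_code_sees_key());
}
```

Reviewing the three `cipher_*` functions alone would suggest the key never leaves the module; establishing that for the whole program means reviewing every piece of code that can reach the handle.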




