Programming language, Secure Programming Languages?

Secure Programming Languages?

Author	Message
grymo.. #1 / 11	Secure Programming Languages? I'm a research scientist, and I'd like to get more information about secure programming languages. Besides Java, what other languages are there? Will the Java language be extended to provide finer-gained control over security? If so, how? Is there any documentation? I'd appreciate any pointers. Thanks. Sent via Deja.com http://www.--*.com/ Share what you know. Learn what you don't.
Sun, 27 Jan 2002 03:00:00 GMT

Kent Perrie #2 / 11	Secure Programming Languages? Quote: > I'm a research scientist, and I'd like to get more information > about secure programming languages. All programming languages are secure, in and of themselves. It all depends on how the program is written and where it is ran that makes is secure or not. Kent
Sun, 27 Jan 2002 03:00:00 GMT

Jesse Sing #3 / 11	Secure Programming Languages? Quote: > > I'm a research scientist, and I'd like to get more information > > about secure programming languages. >For a nice article try Secure UNIX Programming FAQ you can get it at http://www.whitefang.com/sup/ Good article describing what you can do to program in a secure format.
Sun, 27 Jan 2002 03:00:00 GMT

Gregory Edigaro #4 / 11	Secure Programming Languages? : I'm a research scientist, and I'd like to get more information : about secure programming languages. : Besides Java, what other languages are there? : Will the Java language be extended to provide finer-gained : control over security? If so, how? Is there any documentation? I think ALL the computer languages are secure. Insecureness usually comes from developers. -- With best regards, Gregory Edigarov
Mon, 28 Jan 2002 03:00:00 GMT

Tom Moo #5 / 11	Secure Programming Languages? There is an IBM researach language "Hermes" by Robert E. Strom (ISBN 0-13-389537-8) which might qualify.
Tue, 29 Jan 2002 03:00:00 GMT

Jeremy H. Bro #6 / 11	Secure Programming Languages? Check out JFlow; there's a paper at: http://www.pmg.lcs.mit.edu/papers/popl99/myers-popl99.ps.gz and the research project that produced it is at: http://www.lcs.mit.edu/research/projects/project?name=9935 I'm not sure if JFlow has been released, or merely written about, but perhaps it's what's being looked for. Here's a paragraph from the target of the second URL above: ------------------------------------ The new language _JFlow_ (an extension to Java) allows programs to be statically checked for information leaks by an extended Java compiler. In JFlow, variables and objects are annotated with statically-checked dissemination labels. These labels often can be automatically inferred, so annotating programs is not onerous. An explicit form of declassification provides a safe escape hatch when the amount of information leaked is acceptable to the programmer. Safe dynamic checks also may be used when static checks are insufficient. There is little code space, data space, or run time overhead, because most checking is performed statically. ------------------------------------ Jeremy
Tue, 29 Jan 2002 03:00:00 GMT

Andrew Cook #7 / 11	Secure Programming Languages? Coming into this thread late from comp.lang.misc.... I don't know quite what you mean by secure, but wth Java you have no control over memory allocation, so it's not clear that memory allocated to Strings with important info (passwords) are over-written before being freed. I'd appreciate work-arounds for this (the only soln I can see is C code implementing some kind of secure string class). I suspect only Ada has built-in support for clearing freed memory. Andrew Quote: > Check out JFlow; there's a paper at: > http://www.pmg.lcs.mit.edu/papers/popl99/myers-popl99.ps.gz > and the research project that produced it is at: > http://www.lcs.mit.edu/research/projects/project?name=9935 > I'm not sure if JFlow has been released, or merely written about, but > perhaps it's what's being looked for. > Here's a paragraph from the target of the second URL above: > ------------------------------------ > The new language _JFlow_ (an extension to Java) allows programs to be > statically checked for information leaks by an extended Java > compiler. In JFlow, variables and objects are annotated with > statically-checked dissemination labels. These labels often can be > automatically inferred, so annotating programs is not onerous. An > explicit form of declassification provides a safe escape hatch when > the amount of information leaked is acceptable to the programmer. > Safe dynamic checks also may be used when static checks are > insufficient. There is little code space, data space, or run time > overhead, because most checking is performed statically. > ------------------------------------ > Jeremy Sent via Deja.com http://www.deja.com/ Share what you know. Learn what you don't.
Fri, 08 Feb 2002 03:00:00 GMT

Phil Edward #8 / 11	Secure Programming Languages? Quote: > Coming into this thread late from comp.lang.misc.... And even later from comp.security.unix.... :-) Quote: > I don't know quite what you mean by secure, but wth Java you have no > control over memory allocation, so it's not clear that memory allocated > to Strings with important info (passwords) are over-written before being > freed. I'd appreciate work-arounds for this (the only soln I can see is > C code implementing some kind of secure string class). I suspect only > Ada has built-in support for clearing freed memory. More or less, yeah. I've seen a malloc library where the implementation of free() did a memset(the_memory, 0, size_of_memory) before putting the_memory back onto the free list. Adding -lwhateveritwas to the link line transparently added support for clearing memory to the C code. I tend to agree with Dr. Stroustrup's comment, "I assume that any competent programmer can get around any rule not explicitly enforced by hardware," so as far as preventing code from Doing {filter} Things To Memory, IMHO the programming language is the wrong place to look. Clearing sensistive information from deallocated memory, of course, is another matter. -- Targeting & Attack Radar UFOs are real. Air Force Research Labs The Air Force Senior Systems Administrator doesn't exist. Sent via Deja.com http://www.--*.com/ Share what you know. Learn what you don't.
Fri, 08 Feb 2002 03:00:00 GMT

Bernd Eckenfel #9 / 11	Secure Programming Languages? Quote: > I don't know quite what you mean by secure, but wth Java you have no > control over memory allocation, so it's not clear that memory allocated > to Strings with important info (passwords) are over-written before being > freed. I'd appreciate work-arounds for this (the only soln I can see is > C code implementing some kind of secure string class). I suspect only > Ada has built-in support for clearing freed memory. This depends on what you consider secure. From the Java Sendbox Standbpoint this is a non-issue, since you can never access this non-cleared area. Dont forget, there are no pointers in java. A problem is of course clearing an object you dont know how many objects have a reference too. But this can a) be ignored since if you dont trust the reference holder you can trust them not to make copies and b) you can use StringBuffers instead. What is realy needed is "tainting" Greetings Bernd
Sat, 09 Feb 2002 03:00:00 GMT

Andrew Cook #10 / 11	Secure Programming Languages? The problem I had in mind was one where an application is started with a password that is used (say to initialise a special piece of hardware). A malicious intruder might gain access to the computer and could possibly recover the password (eg from paged memory on the disk). With control over memory I would be able to wipe the memory where the password was stored once it had been used... I admit, it's obscure, but its connected with a real-life problem (but I would be happy to be corrected!). Andrew Quote: > In comp.security.unix Andrew Cooke > > I don't know quite what you mean by secure, but wth Java you have no > > control over memory allocation, so it's not clear that memory allocated > > to Strings with important info (passwords) are over-written before being > > freed. I'd appreciate work-arounds for this (the only soln I can see is > > C code implementing some kind of secure string class). I suspect only > > Ada has built-in support for clearing freed memory. > This depends on what you consider secure. From the Java Sendbox Standbpoint > this is a non-issue, since you can never access this non-cleared area. Dont > forget, there are no pointers in java. > A problem is of course clearing an object you dont know how many objects > have a reference too. But this can a) be ignored since if you dont trust the > reference holder you can trust them not to make copies and b) you can use > StringBuffers instead. > What is realy needed is "tainting" > Greetings > Bernd Sent via Deja.com http://www.deja.com/ Share what you know. Learn what you don't.
Tue, 12 Feb 2002 03:00:00 GMT

Page 1 of 1

[ 11 post ]