Re^4: Attack on Perl or Perl's need better PR (again)

Security is not a language issue for the same reason that it is not a checkbox that you can put on a feature list.

Security is a process. Many things that help security can become language features. You've mentioned memory management. You go on to mention some of the benefits of capability designs. But even if you have all of those, you don't necessarily have any security.

In this case the fundamental problem was addressed in part 5 of Dan Berstein's description of what he did to make qmail secure. Don't parse!

The Perl bug that the webmin discussion uncovered was due to how Perl parses printf strings. SQL injection attacks are due to Perl programmers unsafely constructing SQL for a database to parse. In short any interface where one side sends formatted text for the other side to parse and do something with is a complex interface that is very vulnerable to bugs if the one side allows slightly wrong data across that interface. And bugs properly exploited lead to security holes.

Capability systems do not change this fundamental fact. What they are better at is making it more difficult to escalate bugs into serious security violations. That is not completely true. It is possible to take a capability system and build an insecure piece of software. If you want, you have the tools to do it right. But having good tools does not guarantee success. As an example I'll point out that one can build a POSIX subsystem out of a capability-based system, use that to port standard Unix software, and then despite your capability based roots you're back to the normal Unix situation. Admittedly only for the data that is in the POSIX subsystem, but if that is the data that you care about, that is a cold comfort.

So one message that you could walk away from this with is that any language that really cares about security should avoid parsing. However if you're going to interact with existing systems, you're quickly going to find yourself having to interact with existing interfaces that are text-based. For instance databases, email, HTTP, and flatfiles. So the natural APIs to build will involve parsing. And that isn't a question of the language that you're using - it is about the legacy systems that you're interacting with.

Now you can build wrappers around those APIs to avoid parsing. People do - for instance they use Class::DBI instead of writing SQL. (A major issue with this kind of thing is that you can then only access features that the API has exposed. If you need more sophistication, then you need to go to the underlying API...) People can also find options to make the parsing interface simpler - for instance using placeholders instead of dynamically constructing SQL. However at some point you have to accept that there is a programmer responsibility to understand the issue and do things right.

Perl offers tools, eg taint mode, to make it easier to do things right. Perl could do more. But no matter what, some of the responsibility must belong to the programmer.

Comment on Re^4: Attack on Perl or Perl's need better PR (again)

Replies are listed 'Best First'.
Re^5: Attack on Perl or Perl's need better PR (again) by Anonymous Monk on Dec 01, 2005 at 19:02 UTC
If you are making the point that human made creations will never be perfect, I'm in 100% agreement. But with some (minor? major? moderate?) effort we could reduce the incidence and severity of bugs by factors of thousands if not millions. In my view, that seems like a goal worth striving for. Along with capabilities, and memory management, we can employ better testing strategies and static typing and other lightweight formal methods. Here, I'll mention some of Les Hatton's publications. I'm only railing against the notion that we're already doing a good job at security. We're not. We need all the help we can get. And better languages will make it a lot easier.	[reply]
Re^5: Attack on Perl or Perl's need better PR (again) by Anonymous Monk on Dec 01, 2005 at 19:30 UTC
Let's do a little rewording... Concurrency is not a language issue for the same reason that it is not a checkbox that you can put on a feature list. Correctly implementing concurrent program is a process. Many things that help concurrency can become language features. Would you agree? I for one disagree. Shared state parallelism (threads) is a huge bucket of worms. Humans really aren't smart enough to use it correctly. What we need are new languages to help us manage concurrency. Erlang and Oz spring to mind. To my mind problems like that scream out language issue. Same goes for security.	[reply]
Re^6: Attack on Perl or Perl's need better PR (again) by tilly (Archbishop) on Dec 02, 2005 at 02:06 UTC
I interpreted "language issue" to mean "something that you solve at the language level", in which case both statements are correct. Apparently you interpret "language issue" to mean "something that you can address at the language level", in which case both statements are absurd. What I meant should have been clarified by my second paragraph.	[reply]
Re^6: Attack on Perl or Perl's need better PR (again) by dragonchild (Archbishop) on Dec 01, 2005 at 19:54 UTC
If you assume that concurrency and security are equivalent issues, then you're absolutely correct. Except, they're not. It's easy to demonstrate - concurrency can cause security issues. Security cannot cause concurrency issues. QED My criteria for good software: Does it work? Can someone else come in, make a change, and be reasonably certain no bugs were introduced?	[reply]
Re^7: Attack on Perl or Perl's need better PR (again) by Anonymous Monk on Dec 01, 2005 at 20:25 UTC
That was called an analogy. YMMV.	[reply]
Re^8: Attack on Perl or Perl's need better PR (again) by dragonchild (Archbishop) on Dec 01, 2005 at 20:29 UTC
Re^9: Attack on Perl or Perl's need better PR (again) by Anonymous Monk on Dec 01, 2005 at 20:59 UTC
Some notes below your chosen depth have not been shown here


Just another Perl shrine
	PerlMonks