[148815] in cryptography@c2.net mail archive

Re: [Cryptography] how reliably do audits spot backdoors?

daemon@ATHENA.MIT.EDU (Jonathan Thornburg)
Sat Dec 28 20:18:10 2013

X-Original-To: cryptography@metzdowd.com
Date: Sat, 28 Dec 2013 15:16:30 -0800 (PST)
From: Jonathan Thornburg <jthorn@astro.indiana.edu>
To: cryptography@metzdowd.com
In-Reply-To: <8C8AABDF-7093-436C-983C-A2B57E7E5355@lrw.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Sat, 28 Dec 2013, Jerry Leichter wrote:
> It really depends on what you're doing.  Java only *appears* to
> do it all for you; while you can't get the traditional memory leak
> (memory to which no accessible pointers exist), you can easily build
> up piles of guck that's pointed to by hash table entries you forgot
> to clean up, for example.  And the GC doesn't help you with non-memory
> resources.  [[...]]

A related point, which seems relevant in view of the recent thread on
whether all-integer-arithmetic-modulo-2^N is (paraphrasing) "logical"
or "evil":

In C, signed-integer size and overflow semantics are a "quality of
implementation" issue, i.e., a C compiler is allowed-but-not-required
to trap signed integer overflow.  E.g., gcc supports the '-ftrapv'
option which generates traps for signed overflow on addition, subtraction,
and multiplication operations.  C unsigned integers have (guaranteed)
modulo-2^N arithmetic semantics.

In Java, ONLY 32-bit signed integers are available; there are NO unsigned
integers and no 64-bit (or other-length) integers available.  Moreover,
integer overflow checking is forbidden, i.e., if you take i = 2147483647
and add one to it, the result is REQUIRED to be -2147483648.

In C++, native integers are the same as C, but the language permits one
to define (say) an integer-with-guaranteed-overflow-checking class; other
code can then rely on overflows being caught.

-- 
-- "Jonathan Thornburg [remove -animal to reply]" <jthorn@astro.indiana-zebra.edu>
   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   "There was of course no way of knowing whether you were being watched
    at any given moment.  How often, or on what system, the Thought Police
    plugged in on any individual wire was guesswork.  It was even conceivable
    that they watched everybody all the time."  -- George Orwell, "1984"
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
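
The integer-with-guaranteed-overflow-checking class mentioned in the message's last paragraph, as an added example that is not part of the original post or the thread. The names CheckedInt and overflows are hypothetical, and a 32-bit value type is assumed.

```cpp
#include <cstdint>
#include <limits>
#include <stdexcept>

// Hypothetical class: a 32-bit signed integer whose +, - and * throw
// std::overflow_error instead of overflowing.
class CheckedInt {
    std::int32_t v_;
    static constexpr std::int32_t kMax = std::numeric_limits<std::int32_t>::max();
    static constexpr std::int32_t kMin = std::numeric_limits<std::int32_t>::min();
public:
    constexpr CheckedInt(std::int32_t v = 0) : v_(v) {}
    constexpr std::int32_t value() const { return v_; }

    friend CheckedInt operator+(CheckedInt a, CheckedInt b) {
        // Compare against the limits first, so the overflowing add never runs.
        if ((b.v_ > 0 && a.v_ > kMax - b.v_) || (b.v_ < 0 && a.v_ < kMin - b.v_))
            throw std::overflow_error("CheckedInt: addition overflow");
        return CheckedInt(a.v_ + b.v_);
    }
    friend CheckedInt operator-(CheckedInt a, CheckedInt b) {
        if ((b.v_ < 0 && a.v_ > kMax + b.v_) || (b.v_ > 0 && a.v_ < kMin + b.v_))
            throw std::overflow_error("CheckedInt: subtraction overflow");
        return CheckedInt(a.v_ - b.v_);
    }
    friend CheckedInt operator*(CheckedInt a, CheckedInt b) {
        // Widen to 64 bits: the product of two 32-bit values always fits.
        std::int64_t wide = static_cast<std::int64_t>(a.v_) * b.v_;
        if (wide > kMax || wide < kMin)
            throw std::overflow_error("CheckedInt: multiplication overflow");
        return CheckedInt(static_cast<std::int32_t>(wide));
    }
};

// Hypothetical helper: true if calling op() raised std::overflow_error.
template <typename F>
bool overflows(F op) {
    try { op(); } catch (const std::overflow_error&) { return true; }
    return false;
}

int main() {
    // 2147483647 + 1 is caught rather than wrapping to -2147483648.
    bool caught = overflows([] { (void)(CheckedInt(2147483647) + CheckedInt(1)); });
    return caught ? 0 : 1;
}
```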
