Are they using the right technology?

Posted May 23, 2012 22:13 UTC (Wed) by khim (subscriber, #9252)
In reply to: Are they using the right technology? by hp
Parent article: A Tale of Two Pwnies (Part 1)

The higher-level languages all abstract these things away too much, or don't expose them at all, so you wouldn't have enough control to do what Chrome does.

The reality is even worse. All such high-level supersafe languages are either slow as molasses or have a huge core with JITs and other PhD-worthy components which in practice end up even less secure than Chrome.

Don't forget that the number one attack vector is not even MSIE nowadays, but the JRE plugin, and the second one is Adobe's Flash (which supposedly uses 100% safe ActionScript). Talk about safe languages :-)

Are they using the right technology?

Posted May 23, 2012 23:19 UTC (Wed) by dashesy (subscriber, #74652)

I always learn from good comments like this. I should bookmark this; I think it will come in handy, thanks.

Are they using the right technology?

Posted May 24, 2012 0:17 UTC (Thu) by nix (subscriber, #2304)

The key here is that translators, optimizers, and language runtimes are all very complex beasts -- more complex than almost anything else written in them (other than some scientific code, I suppose). Since complexity brings insecurity, any translator designed to accept arbitrary code from potentially malicious sources is going to be a source of insecurity in and of itself, before you start considering the security properties of the languages it translates to or from.

Are they using the right technology?

Posted May 24, 2012 16:47 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)

That's why there is interest in pushing type safety down to assembly with TALs (typed assembly languages). It'll help to eliminate most of the 'buffer overflow' type bugs.

And TAL checkers are fairly simple and small, so they can be thoroughly audited.
