Posts by fg_swe

Re: NSA wants more back-doors

As a side business I sell high performance tinfoil hats and specially for you I can give you a 70% discount. Just 300 Euros. Deal ?

Re: NSA ?

I suggest you fasten the tinfoil hat and randomly check the generated assembly code. I am quite sure you will find nothing nefarious, as other people would have found stuff before you and blew the whistle.

Explain

How can it be done "easily" using C++ in such a way that:

1.) Single-Threaded objects/data does not need mutexes and MT-safe ARC.

2.) Multithreaded objects/data is guaranteed to be mutex-protected or MT-safe.

I bet you cannot with the current C++ standard.

Indeed

1.) I worked on automotive software which is successfully used in hundreds of thousands of cars, some of which is ASIL D at max (maybe you use it in the power steering in your BMW, Tesla or Mercedes, maybe you use it in the VW Camper)

2.) Your experience at US aerospace companies validates my point that US aerospace projects are dangerous affairs. The V22 is just the tip of the iceberg. Below we can see F22 and 737MAX.

3.) I suggest you guys on the other side of the pond learn what V-Model development REALLY means. First and foremost, it is about honesty and about "reaping the low hanging fruit first". Have realistic Unit Tests, don't do something fox box-ticking, have realistic HIL tests. I bet your managers are cheating on all of it in the name of "financial performance".

3.2) Having said that, I also know German+other European managers who like to cheat, but apparently on average it is not as bad as in the U.S.

Really ?

How will the compiler force you to not use pointer arithmetics ?

How will the compiler check for accidentally shared thread-global objects and stop compiling ?

How will the compiler stop you from obtaining a pointer to a stack-allocated object and store the pointer somewhere in the heap ?

I am genuinely interested. And I do think Mr Stroustrup is not totally honest.

Also: Economics

GC-based runtimes typically consume twice the RAM of an equivalent C++ or Rust program. Each memory cell consumes power and generates heat. Some applications are constrained by power and heat dissipation. E.g. aerospace, satellites,...

Proper Engineering

If you want to see how proper R&D looks like, look how Suebi(with a bit of British help and an American Pilot) do it:

https://www.youtube.com/watch?v=AkdvKfiaEeg

Noone killed, and better performance( speed, payload, range) than ANYONE since 1970. Nobody comes close.

Re: FALSE

https://de.wikipedia.org/wiki/Eurofighter_Typhoon#Zwischenfälle

https://de.wikipedia.org/wiki/Lockheed_Martin_F-22#Zwischenfälle

"Im April 1992 stürzte der erste YF-22-Prototyp im Landeanflug auf „Edwards“ ab. Testpilot Tom Morgenfeld überstand den Absturz unverletzt. Untersuchungen ergaben, dass die Flugzeug-Software Pilot Induced Oscillations nicht oder nicht hinreichend entgegenwirkte.[133]"#

F22 control creates oscillations:

https://www.youtube.com/watch?v=mbQx89Eklm8

Gripen control algorithm issues:

https://www.youtube.com/watch?v=k6yVU_yYtEc

V22 has an own page for the 51 people it killed out of enemy action

https://en.wikipedia.org/wiki/Accidents_and_incidents_involving_the_V-22_Osprey

FALSE

Apparently you work in accounting, web programming or the like.

There exists software which is - for all practical purposes - perfect:

ABS Brakes

ASR

ESP

Airbus A320 and later Flight Control SW

JÄGER90 Flight Control SW

Space Shuttle Flight Control SW

If this software were not perfect, we would have seen spectacular crashes and dead people. We have seen that with GRIPEN, F22, V22, 737MAX, ARIANE V, but never with JÄGER90, A320, A330, A340, A380 or A400M.

And of course AIRBUS, BOSCH, Continental etc use much better software engineering processes than YOU have ever seen.

OK

So I should write "Sappeur nicely and easily integrates with C++".

Thanks

I find it very hard to reason with some fellow software engineers, who argue like religious nutcases. To them, only Total Purity is acceptable. Black and White.

Thanks for trying to explain to them that less-than-pure improvements can still be important improvements.

Re: JavaScript: Weak Typing

I have been the re-initiator* of the Memory Safe System Programming Idea at around 2009. Rust and Swift have been created after I showed Sappeur to Mozilla and Apple.

Now NSA agrees with me and I am happy. If you don not share my happiness, just go to a different discussion. Thanks.

*Standing on the shoulders of Hoare, Bauer, ICL, Burroughs, MIPM

Re: Misunderstanding

simply using

static std::string sharedString;

and then write-accessing sharedString from two threads will prolly destroy your heap integrity. In Sappeur this will either not compile, or the sharedString will be a "multithreaded" object and protected a mutex. And yes, you still need to use your brain and know what to do to achieve good performance.

Re: Self Hosting

A little bit of assembly level inspection would expose this.

Plenty of embedded sw organizations look at generated assembly, some even line by line source+assembly. Life critical aerospace control, for example.

Plus, there exist automatic protocols to.expose this technique, IF you have a single untainted compiler+os+machine.

Well

Sappeur is translated to C++ and allows you to directly call C or C++ wherever you need that.

Keyword inline_cpp

No need for complicated bindings.

Re: Well

The hackers will have 70% less opportunities. See CVE database.

Real Example

int Socket::send(&char buffer[],int count)

{

var int ret;

if(count>buffer.sz)

{

return -2;

}

inline_cpp[[

ret=0;

while(ret<count)

{

int ret2;

if( tlsConnection == NULL )

{

ret2 = ::send(_handle,buffer._array+ret,count-ret,0);

}

else

{

ret2 = tls_write(tlsConnection,buffer._array+ret,count-ret);

}

if(ret2<=0)

{

return -1;

}

ret=ret+ret2;

}

]]

return ret;

}

Exceptions From Rules

As much as the fire brigade can break rules of the road under pressing circumstances, low level software components will need to be excepted from memory safety.

As with the blue lights and the siren, this must be done in a controlled and careful fashion. Just because you have the siren blaring, does not mean you can run over a crossing. You (as a fire brigade driver) better go slow, check the traffic and then do the crossing.

If this is done correctly, the risks are controllable and acceptable. It does not mean there should be no rules of the road, because the police, fire brigade, red cross must break them then and now.

Well

Strongly typed, memory safe languages do what you say, in a strict fashion. The static checkers you mention are incomplete and heuristically driven.

AppArmor is a different approach; coarse-grained and treating the program as a black box. It makes sense to not mix up memory safety and sandboxing, for clarity of thinking.

No

My Sappeur compiler(coded in C++, but could be self-hosted one day) is far from perfect, but it has found lots of programming errors for me. The resulting code is empirically much more robust than equivalent C++. Much less "inexplicable" behaviour.

That is my experience, believe it or not.

Misunderstanding

Sappeur ENFORCES that multithreaded data structures are protected by Mutexes. In C++ you can easily create a thread-shared variable and forget the mutex to protect this variable. Nasty heap errors will likely result.

Self Hosting

Any Turing-complete language can be self-hosted. Whether that provides value, is not always clear.

There are plenty of self hosted compilers out there: Pascal, Algol, Ada, Modula2, ...

Re: The more things change

So you are posting from Kandahar ?

I suggest an explosion engine bicycle from Yamaha. Your warriors use them to great effect.

Re: Greetings

Apparently, he worked for BOTH NSA and NASA

https://blog.techno-z.at/larry-wall-i-can-do-better-i-know-how-to-write-a-computer-language/

Perl clearly is an NSA thing (agile extraction of needles from a haystack) as opposed to NASA (numerics).

Negotiate

"You can negotiate with a terrorist, but not with a computer guy".

Seriously, you should discover that there is more than just black and white. Real technology progress is about gradual change as opposed to ideological purity.

Re: http://sappeur.ddnss.de/Sappeur_Cyber_Security.pdf

Oh yeah, unsafe because not using 400Kloc of OpenSSL niceness ?

Re: Wrong

Boost cannot enforce type safety and especially does nothing to ensure MT memory safety.

Elaborate

how ?

Wrong

C++ does offer some mechanisms towards memory safety, such as smart pointers, operator[] overloading and RAII. BUT - all of this depends on software engineer self-discipline. AND - there is no multithreading race condition safety assurance in C++, whatsoever.

All of this can be achieved by a proper type system, runtime check code and (multithtreaded if needed) ARC.

http://sappeur.ddnss.de/

Multifaceted

I.T. Security has many aspects, one of which is Software Fault Isolation a.k.a. Memory Safety.

A single programming error should not open up the castle for an attacker.

That does not mean other aspects can be ignored.

It is called Computer Science, because it is not a trivial thing.

Re: Better compilers?

OCaml is a LISP variant, correct ?

So it can never achieve the efficiency and realtime capabiities of an imperative language ?

Greetings

I salute my computer science colleagues in Military Intelligence for supporting the trend towards Memory Safety.

Having invented a memory safe language

http://sappeur.ddnss.de/

myself, I am very pleased to be validated by this esteemed* computer science organization.

Memory Safety is the natural progression from firewalls to mandatory access control (SE Linux, AppArmor, sandboxing) to fine-grained Software Fault Isolation.

Applied computer science does have a big problem, which is a lack of practical security. Entire corporations have seen their computer networks destroyed by exploits which are based on a lack of C or C++ memory safety.

http://sappeur.ddnss.de/Sappeur_Cyber_Security.pdf

70% of CVE exploits are based on the lack of memory safety of real-world C and C++ programs. Let's plug this hole.

Let's rediscover the Algol Mainframes, Spark ADA, Modula-2, Oberon, MSFT's Singularity OS. Memory Safety is not a new idea, but it had been forgotten.

* see the Perl Language as an example of NSA inventions

Thank You

...for this reasonable and kind comment.

JavaScript: Weak Typing

JavaScript is in some ways memory-safe, but certainly not in the spirit of Rust or Sappeur. For example, JS records don't have a type. Each instance of record can contain other members. Or same named members with different types.

Rust, Sappeur, Spark Ada - they are Strongly Typed

Re: The more things change

I take it you use a horse carriage instead of these newfangled explosion-engine carriages ? Too dangerous !

Yeah, Nihilism

..always helps to stay in the darkness of ignorance. You use it with an additional tinfoil hat.

Mixing Up Things

You confuse Memory Leaks with Memory Safety. Please educate yourself. It is about stopping memory corruption and Virus Injection.

So

..Unix was the wrong turn, we should have gone the Algol Mainframe way instead !

Re: Restrict Export, Save Peace

Both countries must be denied high end electronics, tool machines, chemicals and so on. That would be used to build advanced weapons.

Just look at HIMARS - what makes it extremely dangerous is the reliable GNSS receiver and flight guidance mechanism. One HIMARS is worth easily 100 "dumb" rocket launchers.

Other advanced weapons need even more electronics+informatics, which I will not elaborate here, as we already have enough fires.

Diesel we can make out of coal, if push comes to shove. Look up LEUNA.

Old Tale About the King in the Mine

As the old tale says - the king is not dead, he is only resting somewhere in a mine !

https://www.volksliederarchiv.de/der-alte-barbarossa/