On Wed, Jan 9, 2019 at 7:55 PM 'Thomas Bushnell, BSG' via golang-nuts < golang-nuts@googlegroups.com> wrote:
> > I'm curious about why transpilation would have significantly mitigated the > Heartbleed bug. > > Heartbleed is a bug which relies on two things: - Failure to do proper bounds checking - Allocation of a buffer which is not initialized to some zero-value, and which straddles memory it shouldn't. Many programming languages are constructed such that they address both of the above problems at the semantics level, and thus they avoid the really dangerous part of the bug, which is the leak of information, downgrading the bug to a denial of service attack, or even also mitigating that part of the bug. Array access is checked against the arrays bounds, and buffer allocated memory is properly 0-initialized before use. Compilation from one language to another might have the side-effect of changing the semantics of the program because of the above observations. Thus making a previously unsafe program safe. In principle we want to be clever: augment the program with new safety semantics, but without changing the meaning of the rest of the program in any way. Given there is a very large body of C code out there, live, we want to take an approach like the above: - A rewrite, into say Rust because it is currently popular, runs the risk of re-introducing faults in the programs which were removed through corrections over the years. - We rewrite too much, where we should reuse. - C is a remarkably stable programming language in that most older C code still runs in this day and age. More or less, there are some caveats, which the compilation idea ought to address. Many modern languages have a tremendous amount of bit-rot in the sense even 2-3 year old programs now utter fail to run. -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
