On Tue, 16 Apr 2013 14:05:39 +0200
Florian Weimer <fweimer(a)redhat.com> wrote:
On 04/15/2013 08:17 PM, Miloslav Trmač wrote:
> Sure, moving away from C/C++ does not make programs
> completely secure; however, on average, C/C++ programs
> are noticeably less secure (because most vulnerabilities
> that can happen in higher-level languages can also happen
> in C, but not the other way around).
To illustrate this point, here's a fairly concrete
example: If you have got a program that is written in a
memory-safe language which also provides some form of
encapsulation, it is possible to demonstrate convincingly
(*) that a software module which provides an
encryption/decryption service never leaks the key
material. If there is no memory safety, other code in the
program could peek at the key bits, and encapsulation is no
longer guaranteed. What should be a local property of the
module now turns into a global property of the program,
making review more difficult.
(*) As soon as cryptography is involved, mathematically
rigorous results are the exception.
Memory-safe languages don't protect against key material
being left un-zeroed in pages, nor against side-channel
attacks due to non-constant operation timing, power, etc.
Sure there is a certain class of problems you aren't going to
get in Python that you are in C, but it's not a panacea.