[liberationtech] Programming language for anonymity network

Tue Apr 22 09:54:27 PDT 2014

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi Stevens,

I think it would be irresponsible to start a new project in C or C++
given the enormous number of security issues caused by memory handling
bugs in C and C++ code. Here's a quote from a Debian security advisory
I just received, which is typical of these advisories:

"Multiple memory safety errors, out of bound reads, use-after-frees
and other implementation errors may lead to the execution of arbitrary
code, information disclosure or denial of service."

These are entire classes of bugs that don't exist in safer languages.
Avoidable bugs like this are found every day in widely used, open
source software. Software that isn't widely used and open source
presumably has a similar density of bugs, but they're undiscovered or
undisclosed.

C and C++ programmers seem to think that memory handling bugs are
something that happens to other people. They're not. Every programmer
in every language makes mistakes, but in C and C++ simple mistakes can
have subtle and disproportionately serious consequences.

Cheers,
Michael

On 18/04/14 09:26, Stevens Le Blond wrote:
> 
> Hello,
> 
> We are a team of researchers working on the design and
> implementation of a traffic-analysis resistant anonymity network
> and we would like to request your opinion regarding the choice of a
> programming language / environment. Here are the criteria:
> 
> 1) Familiarity: The language should be familiar or easy to learn
> for most potential contributors, as we hope to build a diverse
> community that builds on and contributes to the code.
> 
> 2) Maturity: The language implementation, tool chain and libraries 
> should be mature enough to support a production system.
> 
> 3) Language security: The language should minimize the risk of
> security relevant bugs like buffer overflows.
> 
> 4) Security of runtime / tool chain: It should be hard to 
> inconspicuously backdoor the tool chain and, if applicable,
> runtime environments.
> 
> To give two concrete examples:
> 
> Using the C language + deterministic builds is an attractive option
> with respect to 1), 2) and 4), but doesn’t provide much regarding
> 3).
> 
> Java does better with respect to 3), however, it trades some of 3)
> and 4) as compared to C. Specifically, we are concerned that large
> runtimes may be difficult to audit. A similar argument may apply to
> other interpreted languages.
> 
> Given these criteria, what language would you choose and for what 
> reasons? We would also appreciate feedback regarding our criteria.
> 
> All the best, David, Nick, Peter, Stevens, and William
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJTVp7DAAoJEBEET9GfxSfMQMAIAL/P3WfYgLeNe9oa5SQhtTEO
JXdP41q7UNS1ZznRMY+gsKLNZr3bjaSfJiLqALVkNl8XpHQCAbMwFowxtmkcvah/
7ZwXhT2Y2OT3DwobnT/173T611I3+w6QG4AJULmVt02mU01XeUuN23UPVYNjOZ/M
ZQrbZ6E45kes7Qq2TAG8FwK4tTnmjzzEyr9W0VOH/x9j1+oes4t2BHAM8cpb7+cr
E0aJLAJCth0ICt0nK2Ms6R1T7NyrgdzQLI+YJ3PGiyz5ajxyEfohrvfPkfPPeAEW
nmLly6GSga/gmQzx7yLNgUj7h4tD1IMkC5CTWu4Yd1kd2LLF8kEto03rPf6+Au0=
=GMPw
-----END PGP SIGNATURE-----