Image processing routines have had more than their fair share of vulnerabilities. All the more reason to use a language that can eliminate most checks.
The particularly interesting thing about -avionics- is the cost of development is dwarfed by the cost of verification. I remember a presentation by Boeing Commercial Aircraft on the 777. They said, "We've done DO-178b Level A in a bunch of languages. For most languages, the cost to develop and the cost to verify is pretty much the same. For Ada [Ada83 - this was in the 90s], the cost to develop in Ada was 25% more than other languages. But the cost to -verify- that Ada was about 1/4 the cost of any other language. DO-178b verification costs up to 10x development." He wouldn't say just how much that cost for 777, but he strongly implied it was multiple billions of dollars.
And those programs are vulnerable to exploitation due to the lack of bounds checking.
Please produce real numbers for real programs demonstrating a significant cost from bounds-checking.
Seriously, a single instruction bounds-check that prevents a security breach is a damn small price to pay! (Some instruction sets even do this as a side-effect, I think.)
1. It's maybe 1 instruction on most architectures.
2. If you want security, you have to pay for it.
3. In many cases, the compiler can prove the bounds check is not needed!
Consider
for index in some_array'range loop
   ... some_array(index) ....
end loop;
Unless you modify index (as an "l-value"), the compiler knows the values for index are exactly the bounds of the array (because 'range returns the range of values for the object some_index), so no bounds check is required. If the compiler does detect that index can be modified, it would need to insert a bounds check.
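As an added illustration of the point above (this is example code written for this page, not the commenter's own), the following compilable Ada program contrasts a loop over the array's 'Range, where the index cannot leave the bounds, with an index supplied from outside (for instance an offset parsed from an untrusted image header), where the language-mandated check turns an out-of-range access into a Constraint_Error instead of an out-of-bounds read. The types, names and sample pixel values are constructed for the example.

```ada
with Ada.Text_IO; use Ada.Text_IO;

procedure Bounds_Demo is
   --  Constructed example data: a small "image row" of pixel values,
   --  indexed by a constrained subtype so the bounds are part of the type.
   type Pixel is range 0 .. 255;
   subtype Column is Positive range 1 .. 8;
   type Row is array (Column) of Pixel;

   Image_Row : Row := (10, 20, 30, 40, 50, 60, 70, 80);

   --  Looping over R'Range: Index can only take the values 1 .. 8 and is
   --  never assigned to, so the compiler can prove each R (Index) is in
   --  bounds and elide the per-access check.
   function Sum_Row (R : Row) return Natural is
      Total : Natural := 0;
   begin
      for Index in R'Range loop
         Total := Total + Natural (R (Index));
      end loop;
      return Total;
   end Sum_Row;

   --  Here the index comes from the caller, so the compiler cannot prove
   --  anything about it. The language requires a check, and an
   --  out-of-range value raises Constraint_Error rather than reading
   --  past the end of the array as unchecked code would.
   function Pixel_At (R : Row; Offset : Integer) return Pixel is
   begin
      return R (Offset);
   end Pixel_At;

begin
   Put_Line ("Sum of row:" & Natural'Image (Sum_Row (Image_Row)));
   Put_Line ("Pixel 3:" & Pixel'Image (Pixel_At (Image_Row, 3)));

   --  Offset 9 lies outside Column. The checked access raises
   --  Constraint_Error, which the program handles instead of crashing
   --  or silently returning memory beyond the array.
   begin
      Put_Line ("Pixel 9:" & Pixel'Image (Pixel_At (Image_Row, 9)));
   exception
      when Constraint_Error =>
         Put_Line ("Pixel 9: rejected, index out of bounds");
   end;
end Bounds_Demo;
```

With GNAT this builds as `gnatmake bounds_demo.adb`; compiling with -gnatG or inspecting the generated code shows the check present in Pixel_At and absent from the Sum_Row loop body.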
1. No address arithmetic. Arrays are programmed with bounds-checking, usually through dope vectors generated by the compiler. It is a requirement of the language to generate an exception if you try to go beyond the bounds of the array.
2. Ada handles pointers through access types (which, by the way, are always checked before dereferencing to be sure the pointer is not null). There are coding styles and means to do memory management, e.g. setting up a memory pool for a specific access type. Ada95 and beyond includes good support for constructors and destructors. Under some circumstances, the compiler can prove when there are no more extant values for a given access type and reclaim the entire pool.
That being said, if you're not a bit careful, you can program storage leaks in Ada through the normal mechanisms. It's not 100% foolproof. Some competence by the developer is required.
And there are means to escape the restrictions of the language. These have substantial syntactic sugar, so the developer (coder, reviewer, tester) knows "we are now doing something extraordinary. Certain checks provided by the language no longer apply here." In my experience, the most skilled developers work on this stuff (carefully) and then package it up (pun intended!) for use by the rest of the project.
And the Ariane 5 incident is interesting, in part because the developers -turned off- the checks provided by the language!!! That's kinda like deciding you don't need seat belts in your car driving down the highway, because it passed crash testing.
#1 is not true. See https://sourceforge.net/projec... There's been a GPL Ada compiler for at least 30 years. The Ada Core product is open source, you pay for maintenance.
For #2, the debate in many respects boils down to "simple programs in complex language" or "complex programs in a simple language." But see http://www.adacore.com/sparkpr... (and there are free versions of that, too), for a subset of Ada specifically designed to support proof-of-correctness.
In part it's a cultural thing. Ada is considered "complex and verbose" (but compare with Java). Ada is, of course, from the DoD, so it's "obviously bad." Most importantly, Ada requires a bit more thought before you jump into the code.
The interesting thing about Ada is that a skilled practitioner learns how to use the language to his advantage. You code so the compiler checks as much as it can, so you can concentrate on things the compiler can't check. When the compiler and you agree the code is correct, it probably is, at least with respect to typos and coding errors.
One big criticism I have with most languages, even those with a type system, is they don't support strongly typed scalars. But that's where type errors are most common. I don't think I ever tried to "add apples to oranges". But I have tried to add "count of apples" to "count of oranges" (or more specifically, once tried to add horizontal pixel location to vertical pixel location.)
Furthermore, those who think their C code is "close to the machine" don't know much about modern machine architectures. Compilers do a LOT MORE work than they did in the days of the PDP-8/PDP-11 or original x86 family. Ada (among other 'higher level' languages) provides the modern compiler with a lot more information for code selection and optimization. For example, register flushing is a lot easier to manage in Ada because pointer types are always declared as such, and unless there are specific language constructs, the compiler can prove a given variable will not be accessed through its address (and therefore doesn't have to spill the register to memory.) That's a simple example, compiler optimizations and instruction scheduling are very complex topics.
Finally, I've always thought C syntax was harmful, because it's so easy to make a mistake, either through ignorance or simple typo ("=" vs "==").
I know experts can do amazing things in C. There aren't that many experts out there slinging code, and most of the software we use these days shows it!!
Even when the identifiers were in a foreign language... I worked for Siemens US research lab back in the '80s, and saw a fair amount of code that looked like
for Untzelgerflekenzet in 1 .. Ausplotzenfargang loop
Geinengemacht (Zealer => Untzelgerflekenzet, Zugemacht => Sptizelgang);
end loop;
(mostly made up German-sounding words there... I knew a bit of German, but the words you learn in high school German rarely made it into computer code.)
$65 billion / 320 million people = ~$200 per person.
I look forward to his contribution to my welfare.
IANAL, but I seem to recall there was a lawsuit over mandatory arbitration clauses in stockholder/security broker contracts.
Same Area Code and prefix as my cell phone. Caller started talking about vacation, and I hung up immediately.
So whatever the Feds are doing, IT'S NOT WORKING YET!
"FB brings the world closer together by reducing the distance between ads, and making it more convenient for FB's customers to reach more of FB's product."
NSA had no comment.
Thanks, my comment submitted.
If I'm reading this (a 'petition' filed with the FCC) correctly, commenting expired a week ago: https://apps.fcc.gov/edocs_pub... However, the link in the original post shows new comments.
Has anyone figured out if it's possible to add a comment? If so, what are you using for the "proceedings" field here:
https://www.fcc.gov/ecfs/filin...
I think I know 2 people that would get this ad. I don't know about the cancer thing, but they match the other criteria.
That's a good point. What are the limits of ethical lobbying? I think there should be a clear limit when it comes to influencing the selection of your regulator.
like "Don't be Evil" to violate with its behavior.
It's hard to believe Uber didn't know what he was bringing with him (and the legal problems that could cause. Of course, there were also ethical issues, but that's not part of Uber's vocabulary, apparently.)
It's my vague recollection that at least one other airline had a power-related IT outage within the last year or so.
I would have thought "reliable power at scale" was a solved problem.
I once got called where the Caller ID was -my own number-, and I'm not the only person this has happened to.
But I think it's a significant start:
1. Once a DID is identified as coming from a scammer, propagating that information should be pretty easy (akin to the mechanisms now used for detecting and reporting malicious websites.)
2. This also provides an easier time for Do Not Call registries to 'follow the money'.
It's not sufficient to cure the problem, as you point out.
What would Apple/Google use for that privacy feature? We -know- Caller ID numbers are forged all the time. Is there some other signature that comes with the incoming call?
I repeat my call for unforgeable Caller ID. If the Telco can't verify the actual caller phone number and identity, it should present "untrusted" or some words to that effect.
The argument 'this can't be done' doesn't sound credible to me; it implies the Phone Company doesn't know who to bill. Yes, this could be a significant change to Telco switches. But they've been facilitating these kinds of frauds for way too long.
This will not stop nuisance calls, but it will make it MUCH EASIER to block or ignore them.
The way I heard this was a BOAC 707 (predecessor to British Airways) was on a flight from LHR to FRA, and was having problems finding the airport in the fog.
BOAC pilot: Request vectors to runway.
German ATC: I gave you vectors. What is wrong, have you never flown to Frankfurt before?
BOAC pilot: Yes, but that was back in 1944, and I didn't land.