[[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

Barry Shein bzs at world.std.com
Thu Apr 17 03:01:33 UTC 2014

On April 16, 2014 at 15:34 jason.iannone at gmail.com (Jason Iannone) wrote:
 > I can't cite chapter and verse but I seem to remember this zeroing
 > problem was solved decades ago by just introducing a bit which said
 > this chunk of memory or disk is new (to this process) and not zeroed
 > but if there's any attempt to actually access it then read it back as
 > if it were filled with zeros, or alternatively zero it.

Those were my words.

I was talking about kernel memory/disk management.

And then Jason Iannone...
 > Isn't that a result of the language?  Low level languages give that
 > power to the author rather than assuming any responsibility.  Hacker
 > News had a fairly in-depth discussion regarding the nature of C with
 > some convincing opinions as to why it's not exactly the right tool to
 > build this sort of system with.  The gist, forcing the author of a
 > monster like OpenSSL to manage memory is a problem.

This is a potentially huge discussion with many dimensions.

A library like openssl is intended to fit into a huge software
ecosystem much of which is already written in C.

Writing it in another language (other than perhaps C++) would require
a cross-language API or similar (e.g., IPC) which introduces other

So, oftentimes you use a three-prong plug because you are faced with
three-prong receptacles and rebuilding the entire building to a new
standard just isn't practical even if you believe the result presents
a potential shock hazard.

And, if I may editorialize, there's a reason most of that ecosystem is
built in C, it's not only legacy. Other languages have their own
shortcomings, you can't just consider one aspect.

        -Barry Shein

The World              | bzs at TheWorld.com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Dial-Up: US, PR, Canada
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*

More information about the NANOG mailing list