[Haskell-cafe] US Homeland Security program language security risks

Yitzchak Gale gale at sefer.org
Wed Jan 9 04:06:01 EST 2008


Galchin Vasili wrote on Friday, January 4:
>> I stumbled across this page. It seems that Haskell and other
>> strongly typed functional languages like ML/OCaml will fare much,
>> much better, e.g. buffer overrun. Thoughts ... comments.

Bulat Ziganshin wrote:
> for me, it looks like saying that haskell better uses CPU registers :)
> the truth is that modern languages (including Java/C#) don't use
> buffers directly. I don't have experience of their usage, but for
> Haskell I had memory referencing problems only when using unsafe*
> tricks

Interestingly enough, a few days after this exchange, the
first public report was released from a large survey funded
by US Homeland Security on the security of open source
projects. The survey was carried out by a company
called Coverity.

Among the projects making top grade for security - apparently
far better than most proprietary products, though complete
information about that is not public - were PHP, Perl, and
Python.

PHP? Come on, can't we do at least as well? But right now,
there is a technical impediment to the participation of
Haskell: the Coverity project currently only supports
projects written in C, C++, and Java. Haskell compilers
are often written in Haskell.

Any ideas? Perhaps Coverity's interest could be
piqued if they were made aware of Haskell's emergence
as an important platform in security-sensitive
industries such as finance and chip design, and of
the significant influence that Haskell is having on the
design of all other major programming languages.

The home page for the Coverity open source project
is at:

http://scan.coverity.com/

Some recent press coverage:

http://it.slashdot.org/article.pl?sid=08/01/09/0027229

http://www.zdnet.com.au/news/security/soa/11-open-source-projects-pass-security-health-check/0,130061744,339284949,00.htm

http://www.informationweek.com/story/showArticle.jhtml?articleID=205600229

-Yitz
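The exchange quoted above turns on one point: in Haskell, an out-of-range buffer access is caught by the library unless the programmer reaches for an unsafe* function. The following is an added example (not code from this thread or from any of the posters) that shows the difference concretely. The four-byte buffer is constructed for the demo; `Data.ByteString.index` and `Data.ByteString.Unsafe.unsafeIndex` are the real bytestring API.

```haskell
-- Added example: bounds-checked indexing versus the unsafe* escape hatch.
-- Build with: ghc Overrun.hs   (needs the bytestring package, shipped with GHC)
import qualified Data.ByteString as B
import qualified Data.ByteString.Unsafe as BU
import Control.Exception (SomeException, evaluate, try)
import Data.Word (Word8)

-- A constructed 4-byte buffer ("ABCD") used only for this demo.
buf :: B.ByteString
buf = B.pack [0x41, 0x42, 0x43, 0x44]

-- Safe read: 'B.index' checks the index against the buffer length and
-- throws an exception when it is out of range, so the caller sees a
-- 'Left' instead of a silent out-of-bounds read.
safeRead :: Int -> IO (Either SomeException Word8)
safeRead i = try (evaluate (B.index buf i))

-- Unsafe read: 'unsafeIndex' skips the check. With an in-range index it
-- behaves like 'B.index'; with an out-of-range index it compiles and runs
-- but reads whatever memory follows the buffer. This is the "unsafe*
-- tricks" case in which Haskell gives up memory safety.
unsafeRead :: Int -> Word8
unsafeRead i = BU.unsafeIndex buf i

main :: IO ()
main = do
  inRange  <- safeRead 2     -- Right 67 (0x43, 'C')
  tooLarge <- safeRead 100   -- Left <index-out-of-range exception>
  print inRange
  print tooLarge
  print (unsafeRead 2)       -- 67, same as the checked read
  -- Deliberately not executed: 'unsafeRead 100' would return garbage
  -- (or crash) rather than raise an exception.
  putStrLn "unsafeIndex with an out-of-range index is the only way to overrun here"
```

The practical check this suggests for a Haskell code base is a grep for `Data.ByteString.Unsafe`, `Data.Array.Base.unsafeAt`, `unsafePerformIO`, `Foreign.*` and `unsafeCoerce`: every memory-safety argument for the program rests on those call sites being correct, so they deserve the review attention a C programmer would give to raw pointer arithmetic.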


More information about the Haskell-Cafe mailing list