[langsec-discuss] so what does langsec have to say about heartbleed?
munin at mimisbrunnr.net
Tue Apr 8 23:50:44 UTC 2014
There's a huge body of academic literature dealing with quantifying
information disclosure from applications and ensuring that
applications don't leak sensitive information, either explicitly or
implicitly (including via timing-based side channels, which is very
exciting). This includes both the construction of programming
languages that specify security/integrity of data the program is
working on, and, construction of type systems and hardware that
enforce security boundaries, as well as some amusing proofs of
non-existence with regards to some kinds of policy enforcement
The keywords you want are "noninterference" and "declassification".
On 04/08/2014 07:24 PM, travis+ml-langsec at subspacefield.org wrote:
> So I'm wondering, apart from using buffer-safe languages (which
> is obviously the Right Thing), is there something like
> taint-checking that we could do in programming languages to prevent
> this sort of thing?
> _______________________________________________ langsec-discuss
> mailing list langsec-discuss at mail.langsec.org
More information about the langsec-discuss