From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail1-relais-roc.national.inria.fr (mail1-relais-roc.national.inria.fr [192.134.164.82]) by walapai.inria.fr (8.13.6/8.13.6) with ESMTP id q021hLej018133 for ; Mon, 2 Jan 2012 02:43:21 +0100 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: ArYGAKQKAU/AbSoIe2dsb2JhbABDggWDCqdIIgEBFiYEIYFyAQEFI1YQCwkFDAIZDQICFBgxiA+jB5BhE4EciUozYwSNR4c6kjY X-IronPort-AV: E=Sophos;i="4.71,442,1320620400"; d="scan'208";a="137463286" Received: from einhorn.in-berlin.de ([192.109.42.8]) by mail1-smtp-roc.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-SHA; 02 Jan 2012 02:43:15 +0100 X-Envelope-From: oliver@first.in-berlin.de Received: from first (e178021033.adsl.alicedsl.de [85.178.21.33]) (authenticated bits=0) by einhorn.in-berlin.de (8.13.6/8.13.6/Debian-1) with ESMTP id q021hE5L000963 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 2 Jan 2012 02:43:15 +0100 Received: by first (Postfix, from userid 1000) id 35A4C154036A; Mon, 2 Jan 2012 02:43:14 +0100 (CET) Date: Mon, 2 Jan 2012 02:43:14 +0100 From: oliver To: Gerd Stolpmann Cc: Xavier Leroy , caml-list@inria.fr Message-ID: <20120102014314.GA4960@siouxsie> References: <1325263446.5036.104.camel@samsung> <4EFDEF92.3010204@inria.fr> <20120101125212.GB12851@annexia.org> <4F0097E6.2090701@inria.fr> <1325451843.5036.165.camel@samsung> <20120101232429.GA3818@siouxsie> <1325462283.5036.189.camel@samsung> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <1325462283.5036.189.camel@samsung> User-Agent: Mutt/1.5.20 (2009-06-14) X-Scanned-By: MIMEDefang_at_IN-Berlin_e.V. on 192.109.42.8 Subject: Re: [Caml-list] Hashtbl and security On Mon, Jan 02, 2012 at 12:58:03AM +0100, Gerd Stolpmann wrote: [...] > > > What I could imagine is a module Sys.Security where all security > > > features are accessible and configurable, e.g. > > > > I doubt that this makes sense. > > Nearly anything that can be programmed can become a security > > issue, if done wrong; especially things done on the > > operating system level (like Unix module) could become > > a security issue, if things are handled without care. > > Thanks for your argumentative help - by being ignorant you prove my > thesis that typical programmers won't do anything by themselves. The > world is so much trouble, better put the head into the sand, and hope > the attacker won't pick you. (Well, sorry, maybe a bit too harsh, but I > hope you get my point that it is no excuse that also other security > issues may exist). [...] You completely did NOT see what I talked about. I did not say, this problem should be ignored. At the day when I heard from this bug I also was tempted to post to this list here; just someone was faster then me. What I meant was not to ignore the problenm, because there are other problems; I meant, that there is no reason to ship the functionality into Sys.Security, if it belongs to Hashtbl. As you said, it is necessary to point the attention of the programmer to crucial points, this means, that the Hashtbl-Initialization needs to be in the Hashtbl module. The docs for the Hashtbl are the place, where a programmer looks for information on Hashtbles of course, and not in some module in any other place. Especially if the progranmmer is not aware of the problem, it's a necessity to place the information at the place of the module that you want to use. This is good style of documentation and also is rather FPL like. Exporting the Seeds-functionality to some other module is very similar to using global variables in a C program. Put the things where they belong to. And Hashtbl-init belongs to Hashtbl-module. [...] > > A mandatory (not optional) hash-function-parameter > > that must be passed (plus some default hash functions > > with elaborated documentation on the properties of those) > > would make more sense to me. > > The seed is so far optional. Sure, requiring it mandatorily would ensure > it is passed, but I guess programmers would just become used to the > idiom "Hashtbl.create ~seed:0 ()". If the type is an abstract type, which comes from something like Hashtbl.Randomseed and has type t, not type int, this problem would vanish. [...] > > Putting things that need tp be part of the Hash-module > > aside into a Sys.security-module makes these things less > > apparent to the programmer who just wants to use hashes, > > and don't thinks about using hashes might be a security problem. > > If done right, this won't be a problem anymore for the typical user (who You also mentioned, that programmers might be too lazy or are not aware of the problem. Then putting the initialization to some unrelated module is not supporting the programmer to become aware of the problem. Even if the person already knows that there might be some security issues with the hashtables, then I doubt, that the first idea of most programmers would be to look out for something like Sys.Security. Instead I would assume higher frequency of asking mails on this list, about this problem. Ciao, Oliver