Deserialization considered harmful: the security case for persistent objects

I've done a fair amount of work on persistent object systems, starting with the Thor distributed storage system and more recently, the Fabric system. I used to think the point of persistent object systems was to make programming easier. Lately I think security might be an even stronger argument. For programmers, the great thing about persistent … Continue reading Deserialization considered harmful: the security case for persistent objects

Java vs. OCaml vs. Scala

I just inadvertently ran a poorly controlled experiment on the relative virtues of these three programming languages, at least for the job of writing compilers. Despite the nonexistent experimental protocol, I thought the results were pretty interesting—even if they may irritate some of my PL colleagues. In my compilers course at Cornell (CS 4120), I let the … Continue reading Java vs. OCaml vs. Scala

Worse is Better vs. Better is Better

In 1991 Richard Gabriel wrote a insightful and influential article about the difference in designing software systems in the "MIT Style" and "New Jersey Style" (AT&T), where he termed the latter "worse is better". He argued that when building software, the "MIT style" of getting the design "right" (at the cost of complexity in implementation) … Continue reading Worse is Better vs. Better is Better

SHErrLoc tool released

Danfeng Zhang has released his tool for diagnosing errors from static analysis, which was described in our paper in POPL 2014. The tool is now called SHErrLoc, for Static Holistic Error Locator. We hope that this tool will be useful to others doing research on localizing static errors.