Deserialization considered harmful: the security case for persistent objects

I've done a fair amount of work on persistent object systems, starting with the Thor distributed storage system and more recently, the Fabric system. I used to think the point of persistent object systems was to make programming easier. Lately I think security might be an even stronger argument. For programmers, the great thing about persistent …

Worse is Better vs. Better is Better

In 1991 Richard Gabriel wrote an insightful and influential article about the difference in designing software systems in the "MIT Style" and "New Jersey Style" (AT&T), where he termed the latter "worse is better". He argued that when building software, the "MIT style" of getting the design "right" (at the cost of complexity in implementation) …

SHErrLoc tool released

Danfeng Zhang has released his tool for diagnosing errors from static analysis, which was described in our paper in POPL 2014. The tool is now called SHErrLoc, for Static Holistic Error Locator. We hope that this tool will be useful to others doing research on localizing static errors.