I've done a fair amount of work on persistent object systems, starting with the Thor distributed storage system and more recently, the Fabric system. I used to think the point of persistent object systems was to make programming easier. Lately I think security might be an even stronger argument. For programmers, the great thing about persistent … Continue reading Deserialization considered harmful: the security case for persistent objects
I just inadvertently ran a poorly controlled experiment on the relative virtues of these three programming languages, at least for the job of writing compilers. Despite the nonexistent experimental protocol, I thought the results were pretty interesting—even if they may irritate some of my PL colleagues. In my compilers course at Cornell (CS 4120), I let the … Continue reading Java vs. OCaml vs. Scala
There has been much nice work lately on proving that complex software is written correctly, including components like operating systems and compilers. But it's hard to see how to scale these heroic efforts to the vast amount of software that is being written every day. It's simply too hard to build software that is correct and secure. … Continue reading Limits of Heroism
The dream of building provably correct software seems to be coming closer to reality. It is very cool to see all the recent work in the systems community on building provably correct systems components. At the same time, I'm worried that the training of software developers actually involves less formal logic compared to a generation ago. … Continue reading The logic deficit
Bad people can make your computer do the wrong things and tell the bad people about stuff they are not supposed to know. People try to make computers that only do the right things. But it is hard to tell a computer what it should do because you have to think of all the mean … Continue reading What I do
Neil deGrasse Tyson received a lot of derision for calling for "unhackable systems" recently. I'm a bit perplexed by this response. On the positive side, it's clear that it is widely understood that current computer systems are very far from unhackable. On the negative, the common understanding (at least among those on Twitter) seems to … Continue reading Unhackable computers?
In 1991 Richard Gabriel wrote an insightful and influential article about the difference in designing software systems in the "MIT Style" and "New Jersey Style" (AT&T), where he termed the latter "worse is better". He argued that when building software, the "MIT style" of getting the design "right" (at the cost of complexity in implementation) … Continue reading Worse is Better vs. Better is Better
We released a new version of Fabric recently, version 0.2.2. It is much faster and more robust than the previous release. It's what we used for our NSDI 2014 paper on warranties as a performance comparison point. We also released the version of Fabric that has warranties in it. That's still a bit less robust, … Continue reading New Fabric release
Something we in the security community seem to ignore is that it's not enough to have an enforcement mechanism. Of course, you also need policies and you even need a semantics for those policies. But even with all of that, you still don't have enough. Because security does not happen by accident; it requires careful … Continue reading Limits of Enforcement
Danfeng Zhang has released his tool for diagnosing errors from static analysis, which was described in our paper in POPL 2014. The tool is now called SHErrLoc, for Static Holistic Error Locator. We hope that this tool will be useful to others doing research on localizing static errors.