spectre and the end of langsec ~~ https://wingolog.org/archives/2018/01/11/spectre-and-the-end-of-langsec …
-
-
Replying to @andywingo
Calling it the death of langsec feels excessive. Even if language model can’t cover every cranny of the actual operation of the program, most bugs are stupid and I’d be happy to even exclude those. Point was never to guarantee complete correctness. cc
@sergeybratus@maradydd1 reply 0 retweets 5 likes -
I'm a little more optimistic than that.
@andywingo's entirely right, there's a lot of basic research that still remains to be done, but I don't necessarily see that as a bad thing. (1/2)3 replies 1 retweet 3 likes -
As all proofs rely on axioms, a LangSec one relies on "axioms" of a CPU. If CPU breaks such, proof's broken
2 replies 0 retweets 6 likes -
Replying to @sergeybratus @maradydd and
C'mon. CPUs with formal semantics and a verified implementation are on the horizon. *silently nods at RISC-V and two 34C3 talks*
2 replies 0 retweets 6 likes -
Replying to @andreasdotorg @maradydd and
And these kinds of CPUs won't arrive a minute too soon :)
1 reply 0 retweets 3 likes -
Replying to @sergeybratus @maradydd and
And still, it's a sound win for langsec if we've pushed bugs so far that we now have to look at hardware bugs.
1 reply 0 retweets 6 likes -
Replying to @andreasdotorg @sergeybratus and
No, there's still plenty of low-hanging fruit. Consider that paper I tweeted the other day about parser differentials in X.509 hostname verification.
1 reply 0 retweets 3 likes
Totally not calling that we're there yet. But even if we were, the premise of the above article would be wrong.
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.