From: Dave Thompson
Newsgroups: comp.lang.ada
Subject: Re: C's trikery semantic opens up backdoor in new Linux kernel
Message-ID: <7uqlrv4l846co3ear20eotlkaj2t6aioho@4ax.com>
References: <3FB1A63C.9080200@nowhere.com>
Date: Wed, 19 Nov 2003 04:13:57 GMT
Organization: AT&T Worldnet

On Wed, 12 Nov 2003 14:38:06 +0100, Duncan Sands wrote:

> > > IMHO the real problem is that uid is not an opaque type and can
> > > be changed with a simple assignment. Much better if that required
> > > a function call.
> >
> > You can almost always find a workaround. The problem is to use it
> > every time and force people to use it.
>
> I was under the impression that (using preprocessor trickery) it was possible
> to get the equivalent of an Ada private type in C. Then everyone is forced
> to use function calls to get/set the value, unless they do type casts etc.
> In all cases, abuse would stand out more than it does now.
There's nothing you can do with the C preprocessor that can't be done directly in source -- because the preprocessor is a source-to-source transform (actually source to lexed-source, but that's equivalent in capability). The only compiler-enforced opaque types in C are incomplete aka "forward" struct and union tags.

And, probably sadly, there are enough places in most large C programs where casts are legitimately used that a few more don't stand out that much. You can make it harder to find/see things, like typedefs, by burying them in #include files, perhaps several layers deep in confusing #if's, but they're there somewhere and someone who goes to the effort can find and use them.

You can use BIG_UGLY_NAMES that attract scrutiny if actually written in source -- like Ada's UNCHECKED_* but more so because you can't substitute lowercase.

For assignment, you can with a little extra work create and expose only a const pointer to data that is actually variable; this then can be assigned to only in code that has the "variable view" OR by casting the pointer to non-const, which is at least mildly inconvenient.

- David.Thompson1 at worldnet.att.net
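The three C-side mitigations the reply lists (an incomplete struct tag as the only compiler-enforced opaque type, a BIG_UGLY_NAME on the one routine that may change the value, and a const "read-only view" of data that is really variable) can be put together in one small example. The code below is added here and is not from the thread or from the Linux kernel; `struct cred`, `user_id_t`, `CRED_UNCHECKED_SET_UID` and the "only a uid-0 caller may change a uid" policy are all constructed for illustration. It is written as a single translation unit so it can be compiled as-is: the client code is placed above the definition of `struct cred`, where the tag is still incomplete, which is the same situation as a separate client file that sees only the header.

```c
/* Added example: opaque uid credential in C (constructed, not kernel code). */
#include <stdio.h>
#include <stdlib.h>

typedef unsigned int user_id_t;   /* assumed: a plain integer uid */

/* ---- "public header": only an incomplete (forward) tag is exposed ---- */
struct cred;                                        /* no members visible */
struct cred     *cred_new(user_id_t uid);
void             cred_free(struct cred *c);
user_id_t        cred_get_uid(const struct cred *c);
const user_id_t *cred_uid_view(const struct cred *c); /* read-only view */
/* The one place a uid may change; the BIG_UGLY_NAME is meant to stand out
 * in any diff. Returns 0 on success, -1 if the policy refuses the change. */
int CRED_UNCHECKED_SET_UID(struct cred *c, user_id_t new_uid, user_id_t caller_uid);

/* ---- client code: 'struct cred' is still incomplete here, so the
 *      compiler, not convention, enforces the abstraction ---- */
int client_is_root(const struct cred *c)
{
    /* c->uid = 0;              -> error: dereferencing pointer to incomplete type
     * if (cred_get_uid(c) = 0) -> error: lvalue required; the = vs == slip
     *                             at the heart of the thread cannot compile */
    return cred_get_uid(c) == 0;
}

int client_request_uid(struct cred *c, user_id_t wanted, user_id_t caller_uid)
{
    /* *cred_uid_view(c) = 0;   -> error: assignment of read-only location
     * (only an explicit cast to (user_id_t *) gets past this, and a cast on
     *  a credential field is exactly the kind of line a reviewer looks at) */
    return CRED_UNCHECKED_SET_UID(c, wanted, caller_uid);
}

/* ---- "private implementation": the full definition lives only here ---- */
struct cred { user_id_t uid; };

struct cred *cred_new(user_id_t uid)
{
    struct cred *c = malloc(sizeof *c);
    if (c) c->uid = uid;
    return c;
}
void cred_free(struct cred *c) { free(c); }
user_id_t cred_get_uid(const struct cred *c) { return c->uid; }
const user_id_t *cred_uid_view(const struct cred *c) { return &c->uid; }

int CRED_UNCHECKED_SET_UID(struct cred *c, user_id_t new_uid, user_id_t caller_uid)
{
    /* Constructed policy: a non-root caller may only keep its own uid. */
    if (caller_uid != 0 && new_uid != caller_uid)
        return -1;
    c->uid = new_uid;
    return 0;
}

/* Scenario: an unprivileged credential asks for uid 0 and is refused.
 * Returns 1 if the refusal happened and the uid is unchanged, else 0. */
int demo_unprivileged_stays_unprivileged(void)
{
    struct cred *c = cred_new(1000);
    if (!c) return 0;
    int rc = client_request_uid(c, 0, 1000);      /* -1: refused */
    int unchanged = cred_get_uid(c) == 1000 && !client_is_root(c);
    cred_free(c);
    return rc == -1 && unchanged;
}

int main(void)
{
    printf("unprivileged stays unprivileged: %s\n",
           demo_unprivileged_stays_unprivileged() ? "yes" : "NO");
    return 0;
}
```

Uncommenting any of the three marked lines inside the client functions turns the corresponding "abuse" into a compile error, which is the point of the reply: the incomplete tag and the const view are enforced by the compiler, while the cast and the ugly name only make an intentional change more visible to a reader.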