comp.lang.ada
From: stefan-lucks@see-the.signature
Subject: Re: 'private' and Privacy
Date: Wed, 8 Jul 2009 04:48:16 +0200
Message-ID: <Pine.LNX.4.64.0907080339360.18913@medsec1.medien.uni-weimar.de>
In-Reply-To: <843a36b0-041d-4826-98b4-0fbcb1a4d287@d9g2000prh.googlegroups.com>

On Tue, 7 Jul 2009, Rick wrote:

> I have:
> 
>    KEYPAD_ROWS_COUNT : constant Positive := 2;
>    -- The number of rows on a keypad.
> 
>    KEYPAD_COLUMNS_COUNT : constant Positive := 2;
>    -- The number of columns on a keypad.
> 
>    type Keys_Type is array
>      (1 .. KEYPAD_ROWS_COUNT, 1 .. KEYPAD_COLUMNS_COUNT)
>    of Gtk.Key_Button_Pkg.Gtk_Key_Button_Access;
>    --Intermediate, addressable storage of keys for the keypad.

How about this?

     -- solution 1

     type Keys_Type is array 
       (Integer range <>, Integer range <>) 
     of Item; 

     function Keys_Type_Create return Keys_Type is ...

This allows you to actually create constrained Keys_Type arrays without making 
Keypad_Rows_Count and -_Columns_Count public. 

> I am trying to find a way to ensure that the user only addresses items
> in the array in the manner I provide rather than making use of the
> information clearly visible about the range of the array.  I can use
> functions instead of constants to define array range values but they
> have to be fully declared before I define the array - and this exposes
> that which I wish to remain private (the actual range).

Perhaps, what you want is the following: 

     -- solution 2

     type Keys_Type is limited private;

     function Get(KT: Keys_Type; X, Y: Integer) return Item;
     procedure Put(KT: in out Keys_Type; X, Y: Integer; It: Item); 

     ...

     private

       type Keys_Type is array(Secret_1 .. Secret_2, Secret_3 .. Secret_4) 
            of Item;

     end;

> Isn't this a contradiction in terms, or _is_ there a way to retain
> 'Privacy'?

Depends on what you mean by "privacy". For solution 1, your adversary/user 
would have to write

    X: Keys_Type := Keys_Type_Create;

and then could access X(I,J) -- but there are legal ways in Ada to figure 
out the ranges of X. 

Solution 2 requires writing the ranges into the private part of your 
spec. Private means you can't use it, but the compiler must know -- and 
you can read it. (It always confused me that the designers of Ada put 
two different things into the same file: the specification for the user, 
i.e., the programmer going to "with" a package, and the private part, 
which actually is meant to be "compiler only".)

You can combine solution 1 and solution 2, to avoid explicitly writing 
your ranges in the spec. But whoever is able to read the implementation of 
Create_Key_Type still can figure out the ranges. 

Even if your user/adversary has no access to the source code of that 
implementation, what are you going to do if your user calls Put or Get 
with invalid indices? If you just raise an exception, the user could 
search for the ranges. If the lower bounds ("Secret_1" "Secret_3" above) 
are known (you seem to assume them to be 1), the user/adversary can find 
the secret constants KEYPAD_ROWS_COUNT and KEYPAD_COLUMNS_COUNT by running 
a binary search for each of the constants.

But what is the problem you really want to solve? 

If you need to protect confidential constants, Ada is unlikely to solve 
your problem.  But if you don't actually require confidentiality and just 
want to protect the user of your package from harming himself/herself, 
defining a private or limited private type and some put/get subprograms, 
as I did for solution 2, seems to be the way to go.


-- 
------ Stefan Lucks   --  Bauhaus-University Weimar  --   Germany  ------
               Stefan dot Lucks at uni minus weimar dot de
------  I  love  the  taste  of  Cryptanalysis  in  the  morning!  ------
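The two solutions sketched above, and the point that "private" is a compile-time visibility rule rather than a confidentiality mechanism, in one compilable program. This is an added example, not code from the original post; the package name Keypad, the type Open_Keys (standing in for solution 1's unconstrained Keys_Type), the Create constructor and the Probe_Rows function are assumptions made for this demo, and the bounds are constructed values.

```ada
--  Added example (not code from the original post). Package name Keypad,
--  Open_Keys, Create and Probe_Rows are assumptions made for this demo.
--  Build with GNAT:  gnatmake privacy_demo.adb
with Ada.Text_IO; use Ada.Text_IO;

procedure Privacy_Demo is

   package Keypad is
      type Item is new Integer;

      --  Solution 1: unconstrained array type; the client only obtains a
      --  constrained object through the constructor, so no bound is named.
      type Open_Keys is array (Integer range <>, Integer range <>) of Item;
      function Create return Open_Keys;

      --  Solution 2: limited private type; the bounds are written in the
      --  private part and the client can only go through Get/Put.
      type Keys_Type is limited private;
      function Get (KT : Keys_Type; X, Y : Integer) return Item;
      procedure Put (KT : in out Keys_Type; X, Y : Integer; It : Item);

   private
      Rows_Count    : constant Positive := 2;   --  the "secret" bounds
      Columns_Count : constant Positive := 2;   --  (constructed values)
      type Keys_Type is array (1 .. Rows_Count, 1 .. Columns_Count) of Item;
   end Keypad;

   package body Keypad is
      function Create return Open_Keys is
      begin
         return (1 .. Rows_Count => (1 .. Columns_Count => 0));
      end Create;

      function Get (KT : Keys_Type; X, Y : Integer) return Item is
      begin
         return KT (X, Y);        --  Constraint_Error when out of range
      end Get;

      procedure Put (KT : in out Keys_Type; X, Y : Integer; It : Item) is
      begin
         KT (X, Y) := It;         --  Constraint_Error when out of range
      end Put;
   end Keypad;

   use Keypad;

   Open   : Open_Keys := Create;
   Hidden : Keys_Type;

   --  The "legal way" for solution 2: a client that only sees Get/Put can
   --  still recover a bound by probing until the index check fails.
   function Probe_Rows return Natural is
      N : Natural := 0;
   begin
      loop
         Put (Hidden, N + 1, 1, 0);
         N := N + 1;
      end loop;
   exception
      when Constraint_Error => return N;
   end Probe_Rows;

begin
   --  Solution 1: the bounds are not named anywhere public, but the array
   --  attributes hand them out on request.
   Put_Line ("solution 1 rows    :" & Integer'Image (Open'Length (1)));
   Put_Line ("solution 1 columns :" & Integer'Image (Open'Length (2)));

   --  Solution 2: Hidden'Length (1) would not compile here, since the
   --  partial view is not an array.  The runtime check leaks it instead.
   Put_Line ("solution 2 rows    :" & Integer'Image (Probe_Rows));

   --  What the private type does buy: misuse is caught, not silently ignored.
   begin
      Put (Hidden, 3, 1, 42);
   exception
      when Constraint_Error =>
         Put_Line ("out-of-range Put rejected by the index check");
   end;
end Privacy_Demo;
```

The program prints 2 for both solutions: solution 1 through the 'Length attribute, solution 2 through the Constraint_Error that Put raises on the first out-of-range index. That is the trade-off the post describes: a private or limited private type stops a client from compiling code that depends on the representation, which protects the client from mistakes, but any value the package enforces at run time can be observed by a client willing to trigger the check.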



