Strongly typed Languages and Security. From Schneier on Security.
A Great comment I believe it’s worth sharing. Source http://www.schneier.com/blog/archives/2010/10/firesheep.html#c478900
I can’t agree more that the average quality of programmers (and therefore reusable components) is miserable. Code reuse can be very messy and anyone serious about quality is forced to reinvent the wheel over and over.
Of course I also agree that not all standards are good, as I don’t consider the web’s standards good.
However, there are fake high level languages and real high level languages. You cannot really build a complex system in a low level language, and even if you did, it would be full of abstractions, effectively making it a high level language via design patterns.
Look at PHP, it’s a horrible mess, a big ball of crap thrown together to make a “framework” to “ease” web development. The developers don’t have a clue what they’re doing and there are lots of new vulns in it every month at both the high and low levels. The builtin functions are completely inconsistent, some things return magic values and some things raise exceptions. PHP just takes random features from other languages and piles them together in an incoherent way. PHP is weakly typed (which is _always_ useless and causes more bugs). PHP is configurable, different libraries depend on different configurations of it. PHP has a garbage optional security model thing called safe-mode, which doesn’t work as it’s just more crap incoherently thrown together.
Now look at a real high level language, like Haskell, everything is immutable, which immediately mitigates one of the big class of bugs. Lazy evaluation means everything is more efficient most of the time (most problems are best solved lazily), but can be turned off when needed. The type system tells you all the information you’d ever want to know about the architecture of a given program, as well as catches _lots_ of bugs up front. Functions can easily be reasoned about due to type safety and immutability. This is a language that was actually thought out, unlike PHP.
Also, there are capability-secure languages/OSs, such as E (language), where security is orthogonal and forces the principle of least authority upon the entire architecture from the ground up. They have already been proven easy to use (obviously, much easier to use than any *nix crap because they have strong typing and aren’t C) and exponentially more secure. E is basically reifies one of the things computing is meant to have but doesn’t currently: you can run any code without caring if it’s evil or crappy. Sort of like the web but not completely flawed/unusable/insecure. The capability model also stop programs from dumping random garbage all over your OS, which is what happens on *nix and Windows.
Did I mention POLA is important? Why one would ever want to run random code off the internet with full privileges is beyond me. Java has an actual _half_ decent security/object model BTW, but it was ruined by pragmatism, and now everyone just signs their applets and the users can’t run them unless they modify their JVM or allow the code to run with full privileges.
Heck, even QNX is vastly superior to *nix just because they took a few old academic ideas into practice.
But what I really want to get down to is that strong typing is mandatory. (Strong typing in the data sense as well as language).
What I mean by strong typing in the data level is that you don’t take a bunch of random text and try to interpret it. You don’t take a bunch of machine words off the stack/heap and try to interpret them. Data must be organized mechanically, never trust the human.
Stack smashing happens because of lack of strong typing; array’s don’t really exist, you just get pointers to memory and are free to do anything with them, integers don’t exist either, you just have machine words. Actually nothing exists because C is just one crappy abstraction with a ton of undefined behavior. Strongly typed arrays cannot be violated, nor can ints etc. C is another example of this nonsense re-usability notion, to make it “fast”, _as well_ as portable, it has to have tons of undefined behavior. A secure system would have a high level language and the underlying low level components would be written in a way specialized to that architecture, in which case you can get performance as well as **no** undefined behavior.
XSS is because of lack of strong typing, you are just taking a bunch of text and blindly treating it as code or crap to inject into some text that is meant to be code. This is about as unreliable as it gets. Strongly typed declarative data structures prevent this.
SQL Injection? Ditto. But has been solved by A) ORMs that aren’t vulnerable B) Object databases (which are on par and sometimes better than RDBMS with respect to performance, BTW) C) HaskellDB ;)
HTTP injection? Well this doesn’t happen as much because one typically uses a safe API to build the HTTP request as opposed to editing it and parameterizing it by hand. This is analogous to using a safe API to manipulate a binary data structure (that is strongly typed). Hey? Binary is compact and efficient, then why do we have text protocols and formats? Oh yeah, someone thought it would be a good idea to have plaintext stuff because maybe we would be able to edit it by hand or something. BS. Do they expect us to edit 20MB XML documents by hand? You should be using a graph editor that provides a set of idiomatic transforms and queries (does this exist for XML? it should.). The only time you can edit _any_ plaintext document by hand is when it’s tiny, except this still doesn’t work because you don’t know what character set encoding to use… XML sucks, it’s not a cyclic graph so you have to retype things instead of just putting a reference to them, or invent an ad-hoc way of doing this for your schema. This is clearly propagated by the “simple” design of plaintext XML, if it were binary, they probably would have just made a real cyclic graph. This stuff also reminds me of another major issue with *nix, everything is a file (which is nonsense, everything should be an object, or maybe there is something better? I dunno, but objects are already superior to files in every way. Want streams? read: lazy evaluation), which for some reason, means everything is text with an arbitrary grammar, so you have to write a ton of regular expressions to get anything done in *nix. Ooh and you have magic numbers as return values from programs. Except these both break all the time as new versions of the programs come out. And they are a bitch to fix because they aren’t objects; you have to rewrite the parsers (text) instead of using the new fields (objects). Even the input to any *nix program is braindead and violates strong typing principles so they can’t be used without causing new vulnerabilities. Even if you escape the input to make it safe for bash or whatever shell you are using, the data within that parameter might still need to be further escaped because it’s passed as an SQL string or some other weakly typed system. I don’t know why “command line” mantra even exists anymore (now that we don’t use ancient terminal things anymore, well some people do, but not me at least), every program that has an interactive bash shell thing is different and crappy and has no multiline input and a lot of them overwrite your input as you’re typing it with output. Command line apps shouldn’t exist, there should just be objects that you invoke methods on with a _real_ (bash isn’t a real language) statically strongly typed language and get back some other objects. Static typing allows *rich* auto-completion for free. The shell can infer the variables in the local namespace that match the input parameter you are on, and then suggest them all. And the shell should actually be a decent thing, not a stupid pair of I/O streams. *nix terminal things suck **hard**. If you copy and paste some text from a web page, it might contain malicious code followed by a newline (a page can make you copy something other than what is displayed and highlighted on it), and you get owned. Oooh, oooh, X11 is also broken, it doesn’t let non-you users display to a constricted area on it, so you have to run random crap programs off the internet as you, and they get to steal all your non-root stuff (the stuff that *actually* matters). But they get root by ptracing your bash shell and escalating to root the next time you sudo or su. The Qubes OS tries to fix some of this stuff, but fails miserably, because it’s not even as good as or better than the Object Capability Model, which was invented decades ago, but I guess this is because they want compatibility with current software, which means they have to diminish security. Maybe they would be better off joining Tunes.
Computing sucks hard for many other reasons, but I’m getting tired of writing for now and am hungry.
What does this all have to do with firesheep? Dunno, but it’s not surprising what firesheep can do, and it’s about time someone is stepping up and trying to expose more loudly one of the many critical flaws that have been being used for malicious purposes for the past decades. I predict the next movement is for someone to write a nice metamorphic virus and take over hundreds of millions of boxes on the internet and all those crappy embedded devices. (It’s not that hard to pull off.)
Anyone interested in creating a secure computing paradigm and ditch all this other nonsense? Call me.

Mathaba.net