[pdpi]

For the sake of moving things forward: every time we have this discussion, someone always points out that functional languages would make it easier to get correct behaviour from a crypto library, and someone always replies that garbage collection opens you up to side-channel (timing, in this case) attacks.

[hoggle]

Interesting, I didn't know that. I always wondered why (non "functional") Ada doesn't get mentioned more often in these kinds of discussions:

http://www.adaic.org/advantages/

http://www.seas.gwu.edu/~mfeldman/ada-project-summary.html

[pgeorgi]

And it's "cousin" SPARK, which adds proof capabilities: http://git.codelabs.ch/?p=spark-crypto.git

[e12e]

Last time it was brought up, there appeared to be some lingering confusion and issues with how the compiler and runtime was and is licensed.

The latest version of Ada is available for a (large) fee from Adacore and for free under the GPL. There is also a version published as part of gcc, that trails the upstream version a little in terms of features -- but like the rest of gcc, the relevant parts are under LGPL, so not all binaries distributed to third parties need be distributed under the GPL, but can be under any licence one choose[1] -- without the need for a commercial licence from Adacore.

It would appear the lack of an up-to-date, gratis, version of Ada was a real problem for adoption at some point -- and the impression of Ada being difficult to get access to outside of large contractors put a damper on its popularity (justified or not).

[1] The "problem" with a compiler under GPL is that most compilers will have some kind of library code or language runtime that needs to be distributed with resulting binaries, thus forcing all projects to adopt GPL, rather than just the projects that build directly on the compiler.

[pjmlp]

More than price, what really hindered Ada was lack of adoption by popular OS vendors and hardware requirements for the early compilers.

Back in the day everyone was paying for compilers, the prices were the normal ones for the target audience.

Rational Software first product was an advanced Ada Machine, providing an early 80's InteliJ experience. Which followed the same fate as all special purpose computers.

UNIX, mainframe and other enterprise OS vendors that eventually provided an Ada compiler, treated it as second class citizen in regard to their main systems programming language.

Home computers lacked the required hardware to implement a proprer Ada compiler.

A systems programming language really needs to be "the language" an OS vendor SDK requires, otherwise it becomes just another application language that can also go low level.

Besides Ada Core, there are a few embedded and real time OS vendors providing Ada compilers.

[e12e]

> Home computers lacked the required hardware to implement a proprer Ada compiler.

Could you elaborate? Are you thinking 80s home computers like the Amiga 1000, or more classical PCs?

[pjmlp]

Both, from the Spectrum days up to the time we could get them to run on 32 bits.

On those days I and many older than me were still writing business applications in Assembly. Compilers for higher level languages were constrained in what they could achieve in the amount of memory that was available.

And Ada did required lots of it. Funny enough I would bet modern Ada compilers are less resource intensive than C++ ones.

[colanderman]

I know nothing about crypto, but I know a bit about languages. I don't really get this.

Say you're coding in a language with no garbage collection like C. If your code is not "symmetric" (more below), you still have timing attacks due to cache usage patterns, correct? After all, C hasn't been a very good model of any CPU designed since 1985.

Coming from the outside, I would think the way to tackle this would be to simple ensure your code is "symmetric"; that every legal code path through an algorithm perform the same operations, regardless of what data it is presented with, even if this means operating on fake data. That way the timing of any operation is always identical (barring uncorrelated noise).

It seems to me that this technique would apply equally to languages with and without garbage collection. Why is this not so?

[chriswarbo]

Interesting. Maybe an area where linear types can shine?

Rust is probably the most trendy language offering linear types at the moment, although I'd say it much closer to being "a safer C" than "a linear OCaml", so it wouldn't really make things more functional (although it would be safer!).

ATS is descended from DependentML, but for some reason most ATS code I've seen is written in a "safer C" style too. Maybe that's just pragmatism, since ATS has very few native libraries, so it's usually easier to call out to C.

Linear Lisp might be a nice choice, but its dynamic typing may be a problem for security-critical code.

[steveklabnik]

Fun bit of trivia: Rust was originally implemented _in_ OCaml, and takes a lot of cues from it.

[klibertp]

I saw a bit of OCaml code in Rust code-base recently, can you say what it's used for? I know that Rust is self-hosting now, but I swear I saw some .ml files there...

[dbaupp]

  ~/rust $ find -name '*.ml' | wc -l
  72
  ~/rust $ find -name '*.ml' | grep -v ./src/llvm | wc -l
  0

i.e. there are some OCaml files in a Rust checkout, but they're all part of LLVM, mostly part of the "OCaml Kaleidoscope": http://llvm.org/docs/tutorial/OCamlLangImpl1.html

[lomnakkus]

Isn't even C pretty vulnerable to timing attacks? (I'm thinking primarily through things like L1/L2 cache effects, etc.)

[edwintorok]

The actual crypto primitives are still implemented in C, do those timing attack apply to the high-level part implemented in OCaml too?

[pqwy]

That is exactly the question we have. And yes, the primitives are in C largely due to timing concerns.