Hi,

  Some comments on this topic: 

- LaFoSec is the second study funded by ANSSI (it was done by a consortium of experts, among which many security experts and one of the main developers of OCaml, so I would not take their recommendations lightly, personally), the first one is JavaSec (http://www.ssi.gouv.fr/fr/anssi/publications/publications-scientifiques/autres-publications/securite-et-langage-java.html), so there is indeed a comparison between OCaml, other functional languages, and imperative languages, showing that there are many more security  problems with Java than with OCaml.

- LaFoSec was started in 2010, which explains why it focuses on OCaml 3.12. 

- If some observations seem obvious (for smart people that you are ;-) ), a lot of them are much less obvious (the fact for example that you can discover a secrete key using polymorphic comparisons without breaking the type system). Also, they give an interesting set of arguments for pushing OCaml instead of other programming languages, so for me, they are really going in the good direction, it's a very good thing for the OCaml community.

- There is a document that was also written, but has not been published (it was described at the last JFLA'2013 seminar, also in French), providing a set of recommendations to improve OCaml for security applications. I don't know why it was not published with the other ones, maybe because it would become obsolete faster than the other ones.

--Fabrice

 


On Fri, May 24, 2013 at 7:45 PM, Pierre-Etienne Meunier <pierreetienne.meunier@gmail.com> wrote:
> Hahah :-)
>
> I would be happy to have an english version of this study...
> my language skills are very delimited and french is not
> in the small bag of languages I know.
>
> Possibly the crucial pages can be translated by some people?

Legally in France, you can also ask financial details about this kind of crap. I did it, we will see the result.

I can translate the most brilliant pages in english when I have some time, but I doubt you'll appreciate it as much as we, french taxpayers, far-from-tenured young french researchers ;-)

Cheers…
Pierre
--
Caml-list mailing list.  Subscription management and archives:
https://sympa.inria.fr/sympa/arc/caml-list
Beginner's list: http://groups.yahoo.com/group/ocaml_beginners
Bug reports: http://caml.inria.fr/bin/caml-bugs



--
Fabrice LE FESSANT
Chercheur en Informatique
INRIA Paris Rocquencourt -- OCamlPro
Programming Languages and Distributed Systems