From: Fabrice Le Fessant
To: Pierre-Etienne Meunier
Cc: oliver, O Caml
Date: Mon, 27 May 2013 10:55:34 +0200
Subject: Re: [Caml-list] French study on security and functional languages

Hi,

Some comments on this topic:

- LaFoSec is the second study funded by ANSSI (it was done by a consortium of experts, among which many security experts and one of the main developers of OCaml, so I would not take their recommendations lightly, personally), the first one is JavaSec (http://www.ssi.gouv.fr/fr/anssi/publications/publications-scientifiques/autres-publications/securite-et-langage-java.html), so there is indeed a comparison between OCaml, other functional languages, and imperative languages, showing that there are many more security problems with Java than with OCaml.

- LaFoSec was started in 2010, which explains why it focuses on OCaml 3.12.

- If some observations seem obvious (for smart people that you are ;-) ), a lot of them are much less obvious (the fact for example that you can discover a secret key using polymorphic comparisons without breaking the type system). Also, they give an interesting set of arguments for pushing OCaml instead of other programming languages, so for me, they are really going in the good direction, it's a very good thing for the OCaml community.

- There is a document that was also written, but has not been published (it was described at the last JFLA'2013 seminar, also in French), providing a set of recommendations to improve OCaml for security applications. I don't know why it was not published with the other ones, maybe because it would become obsolete faster than the other ones.

--Fabrice

On Fri, May 24, 2013 at 7:45 PM, Pierre-Etienne Meunier <pierreetienne.meunier@gmail.com> wrote:

> > Hahah :-)
> >
> > I would be happy to have an English version of this study...
> > my language skills are very delimited and French is not
> > in the small bag of languages I know.
> >
> > Possibly the crucial pages can be translated by some people?
>
> Legally in France, you can also ask financial details about this kind of
> crap. I did it, we will see the result.
>
> I can translate the most brilliant pages in English when I have some time,
> but I doubt you'll appreciate it as much as we, French taxpayers,
> far-from-tenured young French researchers ;-)
>
> Cheers…
> Pierre

-- 
Fabrice LE FESSANT
Computer Science Researcher
INRIA Paris Rocquencourt -- OCamlPro
Programming Languages and Distributed Systems
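
The polymorphic-comparison point raised in the message above, as an added example (not code from the message or from the LaFoSec study): an abstract type hides a key from the type checker, but the built-in `compare` still inspects its runtime representation. The module names, the `of_string`/`secret` interface and the key value are constructed for illustration; the hardened variant relies on the documented behaviour that structural comparison raises `Invalid_argument` on functional values.

```ocaml
(* Constructed example: polymorphic comparison sees through an abstract type. *)

(* Weak: t is abstract in the signature, but its representation is a string. *)
module Weak_key : sig
  type t
  val of_string : string -> t
  val secret : t
end = struct
  type t = string
  let of_string s = s
  let secret = "constructed-demo-key"  (* constructed sample value *)
end

(* Hardened: the representation holds a closure, so structural comparison
   raises instead of answering; equality is offered only through [equal]. *)
module Sealed_key : sig
  type t
  val of_string : string -> t
  val secret : t
  val equal : t -> t -> bool
end = struct
  type t = { get : unit -> string }
  let of_string s = { get = (fun () -> s) }
  let secret = of_string "constructed-demo-key"  (* constructed sample value *)
  (* Scans every byte regardless of where the first mismatch is. *)
  let equal a b =
    let x = a.get () and y = b.get () in
    let diff = ref (String.length x lxor String.length y) in
    for i = 0 to min (String.length x) (String.length y) - 1 do
      diff := !diff lor (Char.code x.[i] lxor Char.code y.[i])
    done;
    !diff = 0
end

let () =
  (* The client cannot read the string, yet compare reports how a candidate
     is ordered relative to the key: an ordering oracle on the secret. *)
  let sign g = compare (Weak_key.of_string g) Weak_key.secret in
  Printf.printf "weak: compare \"a\" -> %d, compare \"z\" -> %d\n"
    (sign "a") (sign "z");
  (* The same call against the sealed representation is refused at runtime. *)
  let sealed =
    try string_of_int (compare (Sealed_key.of_string "a") Sealed_key.secret)
    with Invalid_argument msg -> "refused: " ^ msg
  in
  Printf.printf "sealed: compare -> %s\n" sealed;
  Printf.printf "sealed: equal on wrong guess -> %b\n"
    (Sealed_key.equal (Sealed_key.of_string "a") Sealed_key.secret)
```

Both modules type-check with `t` fully abstract, so the difference is only visible at runtime: the type system is never broken in the weak case, which is why the leak is easy to miss in review.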