To my way of thinking, there is an aspect of "security"
associated with language compilers. It is related to how faithful
the translation is to the original source code intent. There are
two aspects to this. First, does the resulting translation embody
the instructions of the original and only those instructions with nothing
extraneous added. One partial measure of this is the size of the
existing bug list.
Second, does the presence of syntactically or semantically incorrect
source result in a usable set of (perhaps) unintended instructions.
As I understand it, it was one of the reasons why the Ada language
designers (yup, I'm old enough to remember that effort) not only
specified what happened with correct source programs, but also what the
compiler should do on the various possible errors. Whenever a spec
has a statement like "the result of an error is left up to the
implementation", all bets are off as far as incorrect sources are
Just my $0.02.
At 04:06 PM 10/16/2009, you wrote:
No, there's no such assessment.
I'm not quite sure how one
would go about such an assessment. Saxon is not trying to protect or
prevent anything, so the risk of it failing to do so is nil. It's
basically a language compiler - I don't know what is meant by the
"security" of a compiler.
The only known security issue
with Saxon has been the problem that can arise if you allow untrusted
stylesheets to run in a sensitive environment: Code written in XSLT and
XQuery is code like any other, and if you don't trust code then you
shouldn't run it. Sounds too obvious to me to be classed as a
"vulnerability", but it's a mistake people have made, so it's
worth pointing out.
From: Brian Newman [mailto:firstname.lastname@example.org]
Sent: 16 October 2009 15:49
Subject: [saxon] Security
I'm developing an XSL based solution for the US Navy whose data needs to be held secure.
I've not been able to find any information on Saxonica regarding what its security vulnerabilities are (security vulnerabilities of the processor, not XSL in general). Basically, I need some sort of security profile info that I can hand to my boss so he can make a determination as to whether we can use Saxonica.
Is that information available somewhere?
Brian Newman CISSP
Network Security Systems Plus, Inc.
5205 Leesburg Pike, Suite 1502
Falls Church, Virginia 22041
saxon-help mailing list archived at http://saxon.markmail.org/