[erlang-questions] Cryptography bugs

[Richard O'Keefe]

We had a thread just recently about people (ab)using Erlang's simple
random number generator.  If non-obvious but easily exploitable
security flaws amuse you, you may enjoy

http://gregorkopf.de/slides_berlinsides_2010.pdf

which explains two bugs, one in Typo3 and one in Joomla.

Me, I found this scary.  I thought I was good at debugging, and PHP
is similar enough to Perl that I should have been able to read the
examples, but while I probably would have been wary enough to avoid
making these mistakes in the first place, there's no way I would have
been smart enough to see them.

How do we write programs so that this kind of mistake is harder to
make / easier to find?  I don't think the programming language makes
_much_ difference except to the degree that it lets you annotate values
that are critical to security and track them somehow (like the way
SPlint lets you track annotations in C).

Perhaps having a list of things to look for in an inspection?
From that paper,

    Typo3.  What went wrong?
	* Shortening a MAC value without proper reasons
	  We have enough bandwidth to submit full hash values ;)
	* Using a not-typesafe comparison operator
    	* Further: forgetting about null bytes
    Joomla:
	* Using a weak PRNG 32 bit seed
	* No entropy accumulator
	* Frequently reseeding the PRNG
	* Using CRC32 for cryptographic purposes

From Erlang:
	* Using anything other than a proper cryptographic PRNG

Anyone who knows this stuff want to extend it so we can ask for it
to be added to the Erlang documentation?