Archive for March 20, 2014

Thursday, March 20, 2014

Introducing the Hack Programming Language


Hack is a programming language for HHVM that interoperates seamlessly with PHP. Hack reconciles the fast development cycle of PHP with the discipline provided by static typing, while adding many features commonly found in other modern programming languages.

Hack provides instantaneous type checking via a local server that watches the filesystem. It typically runs in less than 200 milliseconds, making it easy to integrate into your development workflow without introducing a noticeable delay.

Julien Verlaguet and Alok Menghrajani:

Our principal addition is static typing. We have developed a system to annotate function signatures and class members with type information; our type checking algorithm (the “type checker”) infers the rest. Type checking is incremental, such that even within a single file some code can be converted to Hack while the rest remains dynamically typed. Technically speaking, Hack is a “gradually typed” language: dynamically typed code interoperates seamlessly with statically typed code.

Within Hack’s type system, we have introduced several features such as generics, nullable types, type aliasing, and constraints on type parameters. These new language features are unobtrusive, so the code you write with Hack will still look and feel like the dynamic language to which PHP programmers are accustomed.

Update (2014-03-26): Marco Arment:

You’re effectively writing in a new language, albeit with a much smaller learning curve than other language switches since you already know most of the syntax and API. But because Hack isn’t PHP, some of PHP’s biggest advantages — ubiquity, maturity, stability — don’t apply.

There are also some comments on Lambda.

Update (2014-04-01): Marco Arment:

What’s needed is a simple compiler that strips Hack’s type annotations out, leaving valid PHP behind. Obviously, this would only work on the additions in Hack that are easily stripped out or compiled to PHP, but even if it’s just the type annotations, that’s still extremely beneficial and in-demand among PHP coders.

Attacking the Random Number Generator, Not the Algorithm

Matthew Green:

What this means is that an attacker who can predict the output of your RNG—perhaps by taking advantage of a bug, or even compromising it at a design level—can often completely decrypt your communications. The Debian project learned this firsthand, as have many others. This certainly hasn’t escaped NSA’s notice, if the allegations regarding its Dual EC random number generator are true.


Unfortunately, so far all I’ve done is call out the challenges with building trustworthy RNGs. And there’s a reason for this: the challenges are easy to identify, while the solutions themselves are hard. And unfortunately at this time, they’re quite manual.


Solving this problem, at least in software, so we can ensure that code is correct and does not contain hidden ‘easter eggs’, represents one of the more significant research challenges facing those of us who depend on secure cryptographic primitives.
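To illustrate the point about predictable RNG output, here is an added example (not from this post or from Green's article): a toy key generator whose only entropy is a seed from a PID-sized range, and a defender's audit that flags any key it could have produced. The seed range, the `weak_keygen` construction and all function names are assumptions made for illustration.

```python
import hashlib
import random
import secrets
from typing import Dict, Optional

# Assumption: the generator's only entropy is a PID-sized seed (1..32767).
SEED_SPACE = range(1, 32768)


def weak_keygen(seed: int) -> bytes:
    """Toy 128-bit key from a non-cryptographic PRNG seeded only by `seed`."""
    return random.Random(seed).getrandbits(128).to_bytes(16, "big")


def strong_keygen() -> bytes:
    """128-bit key from the operating system's CSPRNG."""
    return secrets.token_bytes(16)


def fingerprint(key: bytes) -> str:
    """Store hashes rather than raw keys in the blocklist."""
    return hashlib.sha256(key).hexdigest()


def build_blocklist() -> Dict[str, int]:
    """Fingerprint every key the weak generator can ever emit."""
    return {fingerprint(weak_keygen(seed)): seed for seed in SEED_SPACE}


def audit(key: bytes, blocklist: Dict[str, int]) -> Optional[int]:
    """Return the seed that reproduces `key`, or None if it is not in the weak set."""
    return blocklist.get(fingerprint(key))


if __name__ == "__main__":
    blocklist = build_blocklist()
    # Constructed sample keys: one from the weak generator, one from the OS.
    samples = {"legacy-host": weak_keygen(4242), "new-host": strong_keygen()}
    print(f"weak generator can emit only {len(blocklist)} distinct keys")
    for name, key in samples.items():
        seed = audit(key, blocklist)
        verdict = f"WEAK (seed {seed}), rotate" if seed is not None else "not in weak set"
        print(f"{name}: {verdict}")
```

The key is nominally 128 bits, but the generator's entire output fits in a small lookup table, so the strength of the algorithm that uses the key no longer matters.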