Post AafRO86FdUYsaE4Y2y by muvlon@hachyderm.io
Post #AafRO7KOVQHSBngKS8 by lcamtuf@infosec.exchange
2023-10-11T17:00:17Z
0 likes, 0 repeats
I don't like the saying that it's impossible to consistently write secure C/C++ code. I mean, yes - but it's impossible to do that in *any* popular language today.

The use of C/C++ is notable for leading to memory safety bugs. Not out of necessity, but out of *possibility*: the access to low-level primitives, coupled with deficient libraries, will have you doing freestyle pointer arithmetic and stashing away pointers inside data structures "for later" in no time. You *could* stay away from that, but you won't.

The solution is to take most of this functionality away. You could do it in C/C++, but there's not enough standards buy-in and not enough third-party infrastructure to pull it off with ease. Might as well start over from scratch.

OTOH, it's too easy to get hung up on memory safety specifically. Relatively few breaches happen due to memory safety bugs, in part thanks to the inexpensive mitigations we came up with throughout the years. Deserialization issues in popular memory-safe languages - Java, Python, JavaScript, etc - likely cause more harm. A browser written in Java would have fewer CVEs, but more trivially-exploitable ones.

For a long time, it felt like this is how it must be. You could design a "security first" programming language, but it'd be destined to fail: you'd be inconveniencing developers while offering little in return. But now, Rust appears to defy this wisdom, with quite a lot of adoption in the hobby community despite the weirdness and complexity it introduces here and there.

Even if the momentum fizzles out for Rust, it's going to be an interesting blueprint for future attempts.
Post #AafRO86FdUYsaE4Y2y by muvlon@hachyderm.io
2023-10-11T17:11:27Z
0 likes, 0 repeats
@lcamtuf Here's my take as to why this is working now:

Rust comes with a ton of extra complexity compared to C, which does increase friction. However, by taking advantage of modern advances in tooling, it greatly reduces friction in other areas, allowing the overall experience to still be *tolerable* for most people.

Consider all the mucking about with headers, build systems and distro package managers in C vs. just having Cargo and a module system in Rust.
Post #AafRO8soivPT0qnKkK by lcamtuf@infosec.exchange
2023-10-11T17:20:00Z
1 likes, 0 repeats
@muvlon Having dealt with the security woes of JavaScript & Python package management in enterprise settings, I have mixed feelings about such stuff, but that's another story...