Date: Thu, 12 Sep 2024 08:52:17 +0100
From: David Chisnall <theraven@freebsd.org>
To: Alan Somers <asomers@freebsd.org>
Cc: Chris <bsd-lists@bsdforge.com>, Warner Losh <imp@bsdimp.com>, FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject: Re: The Case for Rust (in any system)
Message-ID: <A9A99648-EA30-4C63-A88B-3E9CC7CCFF35@freebsd.org>
In-Reply-To: <CAOtMX2g_om8mW-xB855LNOHa8C0T5X0WtgMPc0TTr6TwiMEicw@mail.gmail.com>
References: <CAOtMX2g_om8mW-xB855LNOHa8C0T5X0WtgMPc0TTr6TwiMEicw@mail.gmail.com>
On 12 Sep 2024, at 00:14, Alan Somers <asomers@freebsd.org> wrote:
>
> "Memory safety == restrictive training wheels" is just a common
> misconception.

It's worth thinking about why programming languages exist. Any modern language is Turing complete. In terms of what can be expressed, there is no difference between Rust, C, and C++. The important thing is that there is an infinite set of possible programs and a finite set of desirable programs. The goal of a programming language is to make it easier to express programs in the set of desirable programs than ones that are not in that set. Sometimes this is skewed away from specific sets.

The reason that we care so much about memory-safety bugs is that they allow an attacker to step completely outside of the abstract machine of the program. Unless you embed an interpreter/compiler in your program, memory-safety bugs are about the only way that an attacker can get arbitrary code execution in your program. The kind of bug where an attacker provides a specially crafted file / blob of network data and then runs code on your machine is typically the worst thing that can happen.

Rust, in particular, skews towards making programs with memory-safety bugs much harder to represent. You can still do it, by using unsafe or relying on unsoundness in the type system as cve-rs does, but you have to try hard.

I consider that a desirable property in a language. I don't have to think about whether I've made these bugs impossible (and, remember, WannaCry cost billions of dollars and depended on a single memory-safety bug), I get that for free and I can focus on other things.

David
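As an added illustration of the point about crafted input above, here is a small safe-Rust parser for a length-prefixed record read from an untrusted blob. This is example code written for this page, not code from the thread or from any FreeBSD project; the record format (2-byte big-endian length plus payload), the `ParseError` type and the function names are assumptions. The interesting property is that a length field that lies about the payload size cannot cause a read past the end of the buffer: the slice bounds check turns it into an `Err`, and the only way to bypass that check is to write `unsafe` explicitly.

```rust
// Added example (not from the mailing-list thread): a safe-Rust parser for a
// length-prefixed record in an untrusted byte blob. Format and names are assumed.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated, // blob too short to hold the 2-byte length header
    BadLength, // header claims more payload bytes than the blob contains
}

/// Parse one record: 2-byte big-endian length followed by `len` payload bytes.
/// Returns a borrowed sub-slice, so no copying and no allocation.
pub fn parse_record(blob: &[u8]) -> Result<&[u8], ParseError> {
    let hdr = blob.get(0..2).ok_or(ParseError::Truncated)?;
    let len = u16::from_be_bytes([hdr[0], hdr[1]]) as usize;
    // `get` returns None instead of reading past the end of the buffer.
    // Indexing with `blob[2..2 + len]` would panic rather than over-read;
    // only `unsafe { blob.get_unchecked(2..2 + len) }` could actually read
    // out of bounds, and that requires an explicit `unsafe` block.
    blob.get(2..2 + len).ok_or(ParseError::BadLength)
}

/// Example consumer: sum the payload bytes of a parsed record.
pub fn sum_payload(blob: &[u8]) -> Result<u32, ParseError> {
    Ok(parse_record(blob)?.iter().map(|&b| b as u32).sum())
}

fn main() {
    // Constructed inputs: a well-formed record and one whose length field lies.
    let good = [0x00, 0x03, 0x01, 0x02, 0x03];
    let crafted = [0xff, 0xff, 0x01];
    println!("{:?}", sum_payload(&good)); // Ok(6)
    println!("{:?}", sum_payload(&crafted)); // Err(BadLength)
}
```

The same logic written with a C-style `memcpy(dst, blob + 2, len)` would read 65535 bytes from a 3-byte buffer on the crafted input; here the failure mode is a value the caller must handle, which is what the message means by the language skewing the set of representable programs towards the desirable ones.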
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?A9A99648-EA30-4C63-A88B-3E9CC7CCFF35>