Date: Tue, 23 Jan 2024 09:30:04 +0000
From: David Chisnall <theraven@FreeBSD.org>
To: "Robert R. Russell" <robert@rrbrussell.com>
Cc: freebsd-hackers@freebsd.org
Subject: Re: The Case for Rust (in the base system)
Message-ID: <FE03DCC4-7F80-4258-B371-EA3FCD14AF9B@FreeBSD.org>
In-Reply-To: <20240122165452.13733a66@venus.private.rrbrussell.com>
References: <CAOtMX2hAUiWdGPtpaCJLPZB%2Bj2yzNw5DSjUmkwTi%2B%2BmyemehCA@mail.gmail.com> <1673801705774097@mail.yandex.ru> <CANCZdfpqWgvV_RCvVO_pvTrmajQFspW%2BQ9TM_Ok3JrXZAfeAfA@mail.gmail.com> <ef4ad207-5899-42b6-8728-bc46f1417e9e@antonovs.family> <202401210751.40L7pWEF011188@critter.freebsd.dk> <40bc1694-ee00-431b-866e-396e9d5c07a2@m5p.com> <CAOtMX2hppfdu5ypDdGpfw_QDcd1rwJEeyVfSk9ogFEm7CiV6Kw@mail.gmail.com> <C5FC83ED-25BC-44AF-BD20-E0E5F5BC64FE@FreeBSD.org> <20240122165452.13733a66@venus.private.rrbrussell.com>
On 22 Jan 2024, at 22:54, Robert R. Russell <robert@rrbrussell.com> wrote:

> If you had to estimate what is the cost of enforcing better C++ code?

For CHERIoT RTOS, we use clang-tidy to run the static analyser. It’s the longest CI job, by quite a large margin, but it’s a small enough project that we haven’t felt the need to trim what it runs on, so we run it on *every* file on every commit to a PR.

It’s also something that you need to do from the start. If you run the clang analyser or Coverity on FreeBSD, you get a vast number of false positives and so having a ‘no warnings’ policy is impossible to enforce. I would recommend doing it on a per-compilation-unit basis:

- New files must have no new warnings.
- Old files get opted in once they’re clean and must then have no new warnings.
- Anything that explicitly silences a false positive needs sign-off from two committers in code review.

At the very least, the last point will likely get the comment ratio up a bit, since the code will need to actually be readable by other people to make it into the tree.

Even then, there’s likely to be a bit of churn when you update to newer versions of the analysers.

Making this work really just needs build system infrastructure to generate a compile_commands.json (something that any build system that isn’t Make can do. I know MaskRay has written some scripts to try to generate one from bmake but I couldn’t get them to work) and some work from the CI team. They’re currently understaffed and under-resourced.

> I am not familiar with Lua and most of my experience with Lua like
> languages have included dynamic code injection as an attack vector. Is
> it feasible to protect Lua from that problem in the use case you
> propose?

Yes. Don’t call `eval` on untrusted input.

David
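The per-compilation-unit policy described in the message above, turned into a CI gate as an added example. This is not CHERIoT RTOS's or FreeBSD's CI code; the clang-tidy output lines, file paths and reviewer names are constructed for the example. It assumes clang-tidy has already been run against a compile_commands.json and its diagnostics are available as text, that the set of legacy (pre-policy) files and the subset that has been cleaned and opted in are listed explicitly, that every file not in the legacy list is a new file, and that an explicit suppression is a clang-tidy `NOLINT` or `NOLINTNEXTLINE` comment in a source file touched by the PR.

```python
"""CI gate for a per-compilation-unit 'no new warnings' policy.

Rules enforced (mirroring the three points in the message):
  1. files not in the legacy list are new and must produce no warnings;
  2. legacy files that have been opted in must produce no warnings;
  3. a NOLINT / NOLINTNEXTLINE suppression in a changed file needs
     sign-off from at least two reviewers.
Sample clang-tidy output, paths and reviewers below are constructed.
"""
import re
from dataclasses import dataclass, field

# One clang-tidy diagnostic line: path:line:col: warning: message [check-name]
DIAG_RE = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+):(?P<col>\d+): "
    r"(?P<level>warning|error): (?P<msg>.*?) \[(?P<check>[\w.,-]+)\]$"
)
# clang-tidy's explicit suppression comments (optionally scoped to checks).
NOLINT_RE = re.compile(r"//\s*NOLINT(NEXTLINE)?(\([^)]*\))?")


@dataclass
class PolicyResult:
    warning_violations: list = field(default_factory=list)
    suppression_violations: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.warning_violations and not self.suppression_violations


def parse_diagnostics(tidy_output: str) -> list:
    """Return the diagnostic lines of clang-tidy output as dicts.

    Source-snippet and caret lines, and the trailing 'N warnings generated.'
    summary, do not match DIAG_RE and are skipped.
    """
    return [m.groupdict() for m in map(DIAG_RE.match, tidy_output.splitlines()) if m]


def check_policy(tidy_output: str, legacy_files: set, opted_in: set,
                 changed_sources: dict, approvals: set,
                 required_signoffs: int = 2) -> PolicyResult:
    """Apply the three rules; changed_sources maps path -> file contents."""
    result = PolicyResult()
    enforced_legacy = legacy_files & opted_in
    for d in parse_diagnostics(tidy_output):
        path = d["file"]
        is_new_file = path not in legacy_files
        if is_new_file or path in enforced_legacy:
            result.warning_violations.append(
                f"{path}:{d['line']}: {d['check']}: {d['msg']}")
        # Legacy files that are not yet opted in are reported nowhere:
        # they are cleaned up and opted in separately.
    for path, source in changed_sources.items():
        for lineno, line in enumerate(source.splitlines(), start=1):
            if NOLINT_RE.search(line) and len(approvals) < required_signoffs:
                result.suppression_violations.append(
                    f"{path}:{lineno}: explicit suppression needs "
                    f"{required_signoffs} sign-offs, has {len(approvals)}")
    return result


# Constructed sample: one legacy file not yet opted in, one opted in, one new file.
SAMPLE_TIDY_OUTPUT = """\
lib/libc/gen/old_thing.c:42:5: warning: Value stored to 'n' is never read [clang-analyzer-deadcode.DeadStores]
    n = 0;
    ^
lib/libc/gen/cleaned.c:17:9: warning: variable 'buf' is not initialized [cppcoreguidelines-init-variables]
usr.bin/newtool/newtool.c:8:3: warning: narrowing conversion from 'long' to 'int' [bugprone-narrowing-conversions]
3 warnings generated.
"""
LEGACY_FILES = {"lib/libc/gen/old_thing.c", "lib/libc/gen/cleaned.c"}
OPTED_IN = {"lib/libc/gen/cleaned.c"}
CHANGED_SOURCES = {
    "usr.bin/newtool/newtool.c":
        "int x = (int)y; // NOLINT(bugprone-narrowing-conversions)\n",
}

if __name__ == "__main__":
    verdict = check_policy(SAMPLE_TIDY_OUTPUT, LEGACY_FILES, OPTED_IN,
                           CHANGED_SOURCES, approvals={"reviewer-a"})
    for v in verdict.warning_violations + verdict.suppression_violations:
        print("FAIL:", v)
    raise SystemExit(0 if verdict.ok else 1)
```

Run with a single approval, the sample fails twice on warnings (the opted-in legacy file and the new file; the un-opted legacy file is ignored) and once on the unsigned `NOLINT`; with two approvals only the warning failures remain. The exact-path matching against the legacy and opted-in sets assumes clang-tidy is invoked so that it reports paths in the same form as the lists.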