Florian Gilcher @skade giving a thought provoking talk on "Correctness at large, correctness in motion" at Rust In Paris.
I have lost count of the number of people at Embedded World who have asked me 'what is memory safety?'
If anyone is wondering how embedded security is going...
is #Fortran memory safe?
I don't think I have ever heard of a CVE in Fortran code.
While #Cplusplus is one of the most popular #programming languages out there, it is shunned by #cybersecurity companies and tech experts because of "serious attacks", and its developer has called for help. https://mindsconnected.tech/index.php?showtopic=1030&view=getnewpost #security #memorysafety #software #coding #vulnerability #tech
#RemiPommarel found and fixed a bug/regression in a recent change someone had added to @batadv in the #Linux #kernel. One take home message from Remi:
"On a side note, I am all about #hardening and #MemorySafety stuff but if that means impacting readability and spending more time trying to please the tool than thinking about the #correctness of the code change, that's where we end up converting a perfectly fine #code into a logically flawed one."
(hash tags added by me)
Google just took a big step forward in C++ safety. By retrofitting spatial memory safety onto their C++ code, they've improved security across services like Gmail & YouTube with minimal performance impact. David Cassel dives in more in his article.
https://thenewstack.io/google-retrofits-spatial-memory-safety-onto-c/
Rust Your Engines #5
January 14, 2025, 6:00:00 PM CET - GMT+1 - Fakultät für Wirtschaftsinformatik und Wirtschaftsmathematik, 68159, Mannheim, Deutschland
https://rheinneckar.events/events/053a956d-88f3-4b85-85b6-f1c56c989cb9
Google is redefining memory safety for C++. Their recent move to add spatial memory safety checks in production services like Gmail and YouTube led to a massive drop in bugs and crashes. Read David Cassel's full article now.
https://thenewstack.io/google-retrofits-spatial-memory-safety-onto-c/
the memory safety fixes link to their Bugzilla which just comes up blank.
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1880582%2C1929911
what the hell does that mean? are they private reports?
Had a bunch of thoughts about the recent safety stuff, way more than fit in a social media post... Blog post story time! (It's a bit of a ramble, sorry about that...)
https://chandlerc.blog/posts/2024/11/story-time-bounds-checking/
Dive into today’s #eurorust24 talk with @amanda as she unpacks Rust’s Polonius project. She breaks down how it improves the borrow checker and lifetimes, allowing you to write more correct code in safe Rust, making Rust even better for your projects. Essential watching for anyone curious about Rust's borrow checker evolution.
Watch here
https://youtu.be/uCN_LRcswts
The temperature is rising on using programming languages that are not memory safe #memorysafety #memorysafe https://thenewstack.io/feds-critical-software-must-drop-c-c-by-2026-or-face-risk/
Using memory unsafe languages for new projects "is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety." — U.S. Cybersecurity and Infrastructure Security Agency
https://www.cisa.gov/resources-tools/resources/product-security-bad-practices
Rustls Outperforms OpenSSL and BoringSSL
Rustls is a memory safe TLS implementation with a focus on performance. It is production ready and used in a wide range of applications.
https://www.memorysafety.org/blog/rustls-performance-outperforms/
@dmnk and I wrote about how to incrementally adopt rust in existing firmware/bare-metal code bases.
https://security.googleblog.com/2024/09/deploying-rust-in-existing-firmware.html
C++ Must Become Safer — Andrew Lilley Brinker — Software Supply Chain Security
「 If a cheap-to-maintain legacy system is faced with the proposition of an expensive rewrite, it may instead be eliminated. The externalities of this kind of change are difficult to consider in advance and in general 」
https://www.alilleybrinker.com/blog/cpp-must-become-safer/
It's quite ridiculous that standard C still does not have vasprintf() / asprintf() after Linux and all the BSDs (and macOS) have had this since basically forever (but not Windows of course), and wrong use of the non-allocating versions is a quite common cause of security bugs.
Does someone know what happened with TR 24731-2, which would add them? It looks like there has been no progress at all since 2009 while theoretically the addition of these two functions seems like a no-brainer.
Is the conclusion simply that nobody actually needs it anymore because everybody already has their own implementation of it anyway, doesn't target Windows or niche platforms, or uses a safer language?
This is a long read, don't click the link before you have your coffee/tea/mountain dew code red/beverage of choice ready!
In this blogpost, I try to explain why we at @sovtechfund are investing in #MemorySafety and reflect a bit on the awe inspiring work of critical infrastructure maintainer partners, as well as where we are at the moment and the long way ahead.
https://www.sovereigntechfund.de/news/on-rust-memory-safety-open-source-infrastructure/
Addressing #memorysafety in critical infrastructure is a complex issue with multiple approaches. The Sovereign Tech Fund supports several initiatives, and technologist @tarakiyee reflects on the long road ahead in a blog post “On Rust, Memory Safety, and Open Source Infrastructure”
https://www.sovereigntechfund.de/news/on-rust-memory-safety-open-source-infrastructure/