Florian Gilcher @skade giving a thought provoking talk on "Correctness at large, correctness in motion" at Rust In Paris.
Frühere Suchanfragen
Suchoptionen
#memorysafety
2 Beiträge2 Beteiligte0 Beiträge heute
I have lost count of the number of people at Embedded World who have asked me ’what is memory safety?'
If anyone is wondering how embedded security is going...
is #Fortran memory safe?
I don't think I have ever heard of a CVE in Fortran code.
While #Cplusplus is one of the most popular #programming languages out there, it is shunned by #cybersecurity companies and tech experts because of "serious attacks", and its developer has called for help. https://mindsconnected.tech/index.php?showtopic=1030&view=getnewpost #security #memorysafety #software #coding #vulnerability #tech
mindsconnected.techmindsConnected -> C++ creator calls for help to address "serious attacks"The next-generation tech forum, from Windows to Linux, to electronics of all kinds
#RemiPommarel found and fixed a bug/regression in a recent change someone had added to @batadv in the #Linux #kernel. One take home message from Remi:
"On a side note, I am all about #hardening and #MemorySafety stuff but if that means impacting readability and spending more time trying to please the tool than thinking about the #correctness of the code change, that's where we end up converting a perfectly fine #code into a logically flawed one."
(hash tags added by me)
patchwork.open-mesh.orgbatman-adv: Fix incorrect offset in batadv_tt_tvlv_ogm_handler_v1() - Patchwork
Google just took a big step forward in C++ safety. By retrofitting spatial memory safety onto their C++ code, they've improved security across services like Gmail & YouTube with minimal performance impact. David Cassel dives in more in his article.
https://thenewstack.io/google-retrofits-spatial-memory-safety-onto-c/
The New Stack · Google 'Retrofits' Spatial Memory Safety Onto C++Google researchers showed they were able to "retrofit" spatial safety onto their C++ codebases, and to do it with a surprisingly low impact on performance.
Rust Your Engines #5
January 14, 2025, 6:00:00 PM CET - GMT+1 - Fakultät für Wirtschaftsinformatik und Wirtschaftsmathematik, 68159, Mannheim, Deutschlandhttps://rheinneckar.events/events/053a956d-88f3-4b85-85b6-f1c56c989cb9
rheinneckar.eventsRust Your Engines #5Jan 14, 2025, 6:00:00 PM - GMT+1 - Fakultät für Wirtschaftsinformatik und Wirtschaftsmathematik, 68159, Mannheim, Deutschland - Rust Your Engines is a meetup for people in the Rhine-Neckar region that are interested in the Rust programming language. The meetup begins with talks related to Rust, and ends with casual networking a…
Google is redefining memory safety for C++. Their recent move to add spatial memory safety checks in production services like Gmail and YouTube led to a massive drop in bugs and crashes. Read David Cassel's full article now.
https://thenewstack.io/google-retrofits-spatial-memory-safety-onto-c/
The New Stack · Google 'Retrofits' Spatial Memory Safety Onto C++Google researchers showed they were able to "retrofit" spatial safety onto their C++ codebases, and to do it with a surprisingly low impact on performance.
Fortgeführter Thread
the memory safety fixes link to their Bugzilla which just comes up blank. 
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1880582%2C1929911
what the hell does that mean? are they private reports?
bugzilla.mozilla.orgBug List
Had a bunch of thoughts about the recent safety stuff, way more than fit in social media post... Blog post story time! (It's a bit of a ramble, sorry about that...)
https://chandlerc.blog/posts/2024/11/story-time-bounds-checking/
chandlerc.blog · Story-time: C++, bounds checking, performance, and compilersRecently, several of my colleagues at Google shared the story of how we are
retrofitting spatial safety onto our monolithic C++ codebase:
https://security.googleblog.com/2024/11/retrofitting-spatial-safety-to-hundreds.html
I wanted to have a bit of story-time about some of the strange ways that all
this came to be, at least as I remember things. There are some really
interesting developments that led us here, and some important lessons to learn
from that history.
Do note that this is just my retrospective memory. It’s entirely possible I’m
misremembering some of it (let me know if so!). It’s also limited to my
perspective, and others may have seen very different aspects of things (please
share!).
Dive into today’s #eurorust24 talk with @amanda as she unpacks Rust’s Polonius project 
She breaks down how it improves the borrow checker and lifetimes, allowing you to write more correct code in safe Rust, making Rust even better for your projects. Essential watching for anyone curious about Rust's borrow checker evolution.
Watch here 
https://youtu.be/uCN_LRcswts
The temperature is rising on using programming languages that are not memory safe #memorysafety #memorysafe https://thenewstack.io/feds-critical-software-must-drop-c-c-by-2026-or-face-risk/
The New Stack · Feds: Critical Software Must Drop C/C++ by 2026 or Face RiskThis is the government's strongest stance yet on software security, which puts manufacturers on notice: fix dangerous coding practices or risk being labeled as negligent.
Using memory unsafe languages for new projects "is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety." — U.S. Cybersecurity and Infrastructure Security Agency
https://www.cisa.gov/resources-tools/resources/product-security-bad-practices
Cybersecurity and Infrastructure Security Agency CISAProduct Security Bad Practices | CISAThis voluntary guidance provides an overview of product security bad practices that are deemed exceptionally risky, particularly for software manufacturers who produce software used in service of critical infrastructure or national critical functions (NCFs).
Rustls Outperforms OpenSSL and BoringSSL
Rustls is a memory safe TLS implementation with a focus on performance. It is production ready and used in a wide range of applications.
https://www.memorysafety.org/blog/rustls-performance-outperforms/
www.memorysafety.org · Rustls Outperforms OpenSSL and BoringSSLISRG has been investing heavily in the Rustls TLS library over the past few years. Our goal is to create a library that is both memory safe and a leader in performance.
Back in January of this year we published a post about the start of our performance journey. We've come a long way since then and we're excited to share an update on Rustls performance today.
What is Rustls? Rustls is a memory safe TLS implementation with a focus on performance.
Antwortete im Thread
@dmnk and I wrote about how to incrementally adopt rust in existing firmware/bare-metal code bases.
https://security.googleblog.com/2024/09/deploying-rust-in-existing-firmware.html
Google Online Security BlogDeploying Rust in Existing Firmware CodebasesPosted by Ivan Lozano and Dominik Maier, Android Team Android's use of safe-by-design principles drives our adoption of memory-safe languag...
C++ Must Become Safer — Andrew Lilley Brinker — Software Supply Chain Security
「 If a cheap-to-maintain legacy system is faced with the proposition of an expensive rewrite, it may instead be eliminated. The externalities of this kind of change are difficult to consider in advance and in general 」
https://www.alilleybrinker.com/blog/cpp-must-become-safer/
www.alilleybrinker.comOpen Source Software and Corporate Influence — Andrew Lilley BrinkerOpen source software projects are frequently enmeshed with the interests of
corporations. We should update mental models of who works on open source
accordingly, and build or modify power structures to be more resilient to
corporate capture.
It's quite ridiculous that standard C still does not have vasprintf() / asprintf() after Linux and all the BSDs (and macOS) have this since basically forever (but not Windows of course), and wrong use of the non-allocating versions is a quite common cause of security bugs.
Does someone know what happened with TR 24731-2, which would add them? It looks like there has been no progress at all since 2009 while theoretically the addition of these two functions seems like a no-brainer.
Is the conclusion simply that nobody actually needs it anymore because everybody already has their own implementation of it anyway, doesn't target Windows or niche platforms, or uses a safer language?
This is a long read, don't click the link before you have your coffee/tea/mountain dew code red/beverage of choice ready!
In this blogpost, I try to explain why we at @sovtechfund are investing in #MemorySafety and reflect a bit on the awe inspiring work of critical infrastructure maintainer partners, as well as where we are at the moment and the long way ahead.
https://www.sovereigntechfund.de/news/on-rust-memory-safety-open-source-infrastructure/
Sovereign Tech FundOn Rust, Memory Safety, and Open Source Infrastructure | Sovereign…
Addressing #memorysafety in critical infrastructure is a complex issue with multiple approaches. The Sovereign Tech Fund supports several initiatives, and technologist @tarakiyee reflects on the long road ahead in a blog post “On Rust, Memory Safety, and Open Source Infrastructure”
https://www.sovereigntechfund.de/news/on-rust-memory-safety-open-source-infrastructure/
Sovereign Tech FundOn Rust, Memory Safety, and Open Source Infrastructure | Sovereign…