"Unsafe is the stupidest language feature (on a technical level)", Nadri says. It's just an arbitrary constraint to call code with the unsafe keyword, with only the unsafe keyword. Therefore, it's mostly a social that "works super well".
I have lost count of the number of people at Embedded World who have asked me 'what is memory safety?'
If anyone is wondering how embedded security is going...
My #computing is far too important for me to be pacified by mere #MemorySafety. I demand actual #correctness.
Had a bunch of thoughts about the recent safety stuff, way more than fit in a social media post... Blog post story time! (It's a bit of a ramble, sorry about that...)
https://chandlerc.blog/posts/2024/11/story-time-bounds-checking/
[2/2] It is essentially two documents, a discussion of memory safety technologies and then specific CISA recommendations. Also included is a new chart providing the granular root-cause-analysis (RCA) for memory safety issues reported to Microsoft and a great appendix for those wanting more.
I would like to thank everyone who put work in on this. Of the many people who briefed us please reveal yourselves if you wish to be identified.
The TAC: Jeff Moss @thedarktangent Subcommittee Chair, DEF CON Communications. Dino Dai Zovi, CashApp. Luiz Eduardo @effffn, Aruba Threat Labs. Royal Hansen, Google. Isiah Jones, Applied Integrated Technologies. Kurt Opsahl @Kurt, Electronic Frontier Foundation. Stephen Schmidt, Amazon. Yan Shoshitaishvili, Arizona State University. Kevin Tierney, General Motors. Rachel Tobac @racheltobac, SocialProof Security. David Weston @dwizzzle, Microsoft.
From CISA: Eric Goldstein and Bob Lord @boblord
[1/2] Almost six months ago the Director of the Cybersecurity and Infrastructure Security Agency, Jen Easterly, directed the Technical Advisory Council (TAC) of the Cybersecurity Advisory Council (CSAC) to answer six questions around Memory Safety to help the department understand the challenges and opportunities of Memory Safe Systems Languages such as Rust, Go, and Swift.
TL;DR: Memory Safe Systems Languages are becoming mature, hyper-scale companies are doing incremental rewrites, there are additional protections that should be used in non-memory safe languages such as C++, and you should start to develop your roadmap. Please read the report.
Since the TAC started working, Memory Safety has become a hot topic, with the NSA joining CISA to release "The Case for Memory Safe Roadmaps".
Last week the TAC submitted our final report at the quarterly public meeting and I'm pleased to link it here:
https://www.cisa.gov/sites/default/files/2023-12/CSAC_TAC_Recommendations-Memory-Safety_Final_20231205_508.pdf
I checked her out, it was a Friday night
I used dark mode to get the feelin’ right
We started coding C, and shared some memory
But then I tried concurrent reads
And that’s about the time she threw a fault at me
Nobody likes you when your memory’s free
and are still pointing to that address space
What the hell is SIGSEGV?
My friends say I should memory safe
What’s my page again?
What’s my page again?
Came across a gemini link, looked for a Linux client out of curiosity.
Three graphical clients are listed for Linux: one written in Rust, one in C++ and one in C.
Which one does my Linux distribution offer? Only the one written in C of course.
new post: the SUX Rule for safer code https://kellyshortridge.com/blog/posts/the-sux-rule-for-safer-code/
it’s short for Sandbox-free - Unsafe - eXogenous. If your code does all three of:
- running without a sandbox
- written in an unsafe language
- processing exogenous inputs
it’s certain your code SUX.
it’s basically me tweaking Chromium’s excellent Rule of Two because it conflicts with Star Wars lore (among other reasons I describe)
Aleph One's article "Smashing The Stack For Fun And Profit" appeared in Phrack on 1996-11-08. The 30th anniversary of that paper will be in 1142 days.
What can we do between now and then to show him that we're finally taking the matter seriously? #memorySafety #secureByDesign
Two core Unix-like utilities, sudo and su, are getting rewrites in Rust - Invoking another user's privileges to execute a command. (credit: Cavan Ima... - https://arstechnica.com/?p=1935564 #rustprogramminglanguage #memorysafety #commandline #programming #biz #linux #tech #rust #sudo #unix #su