Memory Safety with Yael Grauer
Yael Grauer joined Bryan, Adam, Steve Klabnik, and the Oxide Friends to talk about her recent Consumer Reports article on memory safety and memory safe languages. How do we inform the general public? How do we persuade practitioners and companies? Thanks for joining us, Yael!
In addition to Bryan Cantrill and Adam Leventhal, we were joined by special guest Yael Grauer, and Steve Klabnik.
In addition to Bryan Cantrill and Adam Leventhal, we were joined by special guest Yael Grauer, and Steve Klabnik.
Some of the topics we hit on, in the order that we hit them (experiment in turning the show live-chat into notes):
- Nahum: https://www.backblaze.com/blog/the-3-2-1-backup-strategy/ if anyone wants to read up on the 3-2-1 Backup strategy. 👅
- Cyborus: can we get a link to the talk?
- Nahum: https://www.youtube.com/watch?v=Q9s2NxILBK8
- Nahum: https://digital-lab-wp.consumerreports.org/wp-content/uploads/2023/01/Memory-Safety-Convening-Report-.pdf via https://digital-lab-wp.consumerreports.org/2023/01/23/new-report-future-of-memory-safety/
- Nahum: https://en.wikipedia.org/wiki/Pegasus_(spyware)
- Cyborus: "can we talk" => "hey. you. have a panic attack. anyways i got a cool sandwich"
- AaronW: "of course we should have seatbelts" 😄
- MattCampbell: but then you've got the C die-hards who say that Rust itself is too complex
- AaronW: https://twitter.com/markrussinovich/status/1571995117233504257?s=46
- DanCrossNYC: People used to say the same thing about PL/I and recently the COBOL people have been saying the same thing. Nothing new under the sun.
- statuscalamitous: https://blog.yossarian.net/2023/02/11/The-unsafe-language-doom-principle
- DanCrossNYC: People who still want to treat C as a high-level assembler are saying the same stuff the PL/I people were saying when I was young.
- Eric Likness - carpetbomberz.com: In support of Yael, Ralph Nader wasn't/isn't an automotive engineer and he could still argue for lowering safety risks to car buyers. It's advocacy.
- cdaringe: As an ocaml user, i was hoping revery would take off https://github.com/revery-ui/revery
- statuscalamitous: https://press.princeton.edu/books/hardcover/9780691174952/the-tyranny-of-metrics
- Saethlin: Wake up babe, new 0xide reading assignment dropped
- AaronW: Labelled like a can of pringles -- "20% more malloc() free()!"
- Nahum: Relevant to rules based accounting: https://www.schneier.com/blog/archives/2023/02/hacking-the-tax-code.html
- drew: Rigorous definitions of “unsafe code” just wont cut it ig
- ig: 40% less direct pointer arithmetic than the leading brand of operating systems
- a172: How does principle based accounting even work? Like, how do you define if something violates the principle or not, without just turning it back into rules based?
- Eden: Checkboxes are meaningful for operational checklists. Aviation and medicine use them pretty heavily. Not so meaningful for systemic work like developing a new aircraft or a new surgery.
- Eden: So I guess a rules-based approach works for lines of code, but breaks down for project-level decisions such as which language to use.
- Saethlin: The S in IoT is for security
- benstoltz: ifixit repairability score for HW should have an analog for SW/FW.
- DanCrossNYC: That's precisely what the pl/i folks acted like 25 years ago.
- sam801: c++ will live on thru carbon, cppfront, and val.
- DanCrossNYC: Prediction: carbon is doa.
- Saethlin: I'll believe it once anyone uses those
- ig: I think the other part is there's some really important pieces of software that everyone uses daily which use memory unsafe languages. Our web browsers, and our operating systems.
- AaronW: I live in a condo and I still unplug expensive electronics during a thunderstorm. Maybe it's because I had many electronics fried when I was young, and my first language was C++.
- Eric Likness - carpetbomberz.com: Same with answering a landline during a thunderstorm.
- DanCrossNYC: Had to stop training during thunderstorms in the Marines.
- Eden: My day job is security. 😉 I rail against compliance checklists on a regular basis because a lot of auditors insist on the checkbox rather than proper security consideration. For example, PCI-DSS requires password rotation, which everyone has known for decades leads to users picking worse passwords.
- alilleybrinker: https://www.usenix.org/system/files/sec22summer_alexopoulos.pdf
- statuscalamitous: https://security.googleblog.com/2022/12/memory-safe-languages-in-android-13.html
- a172: Google and Mozilla are making pretty good strides in migrating their browser to Rust. Still a ton of work to go, but entire systems have been moved to Rust.
- JamesBrock: "Lindy" https://en.wikipedia.org/wiki/Lindy_effect
- statuscalamitous: https://security.googleblog.com/2021/04/rust-in-android-platform.html
- DanCrossNYC: Another issue with C/C++ in particular is that UB causes latent bugs to surface years later.
- alilleybrinker: In the paper linked above, the average lifetime looks to have been about 3.5 years.
- Saethlin: I learned Rust faster than C++
- alilleybrinker: Related, you might be interested in EPSS: https://www.first.org/epss/
- DanCrossNYC: Rust requires a bit of humility. For veteran C programmers, that can be a gut punch.
- srockets: “Compiler says no” is something that Haskell was proud of, but Rust is the first language I’ve seen that managed to get popular despite of it
- alilleybrinker: Humility also requires a lot of Rust https://github.com/oxidecomputer/humility
- Eden: I do like the checklist item that every change must be accompanied by a ticket number. Then the company goes and changes the ticket system, and we lose all our history of why things are in place until it slowly builds up again.
- Eden: Seriously, checklists are great for operational tasks. Always include a ticket number. Always back up the config in this way ahead of time. Always notify these teams in this way when you're starting a change.
- AaronW: I have often wondered about learning multiple languages in parallel.
- JamesBrock: The easiest language to teach and learn will be Roc lang, too bad it's not ready yet.
- AaronW: A Python and Rust/Go, etc.
- srockets: As a first programming course?
- alilleybrinker: I've taught Rust to undergrads in a university Programming Languages course, which was it's own unique thing because it's about learning underlying concepts, not Rust per se.
- drew: We are getting dangerously close to the “teaches class in rust and then realizes it was a bad idea” prediction..!.
- ig: Under the "Government and Advocacy" part of the recommendations - there's probably an angle where FedRAMP Authorization could be used to drive increased usage of memory safe languages.
- srockets: As a first programming course I don’t think it’s going to work. As 2nd course, that would be great dedactically I think
- ahl: why not the SEC?
- statuscalamitous: everything is securities fraud
- alilleybrinker: Unsafe code? Securities fraud
- alilleybrinker: https://www.c-span.org/video/?c4808083/user-clip-rust-language-chosen
- alilleybrinker: Clip of that hearing.
- DanCrossNYC: At what point do we start putting in place Professional Engineer qualifications for software engineers, overseen by IEEE or something
- Eden: There are very few aircraft manufacturers and very few aircraft operators compared to software manufacturers and distributors/operators.
- Cyborus: "our product isn't hackable" is just seen as a challenge
- AaronW: Unbreakable Linux!
- Eden: So when there's an incident with an aircraft, the NTSB has very few people to talk to in the investigation.
- mxshift: "isn't hackable" usually is in the same list as "military-grade encryption"
- statuscalamitous: http://www.paulgraham.com/hijack.html
- Cyborus: oh that's awful
- alilleybrinker: Wow and it's still up
- Sevan: https://www.youtube.com/watch?v=vqgS4UT8Lp4
- ig: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ Section 4 is all about the software supply chain, and in this case it was the Secretary of Commerce and NIST was involved. Don't think it mentions memory safety, though.
- ahl: Klabnik 2024!
- ig: https://en.wikipedia.org/wiki/Iron_Ring
- alilleybrinker: Hey, also fun to note that the OpenSSF has an in-progress workstream (starting this week) to advocate for / advance the use of memory safe languages in open source.
- Saethlin: The Silicon Ring
- Nahum: For me the Therac 25 paper in college was really chilling.
- benstoltz: https://en.wikipedia.org/wiki/Therac-25
- Eden: https://en.wikipedia.org/wiki/Ritual_of_the_Calling_of_an_Engineer
- ahl: Oxide challenge coins!
- Dignissi: Perhaps a ring buffer?
- shandrew: Count me in for a challenge coin!
- DanCrossNYC: Challenge coins are a military thing.
- Nahum: https://en.wikipedia.org/wiki/Challenge_coin
- DanCrossNYC: Oorah!
- AaronW: https://twitter.com/beaker/status/414894015926902785?s=46
- DanCrossNYC: https://terminallance.com/2010/04/06/terminal-lance-27-challenge-coins-not-a-grunt-thing/
- alilleybrinker: It would be fun to go through the CWE (Common Weakness Enumeration) view for "Weaknesses in Software Written in C" and then characterize exactly which ones Rust stops: https://cwe.mitre.org/data/definitions/658.html
- mxshift: Taps "CVEs are a communications and coordination tool, not a quality metric" sign
- Nahum: https://99percentinvisible.org/episode/coin-check/ was a great episode on challenge coins.
- shandrew: Our “moving Flickr out of yahoo” challenge coin https://flic.kr/p/2ogMSFg
- Sevan: https://twitter.com/MiodVallat/status/519065338898837505
- meta: thank you yael!! "- a172: I pulled this up thinking it may be a good basis for a coin design. I don't think that's actually the case, but it is cool and people here might like it: https://www.redbubble.com/i/sticker/Rust-colored-by-ShoeBill99/38427192.EJUG5"
- AaronW: This has been fascinating, thank you <@568519940550688778>, Oxide, and friends.
- alilleybrinker: Great conversation! Thanks yael, and everyone else!
- od0: god bless
- AaronW: "Bless your heart"
- AaronDGoldman: Bless your heart
- Nahum: "Good on you" I've heard in the Australian kids TV show "Bluey"
- od0: bless up, Rust
- Eric Likness - carpetbomberz.com: unikernel is right out
- shandrew: Thanks Yael!
- admchl: This was so interesting, great talk
- AaronDGoldman: Memory safe unikurnal
- yael: Ha! I tried to get grad school friends off GroupMe and onto Signal but no luck
- bcantrill: The podcast on the Quebec Bridge collapse that I alluded to: https://huffduffer.com/adactio/513171
- bcantrill: The Brady Heywood podcast is terrific -- highly recommend all of them
- yael: It's not Rust, but this is the intro Python course I mentioned https://www.edx.org/professional-certificate/introduction-to-python-programming
- yael: Oh and the Digital Standard! https://thedigitalstandard.org/standard/
- yael: Last thing! https://blog.yossarian.net/2023/02/11/The-unsafe-language-doom-principle
If we got something wrong or missed something, please file a PR! Our next show will likely be on Monday at 5p Pacific Time on our Discord server; stay tuned to our Mastodon feeds for details, or subscribe to this calendar. We'd love to have you join us, as we always love to hear from new speakers!
Creators and Guests
