Re: The Case for Rust (in any system)

From: David Chisnall <theraven_at_freebsd.org>
Date: Thu, 12 Sep 2024 07:52:17 UTC
On 12 Sep 2024, at 00:14, Alan Somers <asomers@freebsd.org> wrote:
> 
> "Memory safety == restrictive training wheels" is just a common
> misconception.

It’s worth thinking about why programming languages exist. Any modern language is Turing complete. In terms of what can be expressed, there is no difference between Rust, C, and C++. The important thing is that there is an infinite set of possible programs and a finite set of desirable programs. The goal of a programming language is to make it easier to express programs in the set of desirable programs than ones that are not in that set. Sometimes this is skewed away from specific sets.

The reason that we care so much about memory-safety bugs is that they allow an attacker to step completely outside of the abstract machine of the program. Unless you embed an interpreter/compiler in your program, memory-safety bugs are about the only way that an attacker can get arbitrary code execution in your program. The kind of bug where an attacker provides a specially crafted file / blob of network data and then runs code on your machine is typically the worst thing that can happen.

Rust, in particular, skews towards making programs with memory-safety bugs much harder to represent. You can still do it, by using unsafe or relying on unsoundness in the type system as cve-rs does, but you have to try hard.

I consider that a desirable property in a language. I don’t have to think about whether I’ve made these bugs impossible (and, remember, WannaCry cost billions of dollars and depended on a single memory-safety bug), I get that for free and I can focus on other things.

David
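As an added illustration of the "crafted blob of network data" case discussed in the mail (example code, not from the mail, its author or FreeBSD): a length-prefixed record parser in safe Rust, fed a constructed header that claims more bytes than the buffer holds. The record format, the function names and the sample inputs are assumptions made for the example; the point is that the checked slice operations turn the over-long claim into an error value rather than a read past the end of the buffer.

```rust
// Added example, not from the original mail. Parses a constructed
// length-prefixed record format: 2-byte big-endian length, then payload.
// The length is attacker-controlled; safe Rust refuses to index past the
// buffer, so a crafted length becomes a ParseError, not memory corruption.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    TooShortForHeader,
    LengthExceedsBuffer { claimed: usize, available: usize },
}

/// Parse one record from `buf`, returning (payload, remaining bytes).
pub fn parse_record(buf: &[u8]) -> Result<(&[u8], &[u8]), ParseError> {
    // `get` is bounds-checked: it yields None instead of indexing past the end.
    let hdr = buf.get(..2).ok_or(ParseError::TooShortForHeader)?;
    let len = u16::from_be_bytes([hdr[0], hdr[1]]) as usize;
    let body = &buf[2..];
    // The checked slice makes an over-long claim an error, not an OOB read.
    match body.get(..len) {
        Some(payload) => Ok((payload, &body[len..])),
        None => Err(ParseError::LengthExceedsBuffer {
            claimed: len,
            available: body.len(),
        }),
    }
}

/// Parse every record in the buffer, stopping at the first malformed one.
pub fn parse_all(mut buf: &[u8]) -> Result<Vec<Vec<u8>>, ParseError> {
    let mut out = Vec::new();
    while !buf.is_empty() {
        let (payload, rest) = parse_record(buf)?;
        out.push(payload.to_vec());
        buf = rest;
    }
    Ok(out)
}

fn main() {
    // Constructed inputs: a well-formed stream, and one whose header
    // claims 0xFFFF payload bytes while only two follow it.
    let good = [0, 3, b'a', b'b', b'c', 0, 1, b'z'];
    let crafted = [0xFF, 0xFF, b'a', b'b'];
    println!("{:?}", parse_all(&good));
    println!("{:?}", parse_all(&crafted));
}
```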