
Microsoft Offers $100k If You Can Hack This Linux Operating System - bishalb
https://www.forbes.com/sites/daveywinder/2020/05/06/microsoft-offers-100000-if-you-can-hack-this-linux-operating-system/
======
pjmlp
Quite curious about the outcome, given that Microsoft has decided to only support
C for application development on Azure Sphere.

~~~
Kipters
You mean as opposed to safer languages like Rust or "friendlier" languages
like Python or JavaScript?

~~~
pjmlp
As opposed to C++, Ada, Rust or whatever else that is safer than plain old C.

Although I am aware that outside STL-like data structures, C++'s security
story is just as good as C's.

NVidia is doing something similar for their automation projects, they have
chosen to go with Ada/SPARK.

Now that is a security story I can buy.

~~~
Kipters
Thanks for the clarification :)

As far as I know, all current Sphere hardware is based on an ad-hoc MediaTek
chip[0], which is really underpowered[1]. I think this might be a factor. Or
maybe, I suppose, they're bringing up C first and then building the toolchain for
other languages on top of that?

[0]: https://www.mediatek.com/products/AIoT/mt3620

[1]: https://docs.microsoft.com/it-it/azure-sphere/app-development/mt3620-memory-available

~~~
pjmlp
So far the only times that the discussion has come up, they state that their
target market won't buy something else and there are sanitizers anyway.

Quite strange for a device whose sales pitch is security above anything else.

Yet notice how the "The Seven Properties of Highly Secure Devices" story
doesn't mention anywhere the safety of the programming languages.

Meanwhile on another side of the computer campus we have Microsoft Security
Response Center writing such blog posts
https://msrc-blog.microsoft.com/2019/07/18/we-need-a-safer-systems-programming-language/

If you dig into developer requests, there are several posts regarding this,
for example

https://feedback.azure.com/forums/915433-azure-sphere/suggestions/38747848-support-c

Note that I am not advocating that C# would be a viable option in Sphere's case,
just noting the absence of acknowledgment of C as being the platform's Achilles' heel in the
security story that the team is selling.

At the very least also do hardware memory tagging like Solaris SPARC, iOS and
Android (as of 11) are doing.

