
Redox OS Crash Challenge - dragostis
https://github.com/redox-os/redox/issues/1136
======
halayli
Rust being advertised as a safe language (which is true) got so much into
users' heads that they think if they write it in Rust it's safe and crash-free
by default. There are plenty of security/safety bugs that aren't about
dereferencing a null or accessing an invalid pointer.

No cynicism intended, just an observation from what I see around.

~~~
surajrmal
> Rust being advertised as a safe language (which is true) got so much into
> the user's heads that they think if they write it in Rust it's safe and
> crash free by default. There are plenty of security/safety bugs that aren't
> about dereferencing a null or accessing invalid ptr.

> No cynicism intended, just an observation from what I see around.

The difference is what happens when a bug is encountered. If it is caught and
panicked upon, then that is safe, predictable behavior that cannot be exploited
into something like privilege escalation.
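
An added illustration of the point above (example code written for this thread, not taken from the comment or from Redox): the same length-field bug, a header that claims more payload bytes than the buffer holds, written once trusting the header and once validating it. The packet bytes are constructed for the example; the trusting version is run under `catch_unwind` so the result of the bug can be inspected as a value.

```rust
use std::panic;

/// Constructed sample packet: the first byte is a length field claiming five
/// payload bytes, but only three follow. This is the classic mismatch that
/// turns into an out-of-bounds read in C.
const PACKET: [u8; 4] = [0x05, 0xAA, 0xBB, 0xCC];

/// Buggy but safe: trusts the length byte and indexes past the end of the
/// slice. Safe Rust bounds-checks every index, so the read of pkt[4] panics
/// deterministically instead of returning whatever sits next to the buffer.
fn sum_payload_trusting(pkt: &[u8]) -> u32 {
    let len = pkt[0] as usize;
    (1..=len).map(|i| pkt[i] as u32).sum()
}

/// Hardened: checks the length field against the real slice length and
/// reports the mismatch as an error, so the caller decides what to do.
fn sum_payload_checked(pkt: &[u8]) -> Result<u32, String> {
    let len = *pkt.first().ok_or("empty packet")? as usize;
    let payload = pkt.get(1..=len).ok_or_else(|| {
        format!("header claims {} bytes, only {} present", len, pkt.len() - 1)
    })?;
    Ok(payload.iter().map(|&b| b as u32).sum())
}

/// Runs the trusting version and converts a panic into an Err, which lets a
/// caller (or a test) observe that the bug was contained rather than silent.
fn run_trusting(pkt: &[u8]) -> Result<u32, String> {
    panic::catch_unwind(|| sum_payload_trusting(pkt))
        .map_err(|_| "index out of bounds: the bug became a panic".to_string())
}

fn main() {
    // Malformed packet: the bug panics, the hardened version returns Err.
    println!("trusting: {:?}", run_trusting(&PACKET));
    println!("checked:  {:?}", sum_payload_checked(&PACKET));
    // Well-formed packet: both agree on the sum.
    let good = [0x03, 0xAA, 0xBB, 0xCC];
    println!("well-formed: {:?}", sum_payload_checked(&good));
}
```

The panic message is still printed to stderr when `run_trusting` is called on the bad packet; in a server you would normally prefer the checked form, since a panic in the wrong place is a denial-of-service bug even when it is not a memory-safety one.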

~~~
hedora
I remember when all the same arguments were made about Java, which led people
to ignore the possibility of memory leakage and privilege escalation, even
though both those things are common problems with idiomatic Java.

For instance:

Swing recommends you register callbacks all over the place, but those cause
otherwise dereferenced windows to stay live from the GC’s perspective (this is
a general problem with the callback pattern, not Swing).

Java serialization surfaces all sorts of private methods to outside processes
via the reflection APIs, which is even easier to exploit than arbitrary memory
stomping in C.

Practically everything can throw a null pointer exception, and all generics
code can throw ClassCastExceptions. Writing all the error handling logic for
this is at least as hard as restricting yourself to a memory-safe subset of
C++ templates. If you miss an error handling case, an attacker can use that to
escalate up to increasingly high level invariant violations in your code.

Basic things like “final” have ill-defined semantics with multithreaded code
(final fields can change value, even without reflection).

I don’t know Rust well enough to know which classes of these bugs it has (and
I doubt the Rust community really does either; it took the Java world a decade
to notice some issues like the above).

With the exception of the “final” problems, I think fixing any of the things I
listed reduces to solving the halting problem, or giving up on using
Turing-complete languages.

This makes me skeptical of many claims coming from Rust proponents at the
moment.

~~~
lordnaikon
> I don’t know Rust well

That is one problem, and I don't want to attack you. This is something Rust
needs to work on! Rust is indeed a relatively hard language to learn and
understand, and it is not really clear from the beginning nor at the
intermediate level if it's worth the effort. I can only speak from an empirical
standpoint. Time showed – to me, and maybe I am the only one – that I have
fewer bugs in general, especially in the late stage of development. Rust tends
to feel a little viscid in the beginning, but it catches up later, when you
aren't trying to find a race condition in a 100k cloc program. Rust has a good
way to reason about your program, especially in a multi-threaded environment.
And this is where Rust is fundamentally different from what we – as programmers
– have experienced in the wild. Yes, there are many efforts in academia and
research languages, but none of them are used outside.

Rust does nothing new and has no concepts that are not strongly researched in
academia. Rust is trying to bring those findings into the wild.

In Rust practically nothing can throw null pointer exceptions or class cast
exceptions. Rust doesn't let you express ill-defined semantics with
multi-threaded code – you can't have data races.

And this implies – of course – that the set of programs that you can write in
safe Rust is smaller than in C/C++/Java/C# ... you can't possibly write
programs with data races or dangling pointers / null pointers, thus making
something like 60% of all CVEs (I pulled this number out of my ____) impossible
to write.

Rust can't prevent you from making logical errors, but it can help you prevent
various categories of bugs we see in the wild right now.

Rust has many problems of its own kind, but none of the ones you listed above:
immaturity in its ecosystem due to its short lifetime, a steep learning curve,
and many more. But it can deliver very well in certain disciplines today.
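
An added example of the data-race claim in the comment above (written for this thread; it is not the commenter's code and not from Redox): a shared counter incremented from several threads, once through a `Mutex` and once through an atomic. Both totals are deterministic because safe Rust only lets the threads reach the shared `u64` through a synchronised type; the racy variant is described in a comment because it does not compile at all.

```rust
use std::sync::atomic::{AtomicU64, Ordering};
use std::sync::{Arc, Mutex};
use std::thread;

/// Counts `per_thread` events on each of `n_threads` threads into one shared
/// counter guarded by a Mutex. The lock is the only way safe Rust lets the
/// threads touch the same u64, so the total is always n_threads * per_thread.
fn count_with_mutex(n_threads: usize, per_thread: u64) -> u64 {
    let counter = Arc::new(Mutex::new(0u64));
    let handles: Vec<_> = (0..n_threads)
        .map(|_| {
            let counter = Arc::clone(&counter);
            thread::spawn(move || {
                for _ in 0..per_thread {
                    // The guard holds the lock only for this one increment.
                    *counter.lock().unwrap() += 1;
                }
            })
        })
        .collect();
    for h in handles {
        h.join().unwrap();
    }
    let total = *counter.lock().unwrap();
    total
}

/// Same count with a lock-free atomic. Relaxed ordering is enough for a pure
/// counter: join() below provides the happens-before edge that makes the final
/// load see every increment.
fn count_with_atomic(n_threads: usize, per_thread: u64) -> u64 {
    let counter = Arc::new(AtomicU64::new(0));
    let handles: Vec<_> = (0..n_threads)
        .map(|_| {
            let counter = Arc::clone(&counter);
            thread::spawn(move || {
                for _ in 0..per_thread {
                    counter.fetch_add(1, Ordering::Relaxed);
                }
            })
        })
        .collect();
    for h in handles {
        h.join().unwrap();
    }
    counter.load(Ordering::Relaxed)
}

// The racy version never becomes a binary. Replacing `Arc<Mutex<u64>>` with
// `Rc<RefCell<u64>>` makes rustc reject the `thread::spawn` call (error
// E0277, "`Rc<RefCell<u64>>` cannot be sent between threads safely") because
// Rc is not Send; handing two closures a plain `&mut u64` instead fails the
// borrow checker. Either way the lost-update bug is caught at compile time.

fn main() {
    println!("mutex total:  {}", count_with_mutex(4, 10_000));
    println!("atomic total: {}", count_with_atomic(4, 10_000));
}
```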

~~~
eat_veggies
Do you recommend any resources to learn rust?

~~~
erickt
The official Rust book [1] is a great place to start. So are the exercism
tutorials [2].

[1] [https://doc.rust-lang.org/book/](https://doc.rust-lang.org/book/)

[2]
[http://exercism.io/languages/rust/about](http://exercism.io/languages/rust/about)

~~~
swsieber
Version 1 or 2 of the Rust book?

~~~
steveklabnik
Author here. 2 is much better. And it’s almost done; we’re mostly in editing
and bikeshedding the opening paragraph.

------
davisdude
Related: the Changelog podcast did a really good interview with the
developer[1]. It's pretty long but worth the listen IMO.

[1]: [https://changelog.com/podcast/280](https://changelog.com/podcast/280)

~~~
pohl
I listened to this last night; it’s great.

------
snvzz
I'd rather trust something with a formal proof, such as seL4.

[https://sel4.systems](https://sel4.systems)

~~~
steveklabnik
It's being worked on! Part of libstd was formally verified, as well. Lots
more work to be done though.
[http://plv.mpi-sws.org/rustbelt/](http://plv.mpi-sws.org/rustbelt/) was even
just presented at POPL!

------
andrewstuart
This was the output I got when I followed the instructions from the book.
What should I have seen? Can you suggest what I can do to make it work?

      (venv3.5) root@ubuntu-s-1vcpu-1gb-nyc1-01:~# qemu-system-x86_64 -serial mon:stdio -d cpu_reset -d guest_errors -smp 4 -m 1024 -s -machine q35 -device ich9-intel-hda -device hda-duplex -net nic,model=e1000 -net user -device nec-usb-xhci,id=xhci -device usb-tablet,bus=xhci.0 -enable-kvm -cpu host -drive file=redox_0.3.4.bin,format=raw  -nographic
      pulseaudio: pa_context_connect() failed
      pulseaudio: Reason: Connection refused
      pulseaudio: Failed to initialize PA contextaudio: Could not init `pa' audio driver
      ALSA lib confmisc.c:768:(parse_card) cannot find card '0'
      ALSA lib conf.c:4292:(_snd_config_evaluate) function snd_func_card_driver returned error: No such file or directory
      ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
      ALSA lib conf.c:4292:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory
      ALSA lib confmisc.c:1251:(snd_func_refer) error evaluating name
      ALSA lib conf.c:4292:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
      ALSA lib conf.c:4771:(snd_config_expand) Evaluate error: No such file or directory
      ALSA lib pcm.c:2266:(snd_pcm_open_noupdate) Unknown PCM default
      alsa: Could not initialize DAC
      alsa: Failed to open `default':
      alsa: Reason: No such file or directory
      ALSA lib confmisc.c:768:(parse_card) cannot find card '0'
      ALSA lib conf.c:4292:(_snd_config_evaluate) function snd_func_card_driver returned error: No such file or directory
      ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
      ALSA lib conf.c:4292:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory
      ALSA lib confmisc.c:1251:(snd_func_refer) error evaluating name
      ALSA lib conf.c:4292:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
      ALSA lib conf.c:4771:(snd_config_expand) Evaluate error: No such file or directory
      ALSA lib pcm.c:2266:(snd_pcm_open_noupdate) Unknown PCM default
      alsa: Could not initialize DAC
      alsa: Failed to open `default':
      alsa: Reason: No such file or directory
      audio: Failed to create voice `dac'
      ALSA lib confmisc.c:768:(parse_card) cannot find card '0'
      ALSA lib conf.c:4292:(_snd_config_evaluate) function snd_func_card_driver returned error: No such file or directory
      ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
      ALSA lib conf.c:4292:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory
      ALSA lib confmisc.c:1251:(snd_func_refer) error evaluating name
      ALSA lib conf.c:4292:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
      ALSA lib conf.c:4771:(snd_config_expand) Evaluate error: No such file or directory
      ALSA lib pcm.c:2266:(snd_pcm_open_noupdate) Unknown PCM default
      alsa: Could not initialize ADC
      alsa: Failed to open `default':
      alsa: Reason: No such file or directory
      ALSA lib confmisc.c:768:(parse_card) cannot find card '0'
      ALSA lib conf.c:4292:(_snd_config_evaluate) function snd_func_card_driver returned error: No such file or directory
      ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
      ALSA lib conf.c:4292:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory
      ALSA lib confmisc.c:1251:(snd_func_refer) error evaluating name
      ALSA lib conf.c:4292:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
      ALSA lib conf.c:4771:(snd_config_expand) Evaluate error: No such file or directory
      ALSA lib pcm.c:2266:(snd_pcm_open_noupdate) Unknown PCM default
      alsa: Could not initialize ADC
      alsa: Failed to open `default':
      alsa: Reason: No such file or directory
      audio: Failed to create voice `adc'
      qemu-system-x86_64: terminating on signal 15 from pid 8287
      (venv3.5) root@ubuntu-s-1vcpu-1gb-nyc1-01:~#

~~~
tiles
Remove some of the extra options from the list; for instance, the
ich9-intel-hda device probably can't be run on your machine.

