
Microsoft is creating a new Rust-based programming language for secure coding - ToFab123
https://www.zdnet.com/article/microsoft-were-creating-a-new-rust-based-programming-language-for-secure-coding/
======
saagarjha
Video where this was introduced, which has more details:
[https://vimeo.com/376180843](https://vimeo.com/376180843)

Slides: [https://www.slideshare.net/KTNUK/digital-security-by-
design-...](https://www.slideshare.net/KTNUK/digital-security-by-design-
security-and-legacy-at-microsoft-matthew-parkinson-microsoft)

~~~
zozbot234
The slides don't really add much detail. They're just a light introduction to
the sort of region-based memory management that was already being used by
Cyclone, well before the Rust project was even a thing.

~~~
pjmlp
The video explains more:

\- Need to keep old insecure code around, too much money to rewrite the world
from scratch in Rust, C#, or whatever safe language makes your day

\- They are just starting the project, so far only interpreter and runtime
model

\- It is based on CHERI CPU research
([https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/](https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/)),
which has memory tagging

\- They are planning to open source the existing work in a couple of months

\- Looking for collaboration

~~~
zozbot234
> Need to keep old insecure code around

That's what process boundaries are for. (As a bonus, you get protection from
any Spectre-like issues arising in the old code.)

~~~
pjmlp
Process boundaries don't protect against internal exploits, which is what most
of the C and C++ exploits are all about.

If you are able to force a process to change its behaviour, the process
boundaries become useless.

~~~
saagarjha
Process boundaries _specifically_ protect against these exploits.

~~~
pjmlp
So how does a process boundary protect against Heartbleed?

~~~
saagarjha
Process boundaries help you when you start jumping through a ROP chain that
spawns a shell because your process doesn't have access to things that it
shouldn't, even when compromised. Calling Heartbleed an example of a process
"changing its behavior" doesn't really make sense in the context of exploits
that can cause arbitrary code execution.

~~~
dx87
You don't have to spawn a shell as a seperate process. Injecting and executing
code inside a vulnerable process has been done for a long time.

~~~
saagarjha
A shell spawned in an unprivileged process is not very useful.

~~~
pjmlp
One doesn't need to spawn a shell.

~~~
iCodeSometime
Injecting and executing code inside an unprivileged process is not very
useful.

~~~
pjmlp
Some black hats would consider stealing data, data corruption or triggering
DOS already very useful for ransonware.

------
Animats
I'm curious to see what Microsoft does.

The big breakthrough with Rust was ownership, and Microsoft seems to agree on
that. Rust has a lot of other baggage that could be dispensed with. Of course,
Microsoft has their own baggage.

~~~
hu3
More precisely Cyclone already had borrow checker over a decade ago. Rust
derives much of its memory model from that language.

~~~
danielscrubs
Which is awesome. Standing on the shoulders of giants and all that.

------
Someone1234
This slideshow is pretty interesting (in particular slide 14):

[https://www.slideshare.net/KTNUK/digital-security-by-
design-...](https://www.slideshare.net/KTNUK/digital-security-by-design-
security-and-legacy-at-microsoft-matthew-parkinson-microsoft)

Talks about sandboxing C/C++ libraries that interact with Rust. Kinda make a
safe unsafe sandbox Rust interface ("less unsafe?") if I understand it
correctly (I likely don't).

The actual linked article is all over the place, I cannot make heads or tails
of it and seems to be conflating multiple security issues/mitigations together
into a mish mash.

~~~
pjmlp
You really need to watch the video.

Basically a new language for system software and containers that allow to tame
existing software, due to the expenses of rewriting everything into safe
languages.

It is based on the CHERI tagged architecture.

[https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/](https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/)

Just starting now, they have done the ground work, will open source it and are
looking for collaborators.

------
DrBazza
Midori v2?

[http://joeduffyblog.com/2015/11/10/objects-as-secure-
capabil...](http://joeduffyblog.com/2015/11/10/objects-as-secure-
capabilities/)

~~~
bloaf
You mean Sing#?

[https://en.wikipedia.org/wiki/Sing_sharp](https://en.wikipedia.org/wiki/Sing_sharp)

------
aikah
I'm surprised Microsoft didn't "invent" their own version of Go yet. Actually
I'd use it in a heartbeat over Google's if they add generics to it. Just call
it "Micro".

~~~
LessDmesg
This so much! Go would be a great language if it had generics and no
"interface {}". I'd use that over any flavor of Rust any day.

~~~
kerng
I'm curious what the next big language iteration will bring. It's been a while
that I got excited about a new language, last time was probably C#, but that's
20 years ago... Crazy, that there hasn't been any new language revolution sort
of how Java was one. But maybe I should look more into new things like Julia,
but they seem a bit niche.

~~~
Rotareti
I hope the next big programming language will be one that is split into two
language-variants: the "low-level-variant" and the "high-level-variant".

The high-level-variant is a dynamic language with optional typing, which is
good for scripting, fast prototyping, fast time-to-market, etc.

The low-level-variant is similar to the high-level-variant (same syntax, same
features mostly, same documentation), but it has no garbage collector, typing
is mandatory and it runs fast like C/C++/Rust. Compiled packages that are
written in the low-level-variant can be used from the high-level-variant with
minimal effort or without additional effort at all. The tooling to achieve
this comes with the language.

~~~
afiori
Proponents would say that julia is both languages at the same time

~~~
Recurecur
Yes, and I think Julia is a perfect starting point for an extremely productive
general purpose language.

The one major wart with Julia is reliance on GC, I'm interested to hear what
workarounds exist. If no common usage patterns rely on the GC, it should be
possible to write "recycling" code that doesn't incur GC pauses and hence,
unpredictable latency.

I really enjoy using Julia, it's a great balance of concision, expressiveness,
and performance.

~~~
KenoFischer
There is a common demand from people for extracting just a very concrete
computation from a julia codebase and compiling it to a standalone library (or
even just using it within an existing julia program, but guaranteeing certain
allocation or real time behavior). For example, julia includes a pure julia
implementation of libm, but we also maintain the openlibm C library, since we
link it into some of our C dependencies that need good quality math functions.
It would be nice just to compile the julia version and have it be a drop in
replacement for the libm that can be linked. Of course for that you don't want
the runtime, or GC or code generator. The challenge here is coming up with the
right interfaces and abstractions to make this a feasible and useful thing,
without splitting the community into those that care about it and those that
don't. We've started some work in this direction, but it isn't really usable
yet.

~~~
byt143
This sounds amazing and exactly what people have been clamoring for. Extremely
excited.

I think it will also rocket up Julia's popularity and usage not just for ML
but as a general purpose language

------
quantified
I _really_ like the idea of implementing mutability control at the level of a
collective as opposed to a single object. A great many transactions are multi-
object.

Love the idea that a Netscape-legacy language has traction there. I hope they
don’t return to their pre-Nadella practices.

~~~
est31
Actually in Rust you have a problem where you can't express partial access to
a struct at a function level. This means that you can't put some code into a
separate function right now, making use of closures/iterators harder. There
are attempts to fix this ([1] [2]). If borrow checking is done on collections
of objects instead, the problem can be tackled more easily I think.

[1]: [https://github.com/rust-lang/rust/issues/53488](https://github.com/rust-
lang/rust/issues/53488)

[2]:
[http://smallcultfollowing.com/babysteps/blog/2018/04/16/rust...](http://smallcultfollowing.com/babysteps/blog/2018/04/16/rust-
pattern-rooting-an-rc-handle/)

~~~
roca
There's some friction there, but in practice it's easy to work around most of
the time. I'm not sure extending the type system there is worth the weight.

------
zelly
This is great news. Microsoft is adopting/forking Rust. That means Rust will
be supported for all eternity.

~~~
throwaway2048
Or at least Microsoft Visual R++

~~~
nirui
That will be very sad if it's the case.

One reason of why I'm using Rust is because it's built by a group of people
that I like, and Microsoft is not on that list.

However, I always keep a open-mind, I mean, I don't see anybody will be hurt
if Microsoft become a direct contributor of Rust language itself. In fact, I
could like Microsoft a bit if they did invest in Rust. I hope they do that
<delete>instead of trying to fork things/build something alike (if that's the
case here)</delete> (I watched their intro, their design is different than
Rust and I somehow like what they did there).

~~~
sectiondetail
I'm about as old-school anti-Microsoft as it gets (I had a 4-digit slashdot
ID!) but even I have to admit that they've been pretty serious in offering
olive branches to the broader open source community in the past decade. I'm
prepared to give them the benefit of the doubt.

If someone had told me ten years ago that my favourite code editing
environment on the Linux desktop ten years later would be browser-tech-based,
MIT-licensed, and made by Microsoft, I'd have stared at them like they had
just grown a second head. But here we are. Interesting times, man.

------
hybrids
Found the article to be somewhat vague and found this slideshare presentation
which was...a little less vauge.

[https://www.slideshare.net/KTNUK/digital-security-by-
design-...](https://www.slideshare.net/KTNUK/digital-security-by-design-
security-and-legacy-at-microsoft-matthew-parkinson-microsoft)

It _seems_ like they want to do something like Rust, but with a new focus on
regionalized memory management.

------
dlbucci
What does "Rust-based" even mean? Inspired by Rust? Does it transpile to Rust
or something? Very confusing phrasing to me...

~~~
jandrese
Historically it means they would start with Rust and then add in just enough
Windows proprietary stuff to make it not run on any other platform.

~~~
cududa
Given their past years of behavior and focus on dev tools, what in the world
makes you think that would be the case? They ported their chromium browser to
every platform from day 1.

~~~
astrodust
Two words: Steve Ballmer.

~~~
danso
The former CEO who retired five years ago?

~~~
astrodust
Yes. That's why people are still super nervous whenever Microsoft dares to
embrace something new. Past experience.

I'm not saying they're like that today, but that's why some people get all on-
edge when Microsoft does things like this.

~~~
danso
But he’s not the CEO any longer and he hasn’t been for years. So why is what
he did more than a decade ago relevant absent of evidence that he has any
direct control of the company today?

~~~
slightwinder
One CEO doesn't make an evil empire. Bad influence remains. Many evil minions
that were forged from Bill Gates and then Steve Ballmer are still in the
company. And ontop of this, Microsoft is still a big money-driven Company, so
some natural evilness is always there.

Microsoft has become better in the last years, but they still do bad things.
So why should people trust the wholeheartly?

------
microcolonel
Seems like Microsoft really needs Rust. They've completely gutted their prized
aggressive prerelease testing, and the quality of the software they expose
users to has declined dramatically.

~~~
pimeys
I heard 70% of their bugs are related to memory handling or off-by-one errors.
About 7 severe bugs per year. It can cost them from anywhere between 100k to
10M to fix the bugs and problems caused by these bugs.

------
Communitivity
This so reminds me of when I hear of J#, and again when I heard of C#. Will it
be called R#?

------
gigatexal
What a huge validation of Rust. Here’s to hoping this improves Windows.

~~~
techntoke
Lol, if they wanted to make it better they'd adopt some practices and tools
from Linux to get common-sense developers interested instead of looking for MS
drones that don't know why they do what they do.

~~~
mkl
They did: [https://docs.microsoft.com/en-
us/windows/wsl/about](https://docs.microsoft.com/en-us/windows/wsl/about)

Linux tools run on Windows 10 just fine. WSL 2 even uses an actual Linux
kernel.

~~~
techntoke
WSL performance is terrible not to mention WSL 2 is still pre-release with
lots of bugs and so is their updated terminal app. I don't even think WSL 2
will support Docker, and it is using a broken VM and Plan 9 to share files so
you lose most of the performance benefits of Linux. It appears MS is trying to
get people to try Linux on Windows and make it bad so that they get a negative
first impression.

------
craftoman
I think it's gonna be something good from the creators of Typescript, the most
flexible and object oriented language. Microsoft created too many languages
compared to any other company and they really one step ahead in this field.

------
danielscrubs
Impossible! Java-heads consider this solved! /s

------
hordeallergy
How long before redox will run on my surface?

------
Ziomislaw
embrace, extend, extinguish once again?

------
pjmlp
For the hating Microsoft crowd, here are the projects where they are also
using Rust,

[https://msrc-blog.microsoft.com/?s=rust](https://msrc-
blog.microsoft.com/?s=rust)

And the talks done about the internal adoption,

[https://www.youtube.com/watch?v=qCB19DRw_60](https://www.youtube.com/watch?v=qCB19DRw_60)

[https://www.youtube.com/watch?v=o01QmYVluSw](https://www.youtube.com/watch?v=o01QmYVluSw)

And the author from C++/WinRT is now working on Rust/WinRT.

[https://kennykerr.ca/2019/11/05/rust/](https://kennykerr.ca/2019/11/05/rust/)

So lets wait a bit before going to the castle with the pitchforks and torches.

~~~
JNRowe
As a big proponent of F# it annoys me how much one still needs to fight "but
M$" arguments if I point out a thing that F# does well. The same thing seems
to happen when discussing Haskell with people who know just enough to
recognise the influence MSR employees have on it.

It almost makes me wonder how they/we can work around that sentiment now.
Either hope for generational shift to eventually kill it, or perhaps have them
make a point of landing projects outside of MS and hoping nobody
notices(GitHub R++ or whatever).

Tips on how others approach these discussions with Microsoft haters greatly
appreciated!

~~~
orev
“Fool me once, shame on you. Fool me twice, shame on me”

I try to be objective as much as possible, but having witnessed almost all of
Microsoft’s behavior through history, we have been fooled 100s if not 1000s of
times. How many times do you let the fox back into the hen house?

The only thing I think when I read recent “Microsoft is so great” comments is
that the person is either too young to have any real knowledge, or they have
simply not been paying attention for the past few decades.

For anyone who has seen what they have done through all of history, it will
take _decades_ to believe they have truly changed.

~~~
wvenable
All those people who worked at Microsoft in the 90's and 2000's now work for
at hundreds of other companies throughout the industry. And a whole bunch of
people who weren't even born in those times now work for Microsoft.

I don't think your opinion is objective at all. It's based on treating a
collective as a single mind.

~~~
xvilka
Collectives and companies can keep the same culture and habits even if all
people who worked there left. Because people come and leave not in the one go
- they do it gradually, so every new employee is "indoctrinated" into the
company culture, then indoctrinating new people themselves, even if their
mentors left.

------
_bxg1
Argh, they couldn't just contribute to the existing project.

~~~
steveklabnik
Microsoft already contributes to the Rust project; for example, Azure sponsors
our CI.

~~~
techntoke
Lol, they host our data so therefore they contribute. That is some next level
Stockholm Syndrome.

~~~
dralley
They're not "hosting the data" they're donating hundreds of CPU cores and
infrastructure.

~~~
techntoke
So does GitLab and it actually has an open source version.

------
yarrel
RScript.

------
xvilka
EEE strikes again? Why not just use and contribute into the Rust itself? Why
creating one more copy? They could have extended C2Rust[1][2] to support
C++[3] and C# to ease their migration instead.

[1] [https://c2rust.com](https://c2rust.com)

[2] [https://github.com/immunant/c2rust](https://github.com/immunant/c2rust)

[3]
[https://github.com/immunant/c2rust/issues/162](https://github.com/immunant/c2rust/issues/162)

------
sansnomme
Oh no, I bet it's gonna be a C# flavored Rust. None of Rust's terse syntax and
functional influence. It's going to be full-blown Java-style OOP with plenty
of Wnd handles to be thrown around. Yikes, I certainly hope I am not right.

~~~
goto11
Why not a F# flavored Rust?

> plenty of Wnd handles to be thrown around

That is not really a language issue, is it?

