> Doesn’t Rust also provide buffer overrun protection, without needing a special OS or CPU instruction set?
So using Rust without using unsafe is akin to using CHERI while ensuring the toolchain and hardware have support.
If we can be careful enough to use Rust minus unsafe, then you’re getting all the benefit without needing special hardware.
I guess my problem with this approach is that it’s not a drop-in replacement. Something will get missed and you’ll lose any CHERI guarantees along with that.
It would be cool to have a QEMU CPU with CHERI support to test some of these scenarios.
No, because there’s still quite a lot of (inevitable) Unsafe Rust code floating around, and the compiler can’t protect these from memory-related errors. In fact there are some ongoing discussions and progress to support CHERI in Rust:
[0] https://faultlore.com/blah/fix-rust-pointers/
[1] https://tratt.net/laurie/blog/2022/making_rust_a_better_fit_...
[2] https://archive.fosdem.org/2023/schedule/event/rust_a_rusty_...
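The distinction the comment above draws (safe Rust has compiler-inserted bounds checks, `unsafe` code does not, so a bug there is exactly what CHERI-style hardware bounds would catch) is easy to see in code. The following is an added example written for this thread, not code from any of the commenters or the linked posts; the function names are my own. It contrasts a safe slice read, the same read through `get_unchecked` (no check emitted), and the usual mitigation of re-establishing the invariant in safe code before crossing into the unsafe block.

```rust
use std::panic;

/// Safe Rust: `get` carries a bounds check and returns None out of range.
pub fn safe_read(buf: &[u8], i: usize) -> Option<u8> {
    buf.get(i).copied()
}

/// Safe Rust, index syntax: still bounds-checked, but the failure mode is a
/// panic rather than None. Either way the access never leaves the buffer.
pub fn index_read(buf: &[u8], i: usize) -> u8 {
    buf[i]
}

/// Unsafe Rust: no bounds check is generated. Calling this with
/// `i >= buf.len()` is undefined behaviour and nothing in the compiler or
/// borrow checker will flag it; this is the hole the thread is discussing.
///
/// # Safety
/// The caller must guarantee `i < buf.len()`.
pub unsafe fn unchecked_read(buf: &[u8], i: usize) -> u8 {
    // SAFETY: upheld by the caller per the contract above.
    unsafe { *buf.get_unchecked(i) }
}

/// The idiomatic mitigation: keep the unsafe surface tiny and prove the
/// invariant in safe code immediately before the unsafe call, so the
/// `unsafe` block is auditable in isolation.
pub fn checked_wrapper(buf: &[u8], i: usize) -> Option<u8> {
    if i < buf.len() {
        // SAFETY: `i < buf.len()` was verified on the line above.
        Some(unsafe { unchecked_read(buf, i) })
    } else {
        None
    }
}

/// Demonstrates that the safe index path traps (panics) instead of reading
/// out of bounds; returns true when the panic was observed.
pub fn safe_index_traps_out_of_range() -> bool {
    // Constructed sample buffer: three bytes, index 5 is out of range.
    panic::catch_unwind(|| index_read(&[1u8, 2, 3], 5)).is_err()
}

fn main() {
    let buf = [10u8, 20, 30];
    println!("safe_read(2)      = {:?}", safe_read(&buf, 2));
    println!("safe_read(5)      = {:?}", safe_read(&buf, 5));
    println!("checked_wrapper(1)= {:?}", checked_wrapper(&buf, 1));
    println!("checked_wrapper(9)= {:?}", checked_wrapper(&buf, 9));
    println!("index traps OOB   = {}", safe_index_traps_out_of_range());
}
```

The test never calls `unchecked_read` out of range on purpose: doing so is undefined behaviour, and the absence of any compile-time or runtime complaint in that case is the whole point of the comment. Tools like Miri can catch such reads during testing, but only on the paths the tests exercise; hardware bounds would cover every execution.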