From nobody Tue Jan 23 15:10:40 2024 X-Original-To: freebsd-hackers@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4TK9Wq01Yrz570xS for ; Tue, 23 Jan 2024 15:10:47 +0000 (UTC) (envelope-from robert@rrbrussell.com) Received: from wout4-smtp.messagingengine.com (wout4-smtp.messagingengine.com [64.147.123.20]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4TK9Wp2gqCz4cNW for ; Tue, 23 Jan 2024 15:10:46 +0000 (UTC) (envelope-from robert@rrbrussell.com) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=rrbrussell.com header.s=fm2 header.b=aD3sONGX; dkim=pass header.d=messagingengine.com header.s=fm3 header.b="l q/GVQ7"; dmarc=pass (policy=quarantine) header.from=rrbrussell.com; spf=pass (mx1.freebsd.org: domain of robert@rrbrussell.com designates 64.147.123.20 as permitted sender) smtp.mailfrom=robert@rrbrussell.com Received: from compute7.internal (compute7.nyi.internal [10.202.2.48]) by mailout.west.internal (Postfix) with ESMTP id 3876C3200B27 for ; Tue, 23 Jan 2024 10:10:44 -0500 (EST) Received: from mailfrontend2 ([10.202.2.163]) by compute7.internal (MEProxy); Tue, 23 Jan 2024 10:10:44 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rrbrussell.com; h=cc:content-transfer-encoding:content-type:content-type:date :date:from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to; s=fm2; t=1706022643; x=1706109043; bh=ma4j8/1+UG4k68esU3zhHpuLZ+h+5iZEsuapiyMH+2k=; b= aD3sONGXYx+FMfTIjEFeqlWHmKL/Yx4NFi2x7WXJdak8L789ti7FIAWjr9whvxNF BJ9Dst1APnCZcxcK4oKr9mbKepSfv2JzaZh3YopaiiufJRfjZ2kNz03PToHqOcP0 NM2+2EJve/PYZYqgnAT3fJ64/Y0u1PquH49lXh83iVY6KkenGQWMAICKcjvNR8S8 H8osKFOkgTGaTcMtUDNFNmaxE/L93GYgw9sIYKU8KFXamWDn3AOiwnuro0Hqk0b8 Hho+XKdpMG96rFAcH969EBCxRKkqA7Vx4LGJc+dkaLcWzODlzyu30o5ESCwiqHac NYS+A8BEBaHQqTkubfdhcA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=1706022643; x= 1706109043; bh=ma4j8/1+UG4k68esU3zhHpuLZ+h+5iZEsuapiyMH+2k=; b=l q/GVQ7YfoIJaaqnSXbikTF30Q+izcGVOszOtj+nxuKe7/XoMGcSbhUtznXt2jibR 0P24J5R0sh4tG60PIU6Mhy+0L70XxOVGjwCjn2iz411fUSgz3qPW22sMJW0Av/JC 7l2C09ZTfQniGyZjKUQQjBNKllnZJ3JnFlx5dF40onvP2aj8W/IfE8t+XQd3KI+B 0PiYFZWZZG+OSzsbzPhTslVrOFLLIfNxKjpR3lfUfVFb7FrTzHQMxoQsxvddsGAE P8r9COdXQKgpQ1GH9ukWHnKMU9Re/LnZY63u9cOX9n49HDdicE4CY1hXmtzfY6vK wZ//7uivxvGaUE5iIogPw== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvkedrvdekkedgjeduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpeffhffvuffkjghfofggtgfgsehtqh ertdertdejnecuhfhrohhmpedftfhosggvrhhtucftrdcutfhushhsvghllhdfuceorhho sggvrhhtsehrrhgsrhhushhsvghllhdrtghomheqnecuggftrfgrthhtvghrnhephfehfe ffieeihfdutdeugfffjeeiffeuhedtgfejfeeugeegheekgfdvvedtffeknecuvehluhhs thgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheprhhosggvrhhtsehrrh gsrhhushhsvghllhdrtghomh X-ME-Proxy: Feedback-ID: ie421460a:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA for ; Tue, 23 Jan 2024 10:10:43 -0500 (EST) Date: Tue, 23 Jan 2024 09:10:40 -0600 From: "Robert R. Russell" To: freebsd-hackers@freebsd.org Subject: Re: The Case for Rust (in the base system) Message-ID: <20240123091040.18c4ffcf@venus.private.rrbrussell.com> In-Reply-To: References: <1673801705774097@mail.yandex.ru> <202401210751.40L7pWEF011188@critter.freebsd.dk> <40bc1694-ee00-431b-866e-396e9d5c07a2@m5p.com> <20240122165452.13733a66@venus.private.rrbrussell.com> X-Mailer: Claws Mail 3.19.1 (GTK+ 2.24.33; amd64-portbld-freebsd14.0) List-Id: Technical discussions relating to FreeBSD List-Archive: https://lists.freebsd.org/archives/freebsd-hackers List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-hackers@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spamd-Bar: ---- X-Spamd-Result: default: False [-4.50 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-1.00)[-0.999]; DMARC_POLICY_ALLOW(-0.50)[rrbrussell.com,quarantine]; RWL_MAILSPIKE_EXCELLENT(-0.40)[64.147.123.20:from]; R_DKIM_ALLOW(-0.20)[rrbrussell.com:s=fm2,messagingengine.com:s=fm3]; R_SPF_ALLOW(-0.20)[+ip4:64.147.123.20]; RCVD_IN_DNSWL_LOW(-0.10)[64.147.123.20:from]; MIME_GOOD(-0.10)[text/plain]; DKIM_TRACE(0.00)[rrbrussell.com:+,messagingengine.com:+]; ARC_NA(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; RCVD_TLS_LAST(0.00)[]; ASN(0.00)[asn:29838, ipnet:64.147.123.0/24, country:US]; MIME_TRACE(0.00)[0:+]; TO_DN_NONE(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; FREEFALL_USER(0.00)[robert]; PREVIOUSLY_DELIVERED(0.00)[freebsd-hackers@freebsd.org]; MLMMJ_DEST(0.00)[freebsd-hackers@freebsd.org]; MID_RHS_MATCH_FROMTLD(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; DWL_DNSWL_NONE(0.00)[messagingengine.com:dkim] X-Rspamd-Queue-Id: 4TK9Wp2gqCz4cNW On Tue, 23 Jan 2024 09:30:04 +0000 David Chisnall wrote: > On 22 Jan 2024, at 22:54, Robert R. Russell > wrote: > >=20 > > If you had to estimate what is the cost of enforcing better C++ > > code? =20 >=20 > For CHERIoT RTOS, we use clang-tidy to run the static analyser. It=E2=80= =99s > the longest CI job, by quite a large margin, but it=E2=80=99s a small eno= ugh > project that we haven=E2=80=99t felt the need to trim what it runs on, so= we > run it on *every* file on every commit to a PR. =20 >=20 > It=E2=80=99s also something that you need to do from the start. If you r= un > the clang analyser or Coverity on FreeBSD, you get a vast number of > false positives and so having a =E2=80=99no warnings=E2=80=99 policy is i= mpossible to > enforce. I would recommend doing it on a per-compilation-unit basis: >=20 > - New files must have no new warnings. > - Old files get opted in once they=E2=80=99re clean and must then have no > new warnings. > - Anything that explicitly silences a false positive needs sign-off > from two committers in code review. >=20 > At the very least, the last point will likely get the comment ratio > up a bit, since the code will need to actually be readable by other > people to make it into the tree. >=20 > Even then, there=E2=80=99s likely to be a bit of churn when you update to > newer versions of the analysers. >=20 > Making this work really just needs build system infrastructure to > generate a compile_commands.json (something that any build system > that isn=E2=80=99t Make can do. I know MaskRay has written some scripts to > try to generate one from bmake but I couldn=E2=80=99t get them to work) a= nd > some work from the CI team. They=E2=80=99re currently understaffed and > under-resourced. =20 >=20 > > I am not familiar with Lua and most of my experience with Lua like > > languages have included dynamic code injection as an attack vector. > > Is it feasible to protect Lua from that problem in the use case you > > propose? =20 >=20 >=20 > Yes. Don=E2=80=99t call `eval` on untrusted input. >=20 > David >=20 I was more considering issues similar to abusing LD_PRELOAD before running a setUID executable or uploading a php or python file into the media portion of a website and then fetching it. Naive webserver configurations tend to execute the uploaded code instead of just serving the file. Think something similar to the big log4J disaster a year or so ago. Eval is simply the cheapest and quickest way to screwup. It looks like lua's import paths can be fairly well locked down in embedded mode so a small shim might be needed then.