Originally posted by bug77
View Post
Announcement
Collapse
No announcement yet.
BoringTun v0.4 Released For CloudFlare's Rust-Based WireGuard
Collapse
X
-
- Likes 2
-
Originally posted by RahulSundaram View Post
I am aware that but the point I was trying to make is that, the unsafe marker is because in C you don't have a way to verify the safety, that doesn't mean it is automatically insecure, just that the compiler can't make the determination because the C language wasn't built around any strict notions of ownership. However whatever security vulnerability is there isn't caused by the binding, the binding is just the exposure point.
Comment
-
Originally posted by bug77 View Post
Right, but even if the C code is correct, you can still do nefarious stuff inside the unsafe block. Perhaps something as innocuous as making the wrong call or sending the wrong parameters. Of course, when thigs go wrong, the unsafe block itself dramatically reduces things that must investigate.
Comment
-
Originally posted by bug77 View Post
Binding to C code is why unsafe was introduced in the first place. And probably the only place t should ever be used.
I'm a big fan of Rust and their philosophy but people who tend to do things on the high level only get this odd impression that unsafe is this forbidden niche part of the language mostly just for C FFI. That's just not true.
- Likes 2
Comment
-
Originally posted by RahulSundaram View PostDo you have an example of C <-> Rust language binding causing security issues that wasn't otherwise an inherent security vulnerability?
If you want to find specific examples, perhaps check out a number of Rust memory checking tools. Here is one from 2021: https://www.micahlerner.com/2021/10/...tem-scale.html
264 memory safety bugs and 76 CVEs.
There is also Miri: https://github.com/rust-lang/miri#bugs-found-by-miri
You could argue that these bugs aren't really Rust's fault. It is where it connects to C that the problem arises. I absolutely agree but it *does* need to connect to C. There is no way around that if you plan to do anything useful with Rust. This unfortunately is a slight weakness of Rust (and every other language that is not C. Even C <-> C++ bindings can be a main source of memory issues if the order of deletion from RAII is not carefully considered).
Originally posted by RahulSundaram View PostIn any case, that doesn't seem to apply here, BoringTun is a pure Rust implementation although it does offer bindings to be called from C which itself is safe to do.
The question is, which one is safer?
1) Rust being the safer language but losing type safety "around the edges" of the underlying system
2) C bring a less safe language but keeping type safety and simplicity when interacting with the underlying system
Both remain to be seen. Rust is still relatively young but projects such as BoringTun are the best way to get a feel for which approach is ultimately better.
Of course if a platform could be developed from the ground up in Rust (i.e RedoxOS is very close), then I do believe Rust to be the clear winner. However in mixed environments, everything is so much messier when interweaving different languages.Last edited by kpedersen; 08 March 2022, 01:47 PM.
Comment
-
Originally posted by kpedersen View Post
The question is, which one is safer?
- Likes 1
Comment
-
Originally posted by kpedersen View Post
You could argue that these bugs aren't really Rust's fault. It is where it connects to C that the problem arises. I absolutely agree but it *does* need to connect to C. There is no way around that if you plan to do anything useful with Rust. This unfortunately is a slight weakness of Rust (and every other language that is not C. Even C <-> C++ bindings can be a main source of memory issues if the order of deletion from RAII is not carefully considered).
Originally posted by kpedersen View PostYou can't implement a userland version of wireguard without accessing the TCP stack (API in C)!
EDIT: and a nit, WireGuard uses UDP, not TCP. You should never, ever, use TCP for encapsulation of IP unless you want catastrophic delays whenever a TCP-over-TCP packet is lost in transit.Last edited by sinepgib; 08 March 2022, 02:26 PM.
- Likes 1
Comment
-
Originally posted by sinepgib View PostAs long as you statically link, the only calling conventions you need to keep are the ones that interact with the kernel in one way or another (process bring up, syscalls, etc). Note you need to use unsafe to send the int 80h call. But it's still no C.
Originally posted by sinepgib View PostYou absolutely can. What really matters is the syscalls. Syscalls aren't just a regular C call, you set some registers (and IIRC stack data?) and send an interrupt. You can do all that in pure Rust. All POSIX implementations are essentially wrappers around syscalls, there's no magic that forces you to go through their APIs.
In fact, some operating systems don't even allow direct syscalls. I remember this occuring with golang and OpenBSD not too long ago (https://github.com/golang/go/issues/36435)
Originally posted by sinepgib View PostEDIT: and a nit, WireGuard uses UDP, not TCP. You should never, ever, use TCP for encapsulation of IP unless you want catastrophic delays whenever a TCP-over-TCP packet is lost in transit.
Originally posted by RahulSundaram View PostI don't think this particular question is as seemingly as much up in the air, there are several major organizations already using mixed language environments including Rust and the evidence all points clearly in one direction, academic research that demonstrated that with prior art languages like Cyclone would still be relevant here.
But... it is changing. Safety is becoming more of a focus (thankfully!). C++ is annoyingly focused on "zero overhead" and screw safety. Smart pointers are only half-safe and can still be made to dangle "this". So C++ is close but will never reach a satisfactory amount of safety. I am thankful for Rust to at least keep the pressure up in terms of safety.
My personal opinion is that the safe language that will come to save us all must be a superset of C rather than a new language entirely that needs bindings but admittedly this is simply an educated guess based on my experience. Perhaps if a tiny C compiler could be bolted onto Rust (similar to Zig and Golang) we might be close.Last edited by kpedersen; 08 March 2022, 04:24 PM.
Comment
-
Originally posted by kpedersen View PostYes but no implementation would do this. It will bind against C. They will do this because it is still safer than the alternative. So the safety is either limited by binding against C or an even less safe solution unfortunately.
Originally posted by kpedersen View PostAgain, they wont implement it like this. They will go through libc and POSIX C API.
In fact, some operating systems don't even allow direct syscalls. I remember this occuring with golang and OpenBSD not too long ago (https://github.com/golang/go/issues/36435)
Originally posted by kpedersen View PostYes, good point I should have generalized it more. Actually, I wonder if it doesn't use raw sockets rather than even UDP. Admittedly not looked into it so much.
Originally posted by kpedersen View PostMy personal opinion is that the safe language that will come to save us all must be a superset of C rather than a new language entirely that needs bindings but admittedly this is simply an educated guess based on my experience. Perhaps if a tiny C compiler could be bolted onto Rust (similar to Zig and Golang) we might be close.
- Likes 1
Comment
-
Originally posted by sinepgib View PostA superset of C cannot be made safe. The moment you can build C as is, you can build unsafe code. You can make easier to do the right thing by extending C, but you can't make C inherently safer by doing that. If you want safety, you _need_ to make unsafe code explicit to the compiler, and that necessarily breaks most C code.
- Likes 5
Comment
Comment