by metajack 2057 days ago
Diane wrote an analysis of how many bugs would have been avoided had the Servo style system been in Gecko all along: https://hacks.mozilla.org/2019/02/rewriting-a-browser-compon...

"There’s a significant overlap between memory vulnerabilities and severe security problems. Of the 34 critical/high bugs, 32 were memory-related."

Rust doesn't fix everything, and this result won't hold for code that is itself security logic (i.e., crypto implementation), as logic errors are also very bad. But fixing memory safety does address almost all the high and critical severity issues.

Microsoft published similar research: https://msrc-blog.microsoft.com/2019/07/18/we-need-a-safer-s...

Keep in mind that the Gecko style system has had two decades of work before the Rust code came along, and was written by some excellent programmers. It was extensively fuzzed for years. And still, Rust has enormous potential to solve these security issues.

Only time will tell if the next decade with Rust will pan out as the data seem to predict, but I am quite hopeful.
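As an added illustration of the "memory-related" bug class the quoted numbers refer to (example code written here, not from the post and not from Servo or Gecko): a length-prefixed field whose length comes from untrusted input. In C, a `memcpy(out, p + 1, p[0])` with `p[0]` larger than the remaining buffer reads past the end of the allocation; in safe Rust the same access either returns `None` or panics, but never reads out of bounds. The parser and the sample inputs below are constructed for the demonstration.

```rust
// Added example (not from the post, Servo or Gecko): how a classic
// memory-related bug, a length-prefixed field whose length is attacker
// controlled, behaves in safe Rust. The C equivalent
// `memcpy(out, p + 1, p[0])` reads beyond the buffer when p[0] exceeds the
// bytes that follow; here that same access is a checked slice.

/// Parse one length-prefixed field: the first byte is the length, followed
/// by that many bytes of payload. Returns None on truncated/malformed input.
pub fn parse_field(input: &[u8]) -> Option<&[u8]> {
    let len = *input.first()? as usize;
    // `get` performs a bounds-checked slice: an out-of-range request yields
    // None instead of reading memory beyond the buffer.
    input.get(1..1 + len)
}

/// The same parser written with the indexing operator. Still memory safe:
/// an out-of-range slice panics (a crash a fuzzer would flag immediately)
/// rather than silently reading adjacent memory.
pub fn parse_field_indexing(input: &[u8]) -> &[u8] {
    let len = input[0] as usize;
    &input[1..1 + len]
}

/// Run the indexing version and report whether it panicked, to show that
/// the failure mode is a controlled abort of the operation, not corruption.
pub fn indexing_panics_on(input: &[u8]) -> bool {
    std::panic::catch_unwind(|| parse_field_indexing(input).len()).is_err()
}

fn main() {
    // Constructed sample inputs: a well-formed field and a truncated one
    // whose declared length (0x20 = 32 bytes) exceeds the three bytes present.
    let ok: &[u8] = &[3, b'r', b'e', b'd'];
    let truncated: &[u8] = &[0x20, b'r', b'e', b'd'];

    assert_eq!(parse_field(ok), Some(&b"red"[..]));
    assert_eq!(parse_field(truncated), None);
    assert!(indexing_panics_on(truncated));
    println!(
        "checked parser: {:?}",
        parse_field(ok).map(|b| String::from_utf8_lossy(b))
    );
}
```

The point of the two variants is that neither reaches the outcome the C version does: `parse_field` reports the malformed input as data (`None`) and `parse_field_indexing` turns it into a panic. Both are availability problems at worst, which is why the memory-related bugs in the quoted counts drop out rather than merely changing shape.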

1 comment

One question I have, since the JVM, Flash VM, and also JavaScript VM seem to have occasional security issues: how confident are we that rustc bugs won't undermine the security of correctly written Rust programs?
Confident, not because rustc is written better but because your comment confuses two types of bugs.

The bugs you're talking about in JVM, Flash, and JavaScript implementations are bugs that allow malicious code to confuse the language implementation and break out of the programming-language-defined sandbox. Rust eliminates this class of bugs by not trying to sandbox anything in the first place :P.

If you did try to modify rustc to create that type of sandbox, you would fail; rustc is filled with the sort of bugs that allow malicious code to trick the compiler (largely as a result of using LLVM as the backend).

However the bugs that would undermine the security of correctly written code are a different sort of bug. These are bugs where the compiler takes well defined non-exploitable code and miscompiles it to produce a program that when fed malicious input is exploitable. These bugs are much rarer, because the input to the compiler is not malicious so the compiler is much more likely (almost always) to be on the happy/correct path.