[lmm]

> Half those applications are going to have other classes of new bugs simply because it’s new code and they’ve had less people audit the code.

True. But most other classes of bug are not security bugs by default in the way that memory safety bugs are.

[laumars]

That’s not true at all. 2 of the 3 biggest security vulnerabilities I’ve had to deal with in my career were completely unrelated and wouldn’t have been prevented had software been written in Rust instead.

Also half the software mentioned in that gist should never be used in security-focused applications anyway (if your depending on ‘cat’ or ‘awk’ to be bug free for your application to be hardened then you’re already doing it wrong)

[lmm]

> 2 of the 3 biggest security vulnerabilities I’ve had to deal with in my career were completely unrelated and wouldn’t have been prevented had software been written in Rust instead.

The last study I saw was that 52% of security vulnerabilities were still basic memory safety vulnerabilities. Memory safety isn't the only thing, but it's still the biggest thing.

> (if your depending on ‘cat’ or ‘awk’ to be bug free for your application to be hardened then you’re already doing it wrong)

People run cat or awk on log files (where an attacker could easily craft particular data patterns) all the time. Maybe they shouldn't, but they do.

[laumars]

> The last study I saw was that 52% of security vulnerabilities were still basic memory safety vulnerabilities. Memory safety isn't the only thing, but it's still the biggest thing.

My point wasn’t that memory safety isn’t a big issue. It’s that it’s not the only cause of vulnerabilities. Assuming your 52% figure is accurate (and I’m happy to take your word on that) that still means that roughly half of all vulnerabilities are not memory safety. Which means your figure actually just reinforces my point.

> People run cat or awk on log files (where an attacker could easily craft particular data patterns) all the time. Maybe they shouldn't, but they do.

I think there’s enough obscurity there hidden from the attacker that such usage should be safe from all but the most determined of attacker. And even then, they’d likely need some other attack to probe for usage about what systems are listening to what logs and using which POSIX utils that you could argue the attacker already has the access they need without going to the pain of crafting an overflow bug in a log file.

Im not saying those bugs don’t exist nor shouldn’t be addressed, I’m just being pragmatic about their exploitability.

The bigger issue is CI/CD pipelines. Often they’re define in the same mono-repo as the source itself and they’ll have execution rights automatically because that’s literally their function as a build and test pipeline. But because said pipelines are already visible and already executable, you need to have greater controls around that pipeline to prevent abuse otherwise it’s already game over even without an overflow bug.

[lmm]

> Assuming your 52% figure is accurate (and I’m happy to take your word on that) that still means that roughly half of all vulnerabilities are not memory safety.

Sure, but that half is every other category of bug put together. I guess if your model is that every other class of bug will be significantly increased by a rewrite then maybe that logic makes sense, but that seems unlikely to me.

[laumars]

You’re making strawman arguments. None of the points you’re proving are anything I’ve disagreed with.

Try reading the thread again

[lmm]

You said "Half those applications are going to have other classes of new bugs simply because it’s new code and they’ve had less people audit the code", and when I pointed out that such bugs would most likely not be security bugs you responded by saying that many security bugs aren't memory safety bugs. You may not have intended to say what you said, but what I'm disagreeing with is what you said, not a strawman, and even if you were right your condescension would still be unwarranted.

[steveklabnik]

(The actual number is more than that, it’s roughly 70%. This number was reported by at least Microsoft and Chrome, among others. That roughly the same number has popped up across many large companies helps us gain confidence that it’s roughly correct, though obviously it’s not a law.)

[laumars]

The domain matters a lot here though. If you’re talking about bugs in Chrome then yeah, you’d expect it to be weighted towards buffer overflows. But if you’re taking about bugs in a build script someone has written, then I’d wager human error (given commands and have shells have a pretty esoteric syntax) are more of a problem — and certainly easier to exploit - than a buffer overflow in awk.

Don’t get me wrong, I’m all for writing stuff in safer languages (I personally haven’t touched C in years for that reason). But simply throwing Rust at the problem without assessing the risks is just as careless. In the case of most POSIX base utils, the risk isn’t buffer overflows, it’s people exposing internal tools to untrusted external users.

Take shellshock for example, that’s a prime example for just how careless people can be. And while there was patches to fix that vulnerability in Bash, people shouldn’t have been writing software that passed untrusted data to Bash in the first bloody place.

My point is: Security is a multi-layered problem. So by all means let’s pivot towards newer, safer, languages of it can remove an entire class of bugs. But let’s not pretend that rewriting the entire of POSIX in Rust is either practical nor the end of the discussion. And if we acknowledge it’s not, then we must also acknowledge there’s already things we can do to harden against our C++ utils today while those C++ utils are still a necessity.

This is why the Rust argument fucks me off. People expect too much from it and use it as an argument whenever other countermeasures should have been in place irrespective of the vulnerability that was inevitably used.

[bluGill]

I use cat and awk in my build system. I can imagine bugs in either that I wouldn't notice in general that would compromise my application. They are off the wall enough that I don't think they have ever happened, but my application is an embedded system that has the ability to kill people so I'm a little paranoid. (not so much that I don't use awk in my build system where it is a useful tool)

[laumars]

My point was if you’re exposing your build system to untrusted individuals inputting untrusted data then you’ve already lost the game. Rust won’t save you from a RCE bug because you’ve already granted them RCE from the beginning.

An overflow bug in awk is only exploitable if someone can craft input into awk. And if you’re allowing people to do that then you’ve already given them access to remotely run code without them needing a bug.

[staticassertion]

> My point was if you’re exposing your build system to untrusted individuals inputting untrusted data then you’ve already lost the game.

This is how the vast majority of build systems are configured. If I have owned a dev and can push code to a branch I can likely execute code in their build environment. If they then parse that build output with something like awk, that's attack surface.

Is it the first thing I'd try to attack? Nope. But I do wonder what the cumulative impact of every binary on your system being memory safe would be. I'd definitely feel better.

[laumars]

> If I have owned a dev and can push code to a branch I can likely execute code in their build environment.

But then you’re also executing that code as a trusted user. Ie the real hack is owning the dev.

> This is how the vast majority of build systems are configured.

No. The vast majority of build systems are either locked to private repositories, and/or a subset of developers, and/or run in an ephemeral sandbox.

> But I do wonder what the cumulative impact of every binary on your system being memory safe would be.

I’d already answered that. It’s negligible because if someone can exploit a buffer overflow in awk then they can already run arbitrary code in awk (remember, awk is a programming language). So if you’re not already taking precautions about who is running what on your build system and how running code is sandboxes then it’s not going to take a buffer overflow bug to RCE it.

[staticassertion]

> But then you’re also executing that code as a trusted user. Ie the real hack is owning the dev.

That's like saying the real hack is sending a phishing email, ignoring all privesc, lateral movement, etc.

> No. The vast majority of build systems are either locked to private repositories, and/or a subset of developers, and/or run in an ephemeral sandbox.

I didn't say otherwise. I said that the majority allow untrusted execution. If you consider your engineers laptops to be trusted you're thinking about networks the way people did ~10+ years ago.

> It’s negligible because if someone can exploit a buffer overflow in awk then they can already run arbitrary code in awk

This isn't true, but even if it were you can just replace awk with anything else that's not turing complete.

[bluGill]

There are more bugs than just overflow bugs. See reflections on trusting trust https://users.ece.cmu.edu/~ganger/712.fall02/papers/p761-tho... for example.

[laumars]

That’s literally the point I’m making.