[benwilber0]

> I probably would have gone for turning the UaF into an type confusion style attack

I'm aware that Linux is nearly 40 years old at this point, and C is even decades older. But it is mind-boggling to me that we're still talking about UAFs and jumping from dangling pointers to get privileged executions in the 21st century.

(rewrite it in Rust)

[pjmlp]

That was obvious to C.A.R Hoare in 1980, should have been obvious to the industry after the Morris worm in 1988, yet here we are, zero improvements to the ISO C standard in regards to prevent exploits in C code.

[musicale]

Multics (written in PL/I) didn't suffer from buffer overflows. Ada was (and is) memory safe. Pascal had (and still has) range checks and bounded strings.

But we do have -fbounds-safety in clang (at least on macOS).

[snarf_br]

What's stopping you from doing just that? Looking forward to your linux-rust kernel.

[enigma101]

Never if anything remove Rust from linux!

[Ygg2]

Nonsense, the C guy told me those happen to people that make mistakes, and that he, being the offspring of the Elemental of Logic, and "Hyperspace cybernetic intelligence and juvenile delinquent John Carmack" is completely immune to such pathetic issues. He works at Linux. Yes, all of Linux.

[uecker]

Yes, we need a languages that makes it impossible. But how could this happen in Rust? https://github.com/advisories/GHSA-5gmm-6m36-r7jh But clearly, this does not count because it used "unsafe", so it remains the programmer's fault who made a mistake. Oh wait, doesn't this invalidate your argument?

[mkj]

A random 16 star github repo using unsafe doesn't really tell anyone much.

[Ygg2]

> Oh wait, doesn't this invalidate your argument?

Not really. If you can't be perfect, at least be good.

Unless you want to make an argument that searching all of your code base for UB is better than running on a relatively small subset (20-30%).

Or that Linux should use tracing GC + value types. Which I would find decent as well. But sadly LKML would probably disagree with inclusion of C# (or Java 35).

[uecker]

You can't be perfect. The question is how much improvement "rewriting in Rust" actually brings, how important that is, and what downsides it may have.

[throwawayqqq11]

Another, way more impertant question is, can we keep maintaining legacy C code in community driven FOSS projects, when the world moves on.

[uecker]

Does the world really move on? I think HN could be misleading here. And is moving to evermore complex solution the right answer to mainentance problems? I doubt it.

[eru]

If you really want, you could write your code in Agda or similar and prove it correct. See also seL4 https://github.com/seL4/seL4 which is a proven correct kernel.

https://sel4.systems/Verification/proofs.html

[uecker]

... written in C.

[eru]

It's written in C in the same way it's written in assembly:

C is just used as part of the process to go from a high level spec to executable code.

You can also compile eg Haskell via C.

The subset of C used in seL4 is highly constrained.

[johnnyjeans]

a subset of C is provable, and is the de-facto standard in the industry.

what is it with rust people and thinking robust, automatic correctness checking was invented in the last 20 years?

[immibis]

Proven correct C

[uecker]

The last version of C is ISO C 23. I also do believe that rewriting in Rust is the best way to address memory safety in legacy C code and not even for new projects, nor do I think that memory safety is the most pressing security problem.