Hacker News new | ask | show | jobs
by foldr 67 days ago
That's far from trivial in Rust because of 'unsafe' blocks. There are approaches to verifying unsafe code in Rust, but formally verifying a Rust program is still likely to be significantly more complex than formally verifying, say, a Java program.

(And before someone says it: no you don't only have to verify the small amount of code in 'unsafe' blocks. Memory safety errors can be caused by the interaction of safe and unsafe code.)
1 comments
pjmlp 67 days ago
At least you can grep for unsafe/system/unchecked in several alternative systems languages.

For C and C++, we have to hope the static analysis tool actually found all possible spots.

Despite the way it is going on as a drama between WG21 and community, C++ might eventually get Ada style profiles in C++29, lets see how it plays out.

Then you also would have something to grep for, [[profile:...]]

C? Same business as usual.

link
foldr 67 days ago
Grepping for unsafe blocks doesn’t help that much for formal verification, because you have to verify all of the code.

The easiest way to see this is to note that ‘unsafe’ itself doesn’t have any semantics, so it can’t possibly allow anything to be proved that couldn’t have been proved otherwise.

link
pjmlp 67 days ago
It helps finding locations for possible flaws outside the type system soundness.

Now if we go discussing formal verification in general, even something like Dafny or Lean may fail, if the proofs aren't correctly written for the deployment scenario.

Just like one may still die while wearing helmets, airbags, and security belts, yet the casualties amount is much worse without them.

link
foldr 67 days ago
It helps a human armed with only a tool as crude as grep. But if Rust didn't have the requirement to mark unsafe operations with the 'unsafe' keyword, that information could trivially be added back automatically. If you're doing correctness proofs of realistic Rust code, you'd better already have tools that are at least capable of looking through your codebase for any instances of raw pointer access, etc.

There's a lot of mythology around Rust unsafe blocks. They're a useful lint, but they don't alter the fundamental safety properties of the language.

link
pjmlp 66 days ago
The mythology of unsafe blocks goes all the way back to ESPOL on Burroughs, still sold nowadays by Unisys, for customers that want OS security as the number one feature, before anything else.

It was also adopted by several systems and application programming languages outside C geology, until C# came to be, which is probably the first curly brackets language with unsafe code blocks.

The first error naysayers make on the eyes of SecDevOps, thus losing credibility points, is to focus too much on Rust, and too little on history of secure systems.

The first fundamental rule is to reduce attack surface, on C, and C++ (until and if profiles come to be), it is all over the place.

I don't see folks that usually post on HN or Reddit going to buy Astrée licenses, or integrate Frama-C into their development process.

link
foldr 66 days ago
I am not sure what point you're trying to make. Who are the 'naysayers', and what are they saying 'nay' to? And what do they have to do with anything I commented on?
link