Conversation

This Tweet was deleted by the Tweet author. Learn more

Replying to

No, that's not what he means. He's saying that an external file system should have a sandboxed filesystem driver, so that exploiting a bug inside it doesn't immediately grant complete control over the entire system and at least requires privesc to escape (likely via the kernel).

Replying to

Try reading the overview in events.linuxfoundation.org/wp-content/upl. Finding a Linux kernel vulnerability is not hard. Literally hundreds of bugs are found by syszkiller every month and many are not fixed. Most are memory corruption. There are simply too many to even fix all discovered bugs.

Replying to

yes, we don't need to debate the question "can people write memory safe code in C" the answer is overwhelmingly obvious to almost all of us

This Tweet was deleted by the Tweet author. Learn more

Replying to

Victor what is your interpretation of the results presented in the syzkaller slide deck?

This Tweet was deleted by the Tweet author. Learn more

Replying to

ok! so then would it be fair to say that you don't believe these bugs reflect any sort of shortcoming in the C language, but rather they all stem from ineptitude or a refusal to follow best practices?

This Tweet was deleted by the Tweet author. Learn more

Replying to

That's really not true. The vast majority of the Linux kernel doesn't inherently involve unsafe operations. The lack of safe abstractions (which cannot be made in C) lead to having pervasive unsafe code. It already makes many of these abstractions. C just can't enforce safety.

7:46 PM · Apr 17, 2019Twitter Web Client

Replying to

Using a memory safe language for a kernel does not mean you cannot implement these unsafe operations. It means that you implement them in contained unsafe code that exposes safe APIs. It's really not hard to understand how that works. These abstractions already exist in Linux.

Replying to

Linux kernel drivers are not doing things like directly copying userspace memory to the kernel. They're using abstractions, which in a memory safe language would be safe, but are unsafe due to C being unable to enforce memory safety. They do *try* to make safe abstractions.

Show replies