Conversation

This Tweet was deleted by the Tweet author. Learn more

Replying to

Separately from using a memory safe language for most of the code, device drivers usually do not need to run in a privileged context. They can be run in an isolated process with the IOMMU containing the hardware. Exploiting a network driver shouldn't compromise a whole system.

This Tweet was deleted by the Tweet author. Learn more

Replying to

Even before IOMMU existed, the programming model of letting drivers setup DMA themselves rather than going through a safe public interface that could have imposed IOMMU on them with no source-level changes was bad design.

This Tweet was deleted by the Tweet author. Learn more

Replying to

iOS implements TCP/IP in userspace and most operating systems have drivers at least partially implemented in userspace. Many of the secondary processors in a computer run a microkernel with isolated components. Most smartphones have *at least* one L4 implementation in them.

Replying to

You talk about microkernels / isolated drivers and memory safe languages as if they're not already been broadly used in the wild. Most code is written in memory safe languages these days. Systems code is increasingly moving to them too. Kernels and drivers are *mostly* not yet.

This Tweet was deleted by the Tweet author. Learn more

Replying to

Java is a traditional example of a type / memory safe language. It has a very poor quality type system, like C, and it's not good at safety beyond memory safety. It can't do automatic integer overflow checking either, but at least it doesn't lead right to memory corruption bugs.

9:45 PM · Apr 17, 2019Twitter Web Client

Replying to

Most languages are memory safe. That's not a unique thing about Rust. The unique aspect is that it's a memory safe low level language encoding ownership and lifetime concepts into the type system rather than relying on garbage collection or pervasive automatic reference counting.

Replying to

Swift takes the approach of pervasive automatic (atomic) reference counting. Android heavily uses Java for much of the systems code on top of the kernel and drivers. iOS is increasingly using Swift for that. Most OS services above the kernel don't need a low-level language.

Show replies

This Tweet was deleted by the Tweet author. Learn more

Replying to

You're proving my point by linking to a list of bugs that are mostly in C code. Nearly all the serious bugs involve both major issues that I have talked about: memory unsafety and dynamic code execution. Also once again with the misleading and now dishonest CVE counting.

Show replies