Conversation

This Tweet was deleted by the Tweet author. Learn more

Replying to

Separately from using a memory safe language for most of the code, device drivers usually do not need to run in a privileged context. They can be run in an isolated process with the IOMMU containing the hardware. Exploiting a network driver shouldn't compromise a whole system.

This Tweet was deleted by the Tweet author. Learn more

Replying to

Even before IOMMU existed, the programming model of letting drivers setup DMA themselves rather than going through a safe public interface that could have imposed IOMMU on them with no source-level changes was bad design.

This Tweet was deleted by the Tweet author. Learn more

Replying to

iOS implements TCP/IP in userspace and most operating systems have drivers at least partially implemented in userspace. Many of the secondary processors in a computer run a microkernel with isolated components. Most smartphones have *at least* one L4 implementation in them.

Replying to

You talk about microkernels / isolated drivers and memory safe languages as if they're not already been broadly used in the wild. Most code is written in memory safe languages these days. Systems code is increasingly moving to them too. Kernels and drivers are *mostly* not yet.

This Tweet was deleted by the Tweet author. Learn more

Replying to

Java is a traditional example of a type / memory safe language. It has a very poor quality type system, like C, and it's not good at safety beyond memory safety. It can't do automatic integer overflow checking either, but at least it doesn't lead right to memory corruption bugs.

Replying to

Most languages are memory safe. That's not a unique thing about Rust. The unique aspect is that it's a memory safe low level language encoding ownership and lifetime concepts into the type system rather than relying on garbage collection or pervasive automatic reference counting.

9:47 PM · Apr 17, 2019Twitter Web Client

Replying to

Swift takes the approach of pervasive automatic (atomic) reference counting. Android heavily uses Java for much of the systems code on top of the kernel and drivers. iOS is increasingly using Swift for that. Most OS services above the kernel don't need a low-level language.

Replying to

Go is only 95% memory safe since unlike Rust it still has data races and unlike Java it doesn't enforce the guarantee that data races can't lead to memory corruption. However, in practice, Go code is memory safe, and it's guaranteed to be when the runtime is using one OS thread.