We know how to write software with decent security and these kinds of capabilities. It's not a mystery. We choose to use software architectures and languages making it unrealistic to provide decent security. Even if you claim that it's due to programmer incompetence, not tools...
... then clearly there are near 0% competent C programmers. The whole point of safer tooling is that humans aren't being trusted to never make a mistake or miss something. It's extremely hard to write completely correct software and those bugs should not be remotely exploitable.
You only need to be highly competent at C if you're writing attack surfaces. Otherwise you just need to be very clear that your code is not intended to be used anywhere where it's an attack surface.
Such code is even usable with untrusted data, if you run it in a safe privilege context. For instance seccomp sandbox, container sandbox, wasm, a virtual machine, ...
... unless it can communicate back to the attacker, in which case you can use that RCE to exfiltrate data via side channels, no?
Obviously it has access to any bugs, including hardware-level ones, in whatever sandbox model you use. But cross-process Spectre etc. are possible to mitigate completely. You can also deny access to time to make them all impossible.
An attacker with arbitrary native code execution is in a powerful position even within a very tight sandbox. That's drastically more attack surface than a well implemented file format handling library which can of course be used inside a sandbox just like an insecure one.
Spawning a fresh sandboxed process for every single file is needed if that's the only way you implement a security boundary too. Reusing a sandboxed renderer across security boundaries (different files) is bad since they can insert evil data elsewhere.
Processes are ridiculously cheap. A few microseconds. It's the startup of awful runtimes, not process creation or execve, that's expensive.
I should note that memory safe comprehensive implementations of PNG already exist and are widely used in the Rust ecosystem, so this is kind of an academic debate.
That's my point. There are options available with decent security, and that can be combined with a sandbox if desired (although this case is way too simple to have much value) rather than just giving up on preventing arbitrary code execution and exposing far more attack surface.
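The per-file sandboxed worker discussed above (seccomp, one fresh process per file), as an added example in C that is not code from anyone in this thread: the parent forks a throwaway child, the child enters seccomp strict mode before it touches the untrusted bytes, and a child the kernel kills for straying outside read/write/exit is reported as a failure rather than a result. Assumes Linux with glibc; the PNG header bytes and all function names are constructed for the example.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/seccomp.h>
struct png_hdr { int ok; uint32_t width, height; };
/* Constructed sample: PNG signature + 13-byte IHDR chunk declaring 256 x 128, dummy CRC. */
const unsigned char SAMPLE_PNG[] = { 0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13,
    'I', 'H', 'D', 'R', 0, 0, 1, 0, 0, 0, 0, 0x80, 8, 6, 0, 0, 0, 0, 0, 0, 0 };
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static int same(const unsigned char *a, const unsigned char *b, size_t n) {
    while (n--) if (*a++ != *b++) return 0;       /* own compare: no libc call after lockdown */
    return 1;
}
/* Pure in-memory parser of signature + IHDR header: it needs no syscalls at all. */
static struct png_hdr parse_png_hdr(const unsigned char *buf, size_t len) {
    static const unsigned char sig[8] = { 0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a };
    struct png_hdr h = { 0, 0, 0 };
    if (len < 24 || !same(buf, sig, 8)) return h;
    if (be32(buf + 8) != 13 || !same(buf + 12, (const unsigned char *)"IHDR", 4)) return h;
    h.width = be32(buf + 16); h.height = be32(buf + 20); h.ok = 1;
    return h;
}
/* Returns 1 when parsed, 0 when the bytes are not a PNG, -1 when the worker died (the kernel
 * SIGKILLs it on any syscall outside read/write/exit/sigreturn) or sandbox setup failed. */
int parse_png_hdr_sandboxed(const unsigned char *buf, size_t len, uint32_t *w, uint32_t *h) {
    int fd[2], status; struct png_hdr r = { 0, 0, 0 };
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                   /* fresh worker for this one file */
        close(fd[0]);
        (void)write(fd[1], "", 0);                    /* touch write()/syscall() now, so lazy */
        (void)syscall(SYS_getpid);                    /* symbol binding is done before the filter */
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0) syscall(SYS_exit, 2);
        r = parse_png_hdr(buf, len);                  /* untrusted bytes are touched only after lockdown */
        (void)write(fd[1], &r, sizeof r);
        syscall(SYS_exit, 0);                         /* raw exit: glibc _exit() uses exit_group, forbidden here */
    }
    close(fd[1]);
    ssize_t n = read(fd[0], &r, sizeof r);
    close(fd[0]);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status) || WEXITSTATUS(status) != 0 || n != (ssize_t)sizeof r) return -1;
    if (!r.ok) return 0;
    *w = r.width; *h = r.height; return 1;
}
```

Any attempt by the worker to open a file, allocate via mmap or talk to the network ends in SIGKILL, which the parent sees as -1; the in-memory parse itself is the only thing the worker is permitted to do.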