This Tweet was deleted by the Tweet author.
The issue is that generics are basically a requirement for memory safety without GC as Rust does it. Otherwise you can't create safe abstractions, which would mean that every time you want a linked list you have to write unsafe code. That would undermine memory safety.
This Tweet was deleted by the Tweet author.
Go is only memory safe if you force the runtime to use a single OS thread. It's not memory safe by default. It doesn't pay the price of providing safety in the presence of data races like Java. The built-in map and slice types don't maintain memory safety during data races.
It's both garbage collected and memory unsafe. If you think this isn't a real world issue and couldn't be exploited, you would be very wrong. The approach it takes makes data races common: pass-by-reference for mutable data structures that are memory unsafe when races occur.
I’ve had famous security people tell me that there is no way that issue could be exploited. I was skeptical but I was willing to concede the point at the time 🤷‍♂️
It's definitely exploitable. The chance of a successful exploit is likely very low in most cases, but an exploit can be targeted at a fleet of devices and even a 1/10000 chance of success is a massive problem. In many cases, there's process respawning allowing repeated attempts.
A failed attempt is going to trigger a panic, not a direct crash, so the Go program handling the panic and trying again or accepting more requests (depending on the environment) is also good enough to make it reliable for exploiting a specific host, which isn't always the goal.
Essentially what you would be doing is triggering an update of a map or slice from another thread (much more straightforward with a slice) and then triggering a read from another thread using it where the pointer and length don't match so the bounds check can be bypassed.
Go projects fix these kinds of data races without considering their existence to be a security issue, so it doesn't get much attention. If the attacker has some control, it's probably exploitable, and even if that only works in a fraction of cases where stars align it's an issue.
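
The thread describes a reader using a slice whose pointer and length don't match after a concurrent update. A defensive pattern for that case, as an added example that is not part of the thread: publish the slice through `sync/atomic` so readers only ever load a complete header. The `Buffer` type and the `Stress` helper are hypothetical names, and the slices are constructed sample data.

```go
package main

import (
	"bytes"
	"fmt"
	"sync"
	"sync/atomic"
)

// Buffer publishes a slice to concurrent readers. A slice header is several
// words, so a plain field write racing with a read can tear; atomic.Value
// makes every publish all-or-nothing. (Hypothetical type for illustration.)
type Buffer struct{ v atomic.Value } // only ever holds []byte

// Replace publishes next; the caller must not mutate it afterwards.
func (b *Buffer) Replace(next []byte) { b.v.Store(next) }

// Snapshot returns the published slice (read-only), or nil if none yet.
func (b *Buffer) Snapshot() []byte {
	s, _ := b.v.Load().([]byte)
	return s
}

// Stress swaps a short and a long slice while readers index the last element
// of each snapshot; it returns how many snapshots had a wrong last byte.
func Stress(rounds, readers int) int64 {
	pair := [2][]byte{bytes.Repeat([]byte{'S'}, 8), bytes.Repeat([]byte{'L'}, 4096)}
	marker := map[int]byte{8: 'S', 4096: 'L'} // expected fill byte per length
	b := &Buffer{}
	b.Replace(pair[0])
	var bad int64
	var wg sync.WaitGroup
	for r := 0; r < readers; r++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for i := 0; i < rounds; i++ {
				if s := b.Snapshot(); s[len(s)-1] != marker[len(s)] {
					atomic.AddInt64(&bad, 1)
				}
			}
		}()
	}
	for i := 0; i < rounds; i++ {
		b.Replace(pair[i%2])
	}
	wg.Wait()
	return atomic.LoadInt64(&bad)
}

func main() { fmt.Println("inconsistent snapshots:", Stress(100000, 4)) }
```

Running this with `go run -race` reports no race, whereas the same program with a plain `[]byte` field in place of `atomic.Value` is flagged by the race detector.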