In memory safe languages, they serve other purposes, such as controlling the Chomsky level of the parsed language.
-
-
Replying to @andreasdotorg
That's true, but for many cases that's not much of an issue. For example, with media decoding it doesn't really matter much.
2 replies 0 retweets 0 likes -
Replying to @CopperheadOS @andreasdotorg
Maybe an attacker could figure out a way to make an image displaying as a different image due to a bug in a decoder, etc.
1 reply 0 retweets 0 likes -
Replying to @CopperheadOS @andreasdotorg
That's much different than local or remote code exec in context of the parser. Memory safety + no dynamic code prevents that.
1 reply 0 retweets 0 likes -
Replying to @CopperheadOS @andreasdotorg
Parser generators save time, reduce bugs and CAN provide nice standard tooling but for security you mostly want mem safety.
2 replies 0 retweets 0 likes -
Replying to @CopperheadOS
If you're forced to work in an unsafe language, they provide a lot of extra protection, though.
1 reply 0 retweets 0 likes -
Replying to @andreasdotorg
At least if they provide those kinds of guarantees and a sane API for integration. Compiling safe lang to C would too.
1 reply 0 retweets 0 likes -
Replying to @CopperheadOS @andreasdotorg
Ragel is really neat tool but really would not recommend using it with the C backend in anything that's meant to be secure.
1 reply 0 retweets 0 likes -
Replying to @CopperheadOS @andreasdotorg
Also there are often better ways to do stuff... full blown parser generators or simply using regex (can be compile-time too).
1 reply 0 retweets 0 likes -
Replying to @CopperheadOS @andreasdotorg
Even regex can be a bad idea, since backtracking implementations don't provide the O(nm) guarantee that re2, etc. can do.
2 replies 0 retweets 1 like
I was about to comment that many regex libs are not regular anymore. :)
-
-
Replying to @andreasdotorg
re2 is actually regular and has a time complexity guarantee though, and so do the standard Go and Rust libs inspired by it.
1 reply 0 retweets 0 likes -
Replying to @CopperheadOS @andreasdotorg
https://codesearch.debian.net/ uses an indexed variant of the full re2 regex dialect which is pretty cool...
0 replies 0 retweets 1 like
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.