Quick rant about memory safety and #WebAssembly
First off, what *is* memory safety? It's a slippery term, but there are at least two core principles:
- Temporal safety: No allocation can be accessed after it is freed (failure mode: use-after-free)
- Spatial safety: No reference to an allocation can be used to access memory outside the allocated range (failure mode: buffer overflow)
#WebAssembly is memory safe because a module instance allocates all of its memory at once and every access is bounds checked, so it enjoys both properties. A good way to think about it: "The Module object is memory safe". wasm protects the surrounding system from whatever the wasm code is doing.
While wasm is memory-safe, your code, compiled to wasm, may not be.
If you compile old openSSL to wasm via emscripten, it's still vulnerable to heartbleed!
When you compile C code to wasm, it has its own notion of allocation (malloc). All heap allocations happen within the Wasm linear memory, with nothing to enforce the boundary between allocations or to prevent use-after-free. Just like when you normally write C.
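To make that concrete, here is a small added C model (not code from the thread): a 256-byte stand-in for a module's linear memory, the engine's per-access bounds check, and a bump allocator standing in for the module's compiled-in malloc. All names and the "SECRET!!" sample value are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of one module's linear memory: a single flat byte array.
 * Real memories are multiples of 64 KiB pages; 256 bytes is enough here. */
#define LINEAR_MEMORY_SIZE 256
static uint8_t linear_memory[LINEAR_MEMORY_SIZE];
static uint32_t heap_top; /* bump pointer of the module's compiled-in malloc */

enum load_result { LOAD_OK, LOAD_TRAP };
/* The only check the engine guarantees: the address must lie inside the
 * memory. This is the "Module object is memory safe" property. */
static enum load_result wasm_load8(uint32_t addr, uint8_t *out) {
    if (addr >= LINEAR_MEMORY_SIZE) return LOAD_TRAP;
    *out = linear_memory[addr];
    return LOAD_OK;
}

/* Stand-in for the allocator compiled into the module (dlmalloc, emmalloc):
 * it hands out offsets inside linear memory; the engine knows nothing of them. */
static uint32_t wasm_malloc(uint32_t n) {
    uint32_t p = heap_top;
    heap_top += n;
    return p;
}

/* Reads one byte past a 4-byte buffer. The next allocation is adjacent, so the
 * load is still inside linear memory and does not trap; it returns the
 * neighbour's first byte. Returns -1 if the engine trapped (it will not). */
int overread_neighbour(void) {
    heap_top = 0;
    memset(linear_memory, 0, sizeof linear_memory);
    uint32_t buf = wasm_malloc(4);
    uint32_t secret = wasm_malloc(8);
    memcpy(&linear_memory[buf], "abcd", 4);
    memcpy(&linear_memory[secret], "SECRET!!", 8); /* constructed sample */
    uint8_t b;
    if (wasm_load8(buf + 4, &b) == LOAD_TRAP) return -1;
    return b; /* 'S': spatial safety between allocations is not enforced */
}

/* The same kind of over-read at the edge of linear memory is caught. */
int load_past_memory_end_traps(void) {
    uint8_t b;
    return wasm_load8(LINEAR_MEMORY_SIZE, &b) == LOAD_TRAP;
}
int main(void) {
    printf("byte past buffer: %c (no trap)\n", overread_neighbour());
    printf("load past memory end traps: %d\n", load_past_memory_end_traps());
    return 0;
}
```

The bounds check fires only at the memory boundary, which is exactly why a compiled-in heap bug stays a bug inside the module.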
Unfortunately, memory safety in C is not something we can always verify statically; it's a dynamic property of the program, which means enforcing it has a cost. With the use of "page-table magic" we can get these properties with middling but not awful overhead. See "Oscar" from UCB.
But in wasm, we don't have access to page table syscalls. The memory model is much simpler. And so, wasm is actually a step backward for memory-safe C code. Languages like #rustlang that provide static guarantees can produce performant memory-safe programs in wasm.
Don’t take it the wrong way, languages designed to be memory safe are a huge deal from a security perspective. But they don’t make other mitigations unnecessary.