When Firefox is implemented primarily in Rust I will be the first person encouraging everyone to switch.
Is it possible that, over time, this will change as Firefox's parallelism is written more in a language that is less subject to these vulnerabilities in the first place?
-
Is there a spectrum?
-
In what sense? (Probably there is?)
-
Does it have to be "primarily in Rust" or is there a crossing over point where the wins from reduced surface area overcome other factors?
-
I think a reasonable way to look at it is that between {CFG/CFI, JIT hardening, allocator hardening} and Rust, Rust is the superior antiexploit technology.
-
If Firefox can really ship a browser where most of the attack surface is implemented in Rust, Rust will pay off bigtime. But nobody working on FF will tell you they’re there, or really even that close, yet.
-
Agree. This is what I'm personally looking at, but I think they're humming along at a faster velocity than it looks like (or than they'd tell you; implementors are conservative, which is good).
-
When they get there, I’ll be cheerleading them right next to you. :)
-
More important in the short term are sandboxing wins, some of which are related to Quantum—e.g. WebRender moves CSS rendering out of process
-
In other words: It’s important that WebRender is Rust, but the *biggest* security win from it isn’t Rust—it’s that it runs out of process
-
Does Rust help make building this architecture easier?
-
It does, because serde for IPC. One of the Pwnium vulns involved RCE via exploiting Chrome’s handwritten IPC code for out of process GPU.
-
Does the way that threads isolate memory in Rust make transitioning things out of process more straightforward?
-
If your architecture is written in Rust, sure. That was how I got Servo to be multiprocess in the first place. (Not as applicable to Gecko)
-
We found this to be somewhat true when we migrated a lot of @skylight into a daemon. I wonder whether some abstractions could be written to enable this more (like https://ruby-doc.org/stdlib-2.4.0/libdoc/drb/rdoc/DRb.html … for Ruby)