Stance on memory-safe languages
Most of the security vulnerabilities those days in operating systems are related to memory corruption issues, due to the fact that all the major ones are written either in C or in C++.
Of course, Rust, Go, OCaml, Ada and their friends aren’t the silver bullet, they can still have crashes and logical bugs, but a least mistakes will no longer systematically lead to an RCE.
Marek Marczykowski-Górecki, project lead of Qubes, gave a talk at the Xen Developer and Design Summit 2019, entitled “A Journey to Mirage OS as Xen PVH”, about running Mirage OS on Unikraft, as well as the advantages of running a minimal operating system written in a memory-safe language as a firewall in a highly-secure computing context.
In March 2016, Peter Maydell, core developer of QEMU, said:
I would be more interested in a proposal to move parts of QEMU to Rust, or just about anything else except C++…
In August 2016, Linus Torvald said:
I’m not convinced about Rust for an OS kernel (there’s a lot more to system programming than the kernel, though), but at the same time there is no question that C has a lot of limitations.
In 2017, Google published crosvm:
This component, known as crosvm, runs untrusted operating systems along with virtualized devices. No actual hardware is emulated. This only runs VMs through the Linux’s KVM interface. What makes crosvm unique is a focus on safety within the programming language and a sandbox around the virtual devices to protect the kernel from attack in case of an exploit in the devices.
Microsoft published in July 2019 a blogpost stating its interest in Rust, and encouraging others to take a serious look at it.
OCaml is available in OpenBSD since August 2006, Go available and supported since November 2014, like ADA, and finally, Rust landed there in 2015.
But in December 2017, Theo de Raadt said:
As a general trend the only things being written in these new languages are new web-facing applications, quite often proprietory (sic.) or customized to narrow roles. Not Unix parts.
Right now, there are zero usage cases in the source tree to require those compiler tools. We won’t put a horse into the source tree when society lacks cart builders.
However there is a rampant fiction that if you supply a new safer method everyone will use it. For gods sake, the simplest of concepts like the stack protector took nearly 10 years for adoption, let people should switch languages? DELUSION.
Such ecosystems come with incredible costs. For instance, rust cannot even compile itself on i386 at present time because it exhausts the address space.
Consider me a skeptic – I think these compiler ecosystems face a grim bloaty future.
The rest of the thread is full of people piling up hilarious anecdotes and made up things on why Rust and other memory-safe languages are terrible.
The 10th of October 2022, the Linux kernel started to some parts written in Rust.
It seems that OpenBSD is going against the tide here, actively rejecting memory-safe languages, despite some outsiders, like Sebastien Marie, the Rust maintainer in OpenBSD, who’s doing a great job to make it work there, since it’s now a requirement for Firefox.