Stance on memory-safe languages
Most of the security vulnerabilities found these days in operating systems are memory corruption issues, because all the major ones are written in either C or C++.
Marek Marczykowski-Górecki, project lead of Qubes, gave a talk at the Xen Developer and Design Summit 2019, entitled “A Journey to Mirage OS as Xen PVH”, about running Mirage OS on Unikraft, as well as the advantages of running a minimal operating system written in a memory-safe language as a firewall in a highly secure computing context.
I would be more interested in a proposal to move parts of QEMU to Rust, or just about anything else except C++…
In August 2016, Linus Torvalds said:
I’m not convinced about Rust for an OS kernel (there’s a lot more to system programming than the kernel, though), but at the same time there is no question that C has a lot of limitations.
In 2017, Google published crosvm:
This component, known as crosvm, runs untrusted operating systems along with virtualized devices. No actual hardware is emulated. This only runs VMs through Linux’s KVM interface. What makes crosvm unique is a focus on safety within the programming language and a sandbox around the virtual devices to protect the kernel from attack in case of an exploit in the devices.
Microsoft published in July 2019 a blog post stating its interest in Rust, and encouraging others to take a serious look at it.
But in December 2017, Theo de Raadt said:
As a general trend the only things being written in these new languages are new web-facing applications, quite often proprietary or customized to narrow roles. Not Unix parts.
Right now, there are zero usage cases in the source tree to require those compiler tools. We won’t put a horse into the source tree when society lacks cart builders.
However there is a rampant fiction that if you supply a new safer method everyone will use it. For gods sake, the simplest of concepts like the stack protector took nearly 10 years for adoption, let people should switch languages? DELUSION.
Such ecosystems come with incredible costs. For instance, rust cannot even compile itself on i386 at present time because it exhausts the address space.
Consider me a skeptic – I think these compiler ecosystems face a grim bloaty future.
It seems that OpenBSD is going against the tide here, actively rejecting memory-safe languages, despite a few exceptions, such as Sebastien Marie, the Rust maintainer in OpenBSD, who is doing a great job keeping it working there, since it is now a requirement for Firefox.