Memory Safety with Yael Grauer

Yael Grauer joined Bryan, Adam, Steve Klabnik, and the Oxide Friends to talk about her recent Consumer Reports article on memory safety and memory safe languages. How do we inform the general public? How do we persuade practitioners and companies? Thanks for joining us, Yael!In addition to Bryan Cantrill and Adam Leventhal, we were joined by special guest Yael Grauer, and Steve Klabnik.Some of the topics we hit on, in the order that we hit them (experiment in turning the show live-chat into notes):Nahum: https://www.backblaze.com/blog/the-3-2-1-backup-strategy/ if anyone wants to read up on the 3-2-1 Backup strategy. 👅Cyborus: can we get a link to the talk?Nahum: https://www.youtube.com/watch?v=Q9s2NxILBK8Nahum: https://digital-lab-wp.consumerreports.org/wp-content/uploads/2023/01/Memory-Safety-Convening-Report-.pdf via https://digital-lab-wp.consumerreports.org/2023/01/23/new-report-future-of-memory-safety/Nahum: https://en.wikipedia.org/wiki/Pegasus_(spyware)Cyborus: "can we talk" => "hey. you. have a panic attack. anyways i got a cool sandwich"AaronW: "of course we should have seatbelts" 😄MattCampbell: but then you've got the C die-hards who say that Rust itself is too complexAaronW: https://twitter.com/markrussinovich/status/1571995117233504257?s=46DanCrossNYC: People used to say the same thing about PL/I and recently the COBOL people have been saying the same thing. Nothing new under the sun.statuscalamitous: https://blog.yossarian.net/2023/02/11/The-unsafe-language-doom-principleDanCrossNYC: People who still want to treat C as a high-level assembler are saying the same stuff the PL/I people were saying when I was young.Eric Likness - carpetbomberz.com: In support of Yael, Ralph Nader wasn't/isn't an automotive engineer and he could still argue for lowering safety risks to car buyers. It's advocacy.cdaringe: As an ocaml user, i was hoping revery would take off https://github.com/revery-ui/reverystatuscalamitous: https://press.princeton.edu/books/hardcover/9780691174952/the-tyranny-of-metricsSaethlin: Wake up babe, new 0xide reading assignment droppedAaronW: Labelled like a can of pringles -- "20% more malloc() free()!"Nahum: Relevant to rules based accounting: https://www.schneier.com/blog/archives/2023/02/hacking-the-tax-code.htmldrew: Rigorous definitions of “unsafe code” just wont cut it igig: 40% less direct pointer arithmetic than the leading brand of operating systemsa172: How does principle based accounting even work? Like, how do you define if something violates the principle or not, without just turning it back into rules based?Eden: Checkboxes are meaningful for operational checklists. Aviation and medicine use them pretty heavily. Not so meaningful for systemic work like developing a new aircraft or a new surgery.Eden: So I guess a rules-based approach works for lines of code, but breaks down for project-level decisions such as which language to use.Saethlin: The S in IoT is for securitybenstoltz: ifixit repairability score for HW should have an analog for SW/FW.DanCrossNYC: That's precisely what the pl/i folks acted like 25 years ago.sam801: c++ will live on thru carbon, cppfront, and val.DanCrossNYC: Prediction: carbon is doa.Saethlin: I'll believe it once anyone uses thoseig: I think the other part is there's some really important pieces of software that everyone uses daily which use memory unsafe languages. Our web browsers, and our operating systems.AaronW: I live in a condo and I still unplug expensive electronics during a thunderstorm. Maybe it's because I had many electronics fried when I was young, and my first language was C++.Eric Likness - carpetbomberz.com: Same with answering a landline during a thunderstorm.DanCrossNYC: Had to stop training during thunderstorms in the Marines.Eden: My day job is security. 😉 I rail against compliance checklists on a regular basis because a lot of auditors insist on the checkbox rather than proper security consideration. For example, PCI-DSS requires password rotation, which everyone has known for decades leads to users picking worse passwords.alilleybrinker: https://www.usenix.org/system/files/sec22summer_alexopoulos.pdfstatuscalamitous: https://security.googleblog.com/2022/12/memory-safe-languages-in-android-13.htmla172: Google and Mozilla are making pretty good strides in migrating their browser to Rust. Still a ton of work to go, but entire systems have been moved to Rust.JamesBrock: "Lindy" https://en.wikipedia.org/wiki/Lindy_effectstatuscalamitous: https://security.googleblog.com/2021/04/rust-in-android-platform.htmlDanCrossNYC: Another issue with C/C++ in particular is that UB causes latent bugs to surface years later.alilleybrinker: In the paper linked above, the average lifetime looks to have been about 3.5 years.Saethlin: I learned Rust faster than C++alilleybrinker: Related, you might be interested in EPSS: https://www.first.org/epss/DanCrossNYC: Rust requires a bit of humility. For veteran C programmers, that can be a gut punch.srockets: “Compiler says no” is something that Haskell was proud of, but Rust is the first language I’ve seen that managed to get popular despite of italilleybrinker: Humility also requires a lot of Rust https://github.com/oxidecomputer/humilityEden: I do like the checklist item that every change must be...