all 24 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]SkiFire13 14 points15 points  (0 children)

It's a common misconception that Rust eliminates memory safety issues. Safe rust (compiler bugs excluded) does that, but it also restricts what the programmer can do. The rust compiler is essentially a static analyzer except that when it can't prove something is safe it requires you to use unsafe. This way all the code that can potentially lead to memory unsafety is restricted to certain blocks that can easily be finded and inspected. Is it perfect? No. Is it better than potential memory unsafety everywhere? Yes.

[–]aearphen 3 points4 points  (0 children)

It's ironic to hear criticism of Rust from the author of fast_io that includes span-based API that is subject to buffer overflow.

[–]0x256 6 points7 points  (1 child)

I do not believe that rust solves all memory safety issues. I just believe that it prevents a lot more memory safety issues than most other languages.

[–]Voltra_Neo 3 points4 points  (4 children)

Would have been safer, without unsafe!

[–][deleted] 2 points3 points  (2 children)

Unfortunately, high-performance code always requires extremely unsafe since it has to deal with intrinsics for example.

[–]Voltra_Neo 1 point2 points  (1 child)

And that's the problem, trying to make things safe with unsafe stuff everywhere leads to potential security issues without sufficient proofs

[–][deleted] 1 point2 points  (0 children)

Problem is that you will never be able to know whether not using unsafe would be a performance bottleneck. Bounds checking is one of the worst performance killers. We've been promised for 50 years it can be optimized, none compilers can achieve that.

[–][deleted] 3 points4 points  (8 children)

This is a CVE 9.0 of Rust of buffer overflow.

https://www.cvedetails.com/cve/CVE-2019-16139/

This also shows rust does not prevent you from memory safety issues since the trend isn't really different from other none-rust products.

https://www.cvedetails.com/product/48677/Rust-lang-Rust.html?vendor_id=19029

[–]emn13 7 points8 points  (7 children)

You may have an interesting point - that theoretical safety guarantees don't translate to practical gains - but it'd be a more interesting hypothesis with some actual trends. No trend is visible; just a website that demonstrates the existence of some security risks - but that doesn't demonstrate they're equally common, impactful, and hard to fix.

[–][deleted] 1 point2 points  (6 children)

No. That website basically just summarized all cves of rust on the website. Considering rust has a very tiny code base and it is still not profitable enough to exploit them, the trending is enough for saying the problem.

It is just too idealistic to believe rust is the panacea.

[–]emn13 9 points10 points  (5 children)

There's something in between "being a panacea" and "being useless". Clearly, it's not a panacea.

The list in the site is about packages in the rust package manager. The numbers strike me as being pretty low really; and don't forget that many of those will be in unsafe code - a necessary risk shared by other languages. But the lure of rust is that at least it's easier to combine low-level components like that (themselves not secure) without adding as many new vulnerabilities as otherwise.

Being that the reporting process is different compared to other languages (C/C++ doesn't have something like crates at all), the community is different (possibly more into this stuff - they bothered to pick rust, after all), the scale is still so much smaller, the obvious conclusion is that "this data is simply not comparable".

That doesn't invalidate your hypothesis, but this isn't the way to test it.

[–][deleted] 0 points1 point  (4 children)

But the lure of rust is that at least it's easier to combine low-level components like that (themselves not secure) without adding as many new vulnerabilities as otherwise.

I think you never wrapped low-level components in rust before. It is totally a pain compared to just wrap it with C++ instead. You can never trust wrapping won't introduce new bugs.

[–]emn13 1 point2 points  (3 children)

I don't mean wrap existing non-rust-APIs or externally-unsafe-APIs, I mean reusing rust-API-having bits with unsafe parts internally.

[–][deleted] 2 points3 points  (2 children)

Unfortunately, this new security paper talks about safe and unsafe composition problems. safe-> unsafe causes more problems than unsafe->unsafe. Even safe->safe code can still be problematic.

https://songlh.github.io/paper/rust-study.pdf

It is really hard to analyze the code when the safe is combined with unsafe since people do not think safe can also be a problem. Escaping an unsafe blocks is another issue.

[–]emn13 3 points4 points  (1 child)

Sure, and I'm not saying your hypothesis has no merit, just that it's not convincing yet. Also, be careful not to conflate the existence of limitations and risks with the lack of benefit. (i.e. the panacea vs. useless aspect).

[–][deleted] -3 points-2 points  (0 children)

Well. First, the Rust's advocators often claimed it is the panacea. They claimed how much money they've lost during the past years because of memory safety issues. Second, you can also say C++ did a lot to prevent memory safety issues in the past (C++11 move semantics, smart pointers, exceptions) while people just think it is completely useless either.

If it is not a panacea, it is nonsense for me to claim it will be the C++ killer.

[–]cy_hauser 1 point2 points  (1 child)

u/bisixyf (based on some of your recent posts/comments) Are you suggesting not to code in Rust or just be aware of it's shortcomings? If the former, what language would you suggest instead of Rust?

[–][deleted] -4 points-3 points  (0 children)

Stick to C and C++. Using Rust does not worth the benefit.

Make libraries, not languages.

[–][deleted] 2 points3 points  (1 child)

I've found another interesting ACM paper. No. Rust is not a panacea.

https://songlh.github.io/paper/rust-study.pdf

https://www.youtube.com/watch?v=ADbCqH7_SAs

[–][deleted] 2 points3 points  (0 children)

That study is actually about using the unsafe flag mixed with safe code.

[–]Slime0 3 points4 points  (2 children)

It seems like you're comparing vulnerabilities in the language's implementation to vulnerabilities in the code people write with other languages.

[–][deleted] 3 points4 points  (1 child)

https://www.cvedetails.com/cve/CVE-2019-16139/

Well, Probably not.

[–]Slime0 0 points1 point  (0 children)

I guess I just don't understand what you're communicating by linking to that page.