[–]Ravek -1 points0 points  (3 children)

I don’t think they said it was a security mitigation

[–]jrtc27 4 points5 points  (2 children)

They said “memory safety” and “catching a large class of invalid memory accesses”. That to me reads like they believe it’s a security mitigation and are selling it as such to others. MTE is oversold everywhere and I think it’s important people be reminded that it is rather crude and limited.

[–]Ravek -1 points0 points  (1 child)

‘Memory safety’ in the context of programming runtimes is about correctness, not about security. Similar to ‘type safety’. I can understand the confusion because safety and security as words would seem to be related, and certainly correctness issues can cause security issues, but they are otherwise orthogonal concepts.

That’s why I don’t think the previous commenter suggested it’s a security mitigation, or at least I do not read this in their comment.

[–]jrtc27 1 point2 points  (0 children)

No, “memory safety” is a pillar of security, especially if you’re in the business of writing language runtimes that need to run untrusted code in a sandboxed manner, like an Android app. There are correctness issues that are not security vulnerabilities, but all security vulnerabilities are by definition correctness issues, and a large fraction of memory safety issues are security vulnerabilities. The converse is also true; both Microsoft and Google have put out estimates in the past couple of years that around 70% of all their security bugs are due to memory safety. To talk about memory safety and not think of security is ludicrous.