For longer than I have existed, memory errors have plagued systems programming. Although many such errors are benign, sadly many end up being security vulnerabilities, or worse, exploits. In this talk, I will discuss how a security exploit is born, and how the Rust
programming language tries to prevent them.
2. A Little About Me
e ResearchAssociate @King’s College London
e Former postgrad of University of Kent.
e OpenBSD Developer (ports)
@ebarrett@mastodon.social @vext01
12. Memory Safety
* s ) {v o i d d o _ s t u f f ( c h a r
. . .
i f ( e r r o r )
f r e e ( s ) ;
}
i n t m a i n ( v o i d ) {
c h a r * s = m a l l o c ( 1 6 ) ;
s t r n c p y ( s , " h e l l o " , 1 6 ) ;
p r i n t f ( " s= ’ s’ n " , s ) ;
d o _ s t u f f ( s ) ;
p r i n t f ( " s= ’ s’ n " , s ) ; / / < - - Use a f t e r f r e e !
r e t u r n ( EXIT_ SUCCESS ) ;
}
13. Kinds of Memory Error
e Useafter free
e Double free
e Buffer overflow
e Dangling pointer
e Freeinganinvalidaddress
Experiencedprogrammers makethesemistakes!
14. Memory Errors = Undefined Behaviour
What should happen afterwards is notdefined!
e Program may continue to work OK (you got
lucky)
e Program may crash
e Program my continue, but behave differently
26. CVE Statistics: Cifuentes andBierman
For the five years from 2013 to 2017: 5,899
buffer errors
(That’s about 21%of the data)
Average total cost of a data breach:
US$3.86 million
27. Other Statistics: Alex Gaynor
https://alexgaynor.net/2019/aug/12/
introduction-to-memory-unsafety-for-vps-of-engineering/
28. Other Statistics: Alex Gaynor
A recent study found that 60-70% of vul-
nerabilities in iOS and macOS are caused
by memory unsafety.
Microsoft estimates that 70% of all vulnera-
bilities in their products over the last decade
have been caused by memoryunsafety.
Google estimated that 90% of Android vul-
nerabilities arememoryunsafety.
37. Rust’s Motivation
Rust’s rich type system and owner- ship
model guarantee memory-safety and
thread-safety, and enable you to eliminate
many classes of bugs at compile-time.
(+ performance + productivity)
38. Example: Use after Free in Rust
fn do_stuff(s: String) {
...
if error {
drop(s); // Not necessary.
}
}
fn main () {
let s = String ::from("hello");
println!("s=’{}’", s);
do_stuff(s);
println!("s=’{}’", s);
}
39. Example: Use after Free in Rust
e r r o r [ E0382 ] : borrow o f moved v a l u e : ‘s‘
l e t s
- - > s r c / m a i n . r s : 1 2 : 2 4
|
8 |
|
|
|
= S t r i n g : : from ( " h e l l o " ) ;
- move o c c u r s b e c a u s e ‘s‘h a s t y p e ‘s t d : :
s t r i n g : : S t r i n g ‘, which does n o t
i m p l e m e n t t h e ‘Copy ‘ t r a i t
d o _ s t u f f ( s ) ;
- v a l u e moved h e r e
p r i n t l n ! ( " s= ’{}’",
he r e
. . .
11 |
|
12 |
|
|
s ) ;
^ v a l u e borrowe d
a f t e r move
e r r o r : a b o r t i n g due t o p r e v i o u s e r r o r
45. The take away message
With Rust, memoryerrors canbe(mostly) athing
of the past.
46. The take away message
With Rust, memoryerrors canbe(mostly) athing
of the past.
https://pixabay.com/photos/thumbs -up-thumb-hand-positive-
47. What else is good about Rust?
e Pretty good performance.
48. What else is good about Rust?
e Pretty good performance.
e Goodstandard library.
49. What else is good about Rust?
e Pretty good performance.
e Goodstandard library.
e Goodand safemulti-threading support.
50. What else is good about Rust?
e Pretty good performance.
e Goodstandard library.
e Goodand safemulti-threading support.
e Pretty portable.
51. What else is good about Rust?
e Pretty good performance.
e Goodstandard library.
e Goodand safemulti-threading support.
e Pretty portable.
e Thriving community and ecosystem.
53. Any Downsides?
e Rust is quite hard to learn.
e
e
e
Ownership/lifetimes are unfamiliar.
Error messages hard to understand.
Large language.
54. Any Downsides?
e Rust is quite hard to learn.
e
e
e
Ownership/lifetimes are unfamiliar.
Error messages hard to understand.
Large language.
e Rust is still young and changing.
55. Any Downsides?
e Rust is quite hard to learn.
e
e
e
Ownership/lifetimes are unfamiliar.
Error messages hard to understand.
Large language.
e Rust is still young and changing.
e Compile-times canbeslow.
56. Any Downsides?
e Rust is quite hard to learn.
e
e
e
Ownership/lifetimes are unfamiliar.
Error messages hard to understand.
Large language.
e Rust is still young and changing.
e Compile-times canbeslow.
e Somethings arequite hard in “safe” Rust.
e unsafe keyword