undefined | Better HN

0 points_vvhw3y ago0 comments

There is in fact a spectrum with respect to memory safety. For example, temporal vs spatial safety.

Furthermore, no language is “memory safe” in the absolute sense. For example, not even the borrow checker can protect you from buffer bleeds.

0 comments

AaronFriel3y ago

Despite the "How Safe is Zig"[1] blog post, it's false that there is a spectrum. A lack of temporal safety implies a lack of spatial safety, and vice versa.

If one can use a use-after-free, invalid write, time of check-time of use error to write a byte to an invalid location, the program's data structures are now in an inconsistent state, violating invariants required for "spatial safety" such as objects being the correct type, buffers and lengths being paired together correctly, etc.

Likewise, if one can accomplish a buffer overflow, a spatial safety violation, or an out of bounds write, then by definition they've made temporal violations as well. Writing objects out of bounds or arbitrary heap writes imply data races.

Offensive security folks use gadgets that exploit one to accomplish the other, as needed.

[1] https://www.scattered-thoughts.net/writing/how-safe-is-zig/

_vvhwOP3y ago

Thanks, that's a great insight!

Does it follow that the fact that temporal violations could be used to violate runtime spatial checks, therefore means that spatial safety in itself is entirely without value?

What are your thoughts also on buffer underflows? I ask since I take it you also work on offensive security.

AaronFriel3y ago

Alas, I don't work in offensive security but it's been a hobby of mine as an engineer to keep up to date. Some day, perhaps.

To be precise, I don't think the mitigations Zig has, which the author labels as "spatial safety", are entirely without value. Optionals & sum types, range checks are helpful.

Buffer underflows as in writing to negative indices? I wish I could go in a time machine and default early languages to saturating arithmetic instead of wrapping. Even Rust does wrapping arithmetic in release mode, in debug mode overflows will panic.

1 more reply

j / k navigate · click thread line to collapse

0 comments

AaronFriel3y ago

Despite the "How Safe is Zig"[1] blog post, it's false that there is a spectrum. A lack of temporal safety implies a lack of spatial safety, and vice versa.

Offensive security folks use gadgets that exploit one to accomplish the other, as needed.

[1] https://www.scattered-thoughts.net/writing/how-safe-is-zig/

_vvhwOP3y ago

Thanks, that's a great insight!

Does it follow that the fact that temporal violations could be used to violate runtime spatial checks, therefore means that spatial safety in itself is entirely without value?

What are your thoughts also on buffer underflows? I ask since I take it you also work on offensive security.

AaronFriel3y ago

Alas, I don't work in offensive security but it's been a hobby of mine as an engineer to keep up to date. Some day, perhaps.

To be precise, I don't think the mitigations Zig has, which the author labels as "spatial safety", are entirely without value. Optionals & sum types, range checks are helpful.

1 more reply

j / k navigate · click thread line to collapse