undefined | Better HN

0 pointstptacek14y ago0 comments

I really doubt that we'll be using programming environments where memory corruption is possible in 2040.

0 comments

17 comments · 2 top-level

adrusi14y ago· 14 in thread

someone's gotta write the kernels though, I can't think of any way to write kernels or compilers where memory corruption is impossible.

jerf14y ago

You don't write them in C. You write them in a not-yet-existing language that allows low-level, but safe, access. (Prototypes of this language certainly already exist, I'm not convinced any are ready for this level of prime time.) You probably also have some additional hardware support not yet existing. And while, yes, deep at the heart of the system there will be something or some set of somethings that, if screwed up, could do something like memory corruption, it will be made as small as possible, verified as rigorously as possible, and get the tar beaten out of it until it's as safe as humanly possible.

This will not be a security paradise, because there's plenty of other ways to screw up. Even if we magick a perfect capabilities-based system into existence in 2040, with every desirable property that is promised fully manifested, programmers will still fail to correctly use it, because security is profoundly a Hard Problem. But the same freaking buffer exploit for the ten millionth time should be a thing of the past. (Library support should also be well on its way to making cross-site scripting a thing of the past, too.)

tptacekOP14y ago

I definitely don't think that eliminating memory corruption vulnerabilities will produce security shangri-la. Most of the vulnerabilities we find every day aren't memory corruption.

1 more reply

wvyar14y ago

I'm personally unfamiliar with the languages you mention in the first paragraph. Would you mind linking to some information about them?

2 more replies

Arelius14y ago

In theory, it's possible to use a formally verified approach to ensure this can't happen, and there is a lot of research into that.

There is a version of the L4 microkernel that has been formally verified which should prevent memory corruption in kernel space, but I don't know the exact details.

This of course won't prevent corruption due to physical sources, such as radiation, but with physical access to a machine you will always be able to gain access.

comex14y ago

The first thing about L4.verified is that formal verification, while admirable, doesn't really matter, at least not in a world where exploits are commodities, exploitation a continuous process: if a program is only a few thousand lines long and written with attention to security, the number of vulnerabilities can at worst be counted on one hand, and attackers will find them all for you in short order. If you're Iran and have an attacker capable of pouring millions of dollars into a single hack, it might make a difference; if you're Microsoft, not so much.

The second thing is that while a microkernel (if used with an IOMMU to prevent a malicious driver from DMAing all over your code) appealingly prevents an attacker from exploiting a malloc overflow in some random network driver and immediately gaining full access to anything (the current state of kernel security!-- but performance is key), it doesn't prevent an attacker from using that network driver pwn to hijack the user's Facebook session; full access is appealing, but in a complex system there are many, many "lesser targets" that are just as bad from a user's point of view.

Microkernels and their little cousin sandboxing can help, but the resulting trusted computing base is still much, much larger than we can formally verify in the foreseeable future.

(A sibling of this comment mentioned Singularity, but that's a fairly different beast: instead of proving that fast code is safe, you try to make obviously (memory) safe code fast. The only reason Singularity is able to make interesting performance claims is that it uses verification to completely avoid system calls: pretty cool, but a NaCl-like kernel could do something fairly similar for C; it doesn't really change the correctness/performance tradeoff.)

2 more replies

gvb14y ago

The L4 microkernel was verified that it faithfully implemented the system specification. The system specification is written in (executable) Haskell. http://en.wikipedia.org/wiki/L4_microkernel_family#Current_r... So, how do they know the Haskell specification is correct???

I guess it's turtles all the way down. http://en.wikipedia.org/wiki/Turtles_all_the_way_down

1 more reply

wizzard14y ago

L4 was verified to the tune of about $4.6 million dollars, or $500 per line of code. And that's for a microkernel under 10 KLOC. And that's assuming no changes are made. Ever.

1 more reply

ktosiek14y ago

You can use a language with dependent types (types depending on values, so you can have arrays of type "array of 10 ints" etc.) - it adds some type-level work, but makes a lot of mistakes not even compile.

But complicated type systems are, unfortunately, rarely used in languages suitable for system programming. I only know about ATS in this group actually :-)

fusiongyro14y ago

Dependent typing is really neat, but it introduces some new problems. Namely, the type checker becomes Turing complete. We have other examples of this level of complexity turning out to be manageable (C++ templates, for example, and the Hindley-Milner algorithm which turns out to be super-exponential in the worst case) but the power of dependent typing is begging to be used and abused to a greater degree.

I have some hope for Rust because their type invariants system (I forget what they're calling it) lets you glue some of this information to variables in a compelling way without necessarily having to solve all the theoretical and practical problems that come with full dependent typing.

We'll see, I guess.

marshray14y ago

C can represent the type "array of 10 ints":

     int array[10];

But probably you meant runtime variable values.

2 more replies

sixcorners14y ago

Didn't Microsoft make an experimental kernel with managed code?

reginaldo14y ago

Indeed. It is the Singularity Research OS. Links: http://en.wikipedia.org/wiki/Singularity_(operating_system)

http://research.microsoft.com/en-us/projects/singularity/

zobzu14y ago

Note that managed code is just one feature of Singularity. They have many other important concepts (like SIPs).

Plan9 ain't bad either. There's also different C# clones (that aren't based on Singularity)

1 more reply

jstclair14y ago

IIRC, though you write in a managed language, it's jitted at install time so it doesn't run under a managed runtime.

xyome14y ago· 1 in thread

Here's a paper describing how to escape from a VM using memory errors. They're causing memory errors by putting a lit light bulb close to the memory chips:

http://sip.cs.princeton.edu/pub/memerr.pdf

Neat hack :)

rheide14y ago

This was a fascinating read. Thanks.

j / k navigate · click thread line to collapse

0 comments

17 comments · 2 top-level

adrusi14y ago· 14 in thread

someone's gotta write the kernels though, I can't think of any way to write kernels or compilers where memory corruption is impossible.

jerf14y ago

tptacekOP14y ago

I definitely don't think that eliminating memory corruption vulnerabilities will produce security shangri-la. Most of the vulnerabilities we find every day aren't memory corruption.

1 more reply

wvyar14y ago

I'm personally unfamiliar with the languages you mention in the first paragraph. Would you mind linking to some information about them?

2 more replies

Arelius14y ago

In theory, it's possible to use a formally verified approach to ensure this can't happen, and there is a lot of research into that.

There is a version of the L4 microkernel that has been formally verified which should prevent memory corruption in kernel space, but I don't know the exact details.

This of course won't prevent corruption due to physical sources, such as radiation, but with physical access to a machine you will always be able to gain access.

comex14y ago

Microkernels and their little cousin sandboxing can help, but the resulting trusted computing base is still much, much larger than we can formally verify in the foreseeable future.

2 more replies

gvb14y ago

I guess it's turtles all the way down. http://en.wikipedia.org/wiki/Turtles_all_the_way_down

1 more reply

wizzard14y ago

L4 was verified to the tune of about $4.6 million dollars, or $500 per line of code. And that's for a microkernel under 10 KLOC. And that's assuming no changes are made. Ever.

1 more reply

ktosiek14y ago

But complicated type systems are, unfortunately, rarely used in languages suitable for system programming. I only know about ATS in this group actually :-)

fusiongyro14y ago

We'll see, I guess.

marshray14y ago

C can represent the type "array of 10 ints":

     int array[10];

But probably you meant runtime variable values.

2 more replies

sixcorners14y ago

Didn't Microsoft make an experimental kernel with managed code?

reginaldo14y ago

Indeed. It is the Singularity Research OS. Links: http://en.wikipedia.org/wiki/Singularity_(operating_system)

http://research.microsoft.com/en-us/projects/singularity/

zobzu14y ago

Note that managed code is just one feature of Singularity. They have many other important concepts (like SIPs).

Plan9 ain't bad either. There's also different C# clones (that aren't based on Singularity)

1 more reply

jstclair14y ago

IIRC, though you write in a managed language, it's jitted at install time so it doesn't run under a managed runtime.

xyome14y ago· 1 in thread

Here's a paper describing how to escape from a VM using memory errors. They're causing memory errors by putting a lit light bulb close to the memory chips:

http://sip.cs.princeton.edu/pub/memerr.pdf

Neat hack :)

rheide14y ago

This was a fascinating read. Thanks.

j / k navigate · click thread line to collapse