undefined | Better HN

0 pointstptacek8mo ago0 comments

If that were the case, you'd be able to support the argument with evidence.

0 comments

You mean like the program in the article where code that never dereferences a non-pointer causes the runtime to dereference a non-pointer? That seems like evidence to me.

tptacekOP8mo ago

An exploit against a real Go program that relies on memory corruption.

sophacles8mo ago

I think your security background is coloring your perception of the term memory safety. Specifically the requirement that the various issues lead to exploitation. These issues can lead to many other issues that are not vulnerability in the security sense, e.g. data corruption, incorrect (but not insecure) behavior, performance issues, and more. I don't think any of those were ever dismissed or excluded from memory safety discussion. Infosec circles tend to evaluate most ideas in the context of (anti)exploitation, and the rest of programming tends to focus on what the cool kids argue (that is they often weigh security concerns higher than other issues as well), so the other problems caused by double-free or buffer overruns (etc) just may not have been given as much weight in your mind.

1 more reply

afdbcreid8mo ago

It should be possible to construct an exploit for such programs. But even for truly unsafe languages, vulnerabilities just from data races are very rare, because they are much harder to exploit.

You could argue Go is safe from memory vulnerabilities, and that'll be 99% correct (we can't know what will happen if some very strong organization (e.g. a nation-state actor) will heavily invest in exploiting some Go program), but it still isn't memory safe, as per the definition in Wikipedia:

> Memory safety is the state of being protected from various software bugs and security vulnerabilities when dealing with memory access, such as buffer overflows and dangling pointers.

1 more reply

Sharlin8mo ago

That’s called "moving the goal posts".

A definition of memory safety that permits unsoundness as long as nobody has exploited said unsoundness is not a definition that anyone serious about security is going to accept. Unsoundness is unsoundness, undefined behavior is undefined behavior. The conservative stance is that once execution hits UB, anything can happen.

tialaramex8mo ago

It's just a little airborne, it's still good

https://www.youtube.com/watch?v=1XIcS63jA3w

amluto8mo ago

https://github.com/golang/go/issues/34902

https://www.cloudfoundry.org/blog/cve-2020-15586/

I don’t see any evidence that anyone wrote an RCE exploit for this, but I also don’t see any evidence of anyone even trying to rule it out.

1 more reply

gf0008mo ago

Hide the same program into some dependency of a dependency and you have a nice little security vulnerability in your prod app. It's actually very easy to hide such a vulnerability as an innocent bug.

1 more reply

nemothekid8mo ago

This is no true Scotsman for programming languages.

I could also argue C is memory safe and all the exploits that have been made weren’t real C programs

j / k navigate · click thread line to collapse

0 comments

chowells8mo ago

You mean like the program in the article where code that never dereferences a non-pointer causes the runtime to dereference a non-pointer? That seems like evidence to me.

tptacekOP8mo ago

An exploit against a real Go program that relies on memory corruption.

sophacles8mo ago

1 more reply

afdbcreid8mo ago

It should be possible to construct an exploit for such programs. But even for truly unsafe languages, vulnerabilities just from data races are very rare, because they are much harder to exploit.

> Memory safety is the state of being protected from various software bugs and security vulnerabilities when dealing with memory access, such as buffer overflows and dangling pointers.

1 more reply

Sharlin8mo ago

That’s called "moving the goal posts".

tialaramex8mo ago

It's just a little airborne, it's still good

https://www.youtube.com/watch?v=1XIcS63jA3w

amluto8mo ago

https://github.com/golang/go/issues/34902

https://www.cloudfoundry.org/blog/cve-2020-15586/

I don’t see any evidence that anyone wrote an RCE exploit for this, but I also don’t see any evidence of anyone even trying to rule it out.

1 more reply

gf0008mo ago

Hide the same program into some dependency of a dependency and you have a nice little security vulnerability in your prod app. It's actually very easy to hide such a vulnerability as an innocent bug.

1 more reply

nemothekid8mo ago

This is no true Scotsman for programming languages.

I could also argue C is memory safe and all the exploits that have been made weren’t real C programs

j / k navigate · click thread line to collapse