undefined | Better HN

0 pointsgroundzeros20151mo ago0 comments

> you need some part of your stack to be unexploitable.

Kernel level process isolation is extremely robust.

> If your attitude is that getting exploited doesn’t matter because your software is unprivileged

It’s not that exploits doesn’t matter. It’s that process architecture is a stronger form of guarantee than anything provided by a language runtime.

I agree that the place where rust is most beneficial is for programs that must be privileged and that are likely to face attack - such as a web server.

But the idea that you can’t securely use a C program in your stack or that rust magically makes process isolation irrelevant is incorrect.

0 comments

wat100001mo ago

How can process architecture be a stronger guarantee than anything provided by a language runtime when it is enforced by software written in a language?

You have a process receiving untrusted, potentially malicious input from the outside. If there’s an exploit then an attacker can potentially take control of the process. Your process is isolated, that’s good. But it can still communicate with other parts of your system. It can make syscalls. Now you’re in the same situation where you have a program receiving untrusted, potentially malicious input from the outside, but now “the outside” is your subverted process, and “a program” is the kernel. The same factors that make your program difficult to secure from exploits if it’s written in C also apply to the kernel.

I’m not sure where those ideas as the end of your comment came from. I certainly didn’t say them.

groundzeros2015OP1mo ago

> How can process architecture be a stronger guarantee than anything provided by a language runtime when it is enforced by software written in a language?

Please learn more about this topic. You don't understand OS security models.

j / k navigate · click thread line to collapse