If C gets Illegal ill invent something different than C, maybe with better tools for articulating Objects and Problems very fast.. I dont have a Name yet but because its based on C im thinking of something with a plus.
We still have ASM superpowers. And if ASM gets disallowed too, we'll just hide ourselves inside a Rust unsafe block and do very naughty things, like using the ASM macro. :P
Trump is going to come out for C. "Lots of hard working C miners here today. C is a great language. I've written a lot of C. Nobody writes more memory safe code than I do."
@@Kane0123 "C jobs built America. C powers everything. We love C here in West Virginia, folks. Not Biden. Rusty Joe they call him. They do call him that don't they? Sleepy and rusty."
"I here to use rust you have to identify as lgbtq+zxtruq and give up your guns, they say. Thats not going to happen in C, I wont allow it. I liked it before it was cool, and now they dressed it all up in drag and call it c++, you here about this folks, its a shame, so sad"
Garbage collectors are generally not used in aerospace because most garbage collectors temporarialy stop code execution for a short period of time and stopping code execution, even for a small amount of time, on a rocket that is accellerating very very fast is not a good idea
@tiranito2834 The GC make the computer stop? Pffft, that's ridiculous. Ignoring the obvious fact that we have multi-threaded processors for a reason, even a very average CPU is capable of running millions of instructions per second of something high level like JS without any downtime at all. The only reason why GC is bad is because the memory might not get released fast enough for some applications. Definitely not the problem of rockets, they wouldn't have limited memory.
And having fixed memory allocation is also helpful when a bit here or there can be flipped. Good luck with rust not throwing an exception when a pointer gets corrupted from a bit flip. I've had people ask why I am picky as to how a "if" or a "for loop" is written and it's written that way so that it can't loop a lot longer if a number is out of range. I am also not going to say that everything should be in C or C++. These languages are safe when unit tested and analyzed. but most code does not get that kind of scrutiny.
Basic input validation is so much easier to do in Rust, though. If I want to parse JSON (or any other of dozens of serialization formats) into a Rust struct I just import Serde and derive deserialize on my struct and it writes the parser for me. It then forces me to check to see if the parse succeeded or failed, and if it succeeded I now have a reference to a fully instantiated and syntactically correct instance of my struct without a null pointer in sight. If I want to add semantic analysis, I could then write a simple parser that parses MySerdeStruct into Result. Alternatively, if I wanted to do it all in one go I could instead just implement the Deserialize trait for my struct and bake in the semantic analysis. Boom, if I have an instance of MySemanticallyCorrectStruct anywhere in my program it's now guaranteed to have been instantiated, validated, and point to a valid location in memory.
@@rahzaelfoe3288 You do realize that Serde is a library, not a language, don't you? And there are libraries to do the JSON parsing and validation in C++, you don't have to write all the code yourself.
I'm a aerospace engineering student and write code for a satellite project. I can tell you that the institute of space systems at my uni is currently in the process of transitioning from C++ to Rust. So yes, there will soon be satellites with Rust code onboard.
I'm not a C coder, just an old sysadmin. I think automated garbage collection is prone to periodic pauses when resources are freed up, so an RTOS would be subject to mysterious timing issues.
Well, there are Java VMs developed that are suitable for real time systems. Not very popular, expensive, and mostly used in military/ some automotive. There is one called "Jamaica VM" and one developed by "ptc". But Java is still extremely memory hungry. I would like to have my IoT device being able to run on battery a few years.... and without crashes.
GCs also require a good amount of speed and memory themselves to manage that space-grade hardware may not have. space-grade processors need to be much simpler and thus probably much slower in order to be less prone to errors when exposed to space. dynamically allocating and deallocating memory in space can also be a big problem when communication timing is an absolute critical essential in space for a variety of reasons and dynamically managing memory can lead to unpredictable timing.
You don't have to hear them but they're just repeating what people who has nothing to do (as far as we know) with NSA have been saying from the very beginning: never trust in the programmer
The problem they note is real and serious, but until they start punishing intelligence agencies for asking for backdoors I will not take them seriously. Put your money where your mouth is. Don't complain but refuse to pay the price (of not getting to infringe on people's privacy).
@@undeadpresident I really don't mind the NSA having all sorts of dirty tricks. Just so long as they don't share them with the FBI! Unfortunately, it's hard to tell if they do or not, besides the fact that the FBI is constantly whining about encryption.
@@TapetBart ok, mastermind, how is your posting on the internet going to prevent the NSA from stockpiling zero days? They aren't really sensitive to public sentiment. Not that the FBI is, either. Are you saying it's not worse for civil liberties for the agency in charge of law enforcement in the USA to have these sorts of capabilities? Because, of course, it is far worse for the FBI to have access, rather than just the foreign intelligence agencies. (except for the CIA, they can't keep anything a secret) BTW, I believe the phrase you are looking for is "room temperature IQ", not "room level IQ"
Modern C++ can definitely be memory safe. Maybe not to the extent of Rust but still very safe. The problem is that the C++ compiler still allows you write legacy unsafe code. It would be nice to see an option across all C++ compilers that prevents clearly unsafe C++ code from compiling.
I think that's what Byarne Stroutstroup said too. He was implying something like; in C++ we should be allowed to use memory unsafe features only by manually adding those unsface compiler flags. All the safest features should be enforced by default in the first place. If that does become a reality for future compiler versions, most of the vulnerabilities can be eliminated.
Hard real-time safety/mission-critical systems not only do not use a GC, but they don’t use dynamic memory allocation either. Doing this eliminates a wide number of memory safety bugs, whilst also more easily achieving deterministic timing. Static memory allocation is a paradigm that really ought to be used more often tbh.
The last time the USA goverment tried to influence on software development they created a programming language called ADA, then it became popular and took over the world (psic). That happened at the same time that C++ was brooding, before most of us where born
That is not how I remember it. The US government did not create Ada. They held a kind of completion to find a language that would be suitable to use n all MoD and other government procurement. The idea was to get out of the situation where every vendor used a different language and they therefore had hundreds of languages in all kind of projects. Ada won that competition and subsequently it was mandated on all new government contracts. Far from being popular pretty much all programmers I worked with who had to use it did not like it. They complained it was too complex, too verbose, too slow. As a result the mandate was lifted only a few years later. With the result that everyone flocks dot the new shiny C++ as a supposed improvement over their beloved C. Ada still hangs on in safety critical systems though, like avionics. Ada never took over the world, it was rarely used outside military and safety critical applications. I get the idea that the government learned something and would not be so daft as to mandate a particular language, for example Rust. However this document certainly serves to push the software world to more reliable and robust languages that are memory safe.
@@anon_y_mousse Yeah, likely I did. It's sometimes hard to spot sarcasm on the net, being the swamp of inaccuracy and misinformation that it is. Last I heard Ada had learned a few tricks about memory safety from Rust, It's all good stuff.
I like Rust, but for existing projects I have a few problems with it: - integrating another build system (cargo) into an existing build system kinda sucks by itself, but it also creates another problem: porting your system module by module (instead of file by file) is really error prone and sucks even more - using Rust without cargo sucks even more than integrating cargo into an existing buildsystem (to a point where I am not sure that's even supported); but at least it makes porting an existing code base easier
I really like cargo and can‘t quite follow your problems since I‘ve never migrated a project to rust, but here‘s a trick: if you need to know what cargo is doing behind the scenes, you can use cargo build -v or even cargo build -vv. It will show you the commands run. Hope this helps
@@ZwiebelgianYeah… get back to us when you’ve tried to integrate it into a CMake or Ninja or Makefile project. I’ve done it. It sucks. It can be done, but it sucks.
@@airman122469 yeah those commads are extremely verbose, good luck nonetheless. If you really want it to change, try posting a bit more formally in one of rusts official channels
I've watched several of your videos now. The topic of Rust was my gateway into your channel, but so far I've found everything I've watched to be absolutely fascinating. I have subscribed and I am actively looking forward to your future content.
I think the issue with garbage collection is that it can unpredictably change how long it takes code to execute, which is a problem for a real time system.
be pretty cool if you did a retrospective of malware/exploits in the history of computer science. be able to compare the knowledge back then to now, and even the limitations of why such exploits were made/discovered
You know rust made me re-think the GPL license on static link. Since rust libraries are always compiled (statically linked), I wonder if we will ever see the issue in court and set precedence.
@@heavymetalmixer91 yes, but also the stance of FSF on static linking is that you also make a derivative work from the GPL code. Now this hasn't gone to court yet so there is no precedence. But rust is making me re-think all of that again.
If i recall correctly heathcare devices typically also have constraints on using garbage collected language. I think in both cases it is the issue of lossing control over when/the interval between code execution as with garbage collected languages you dont know when it will be run or how much garbage needs to be processed
I've been a programmer for 40 years, 10 of which was in C/C++, and that Whitehouse paper didn't make sense to me. It jumped from saying "We need to make more secure software" to "Therefore, memory safe programming languages is the solution". I can write a program that puts passwords into a plain text file. That's a security issue but has nothing to do with memory. I can write a program that infinitely allocates memory and crashes the program. That has to do with memory, but has nothing to do with security. Then the article mentions events like the Morris Worm. The Morris Worm used "finger" to find people logged onto the computer. Not sure how that has to do with memory. I agree that Rust is better at memory management, but I'm pretty sure I can write an insecure program in it, regardless of it being better at memory management.
This! And just because rust is "Memory Safe" Doesn't mean there aren't issues with it. Kinda like how Alpine Linux is "more secure" than other distros because there are fewer eyes on it.
You are missing the point, cherry picking these examples and cases. A lot of hardware and software gets picked apart due to memory issues and overflow. The fusee gelee exploit that made every Nintendo switch vulnerable was caused due to a memory overflow bug, for example
@user-lp8eo5cd1h You are entirely missing the point and are bike-shedding. Expecting programmers to have a borrow checker in their head is inherently flawed.
@@OGNordusing rust makes it nearly impossible to write a huge class of bugs. You can argue "poorly managed code," but if there's an option that makes such bugs impossible without specifically choosing to use an escape hatch, then you're simply going to have less bugs. I'd rather have a complier enforce bugs to not exist rather than rely on the human to do that check, humans who miss stuff, who make mistakes. Yes you can write insecure code in rust. But it's much harder or impossible to write a very important class of bugs in rust. And even if it is possible, you have to go well out of your way to do so.
@purewaterruler I love rust, but I still choose C++ on my team. For rust to become as mainstream as C++, either hundreds of libraries need to have rust replacements or, as Google is funding, interoperability with C++. The latter is the most likely, at least in the next decade. So, if something like openssl or curl has a vulnerability, then your rust stack will have it just as readily as someone else's C++ stack. I agree that it would be ideal to move in the direction of rust only, but it's going to be years before I can reasonably choose it unless I end up on a team that's building within some relatively small domain.
My dad worked for NASA from 70s-late 90s working on Space storage systems. He had to create his own language to do the things (and presumably to adhere to those guidelines).
Your Dad was smart and knew that the only way to be "safe" in certain ways was to give up on Turing completeness. One can afford that for science and aerospace systems, but it's a rather hard way to make a living as an app programmer.
Adopting Rust as a mainstream language won’t change the main factor behind code vulnerabilities: that companies do not care about security. Who cares if a class of memory related vulnerabilities is out of the equation if there’s IoT devices programmed with hard coded insecure root credentials and so on?
Yeah but @LowLevelLearning discusses this in the video: 70% of major security issues are related to memory management. Even though that leaves 30%, eliminating 70% itself (after 35-50 years) would itself be a monumental achievement.
@@GEfromNJ I don’t have data on the matter, but I’d easily bet on that figure not including social engineering as a vulnerability. So, even if we take at face value Rust’s claim to memory safety, it still wouldn’t lead to a particularly more secure digital environment. It could indeed solve a major class of vulnerabilities, but it’s also the class of vulnerabilities that only highly sophisticated attackers use, so it probably is the less frequent in volumes of attacks. A vast network of Internet crawlers brute forcing common default credentials for unsecured IoT devices is, to me, a more worrisome class of attacks, because of its scale and low floor to access it. And it’s a kind of vulnerability that can only be removed by making cybersecurity due diligence standards mandatory.
@@Vaalin In response to the claim that Rust prevents a lot of vulnerabilities, saying something like "yeah, but it doesn't prevent all vulnerabilities" is not really a counter argument. Memory safety issues undeniably make up a huge chunk of software vulnerabilities and using Rust helps to prevent those from occurring.
The most aggravating part of the “skill issue” argument is that even if _you_ can write good safe c code it just takes 1 human miscommunication across an api boundary written by different people to create a CVE
Another problem with the "skill issue" argument is that Apple, Microsoft, Linux, Google, etc have essentially unlimited resources and decades of experience and yet they are still experiencing these issues.
I view it the same as safety equipment for heavy machinery. No matter how skilled and experienced you are, you can still get tired on a Friday night and be rushing to meet a deadline. Impairment and time pressure issues can overcome skill and produce bad outcomes in all humans across all professions. It simply makes sense to fail safe instead of deadly.
I'm guessing that you are not old enough to remember ADA. Fourty years ago, the DoD required all new software to be written in ADA for all of the same reasons. Will it be different this time?
Yes. Ada came from Defense, including its design; Rust came from the developer community and is simply being _recommended_/adopted by government, among others.
@rusi6219it's not. it's just a programming language, and a well loved one at that. if you're thinking of marginalized people being able to openly exist without being discriminated against within the community, that's not politics, that's just human rights. politics are things like dealing with taxes or government budgets or setting health and safety standards in different aspects of life. for example, food health codes. in that, the government didn't create rust. they just promote it as one of the memory safe languages that exists and they want you to use a memory safe language. their goal isn't to make you pick a specific language or even one that exists today, just that you pick one that's safer than the ones designed when security was an afterthought. we still have the mess that's the email and phone systems with spam and scams cause security was an afterthought when they were made. i would gladly burn both my emails and phone numbers if i wasn't required to have them just to use any service. this is a step in the right direction to make a safer tomorrow
I wonder what you would say to J Blow's arguments that 99% of safety problems in C are super trivial to solve. (He argues that the C compiler comes with many memory safety options you can enable out of the box for example.)
It doesn’t matter how safe your language is when 80% or more of data breaches are from social engineering and phishing. On the other hand, any language is safe as long as you make no assumptions about any input or write data and you have assertions in your code to check that data before any work is done with it.
It still gives us a peace of mind that we haven’t created an exploit unintentionally. Reducing the attack surface helps us target the next class of exploits. Besides it also helps us avoid unintentional memory bugs in regular use.
Sure, social engineering is the biggest problem these days, but to say that memory safety doesn't matter is incredibly hyperbolic. Even if it doesn't cover all or most vulnerabilities, reducing the attack surface by 5% is nothing to scoff at.
Actually, it does still matter how safe the language is because attacks still exist which target those insecurities of the language. Also, the idea that every language is safe as long as you do everything absolutely perfectly with absolutely zero assumptions is an overly naive solution. We already know that nobody is going to write perfectly secure code all the time. Crossing your arms and saying "well they people should code perfectly" isn't a solution.
You say it isn't a skill issue, and you also jumped on the 2019 metric of 70% of bugs are "memory bugs", but neither get at the root of exploitation. 1. What is the most common vulnerability type exploited by hackers? Is it memory bugs? Or is it misconfigurations and user error (skill issues). 2. Do you agree the barrier to entry in software development has been reduced in the last 50 years allow people with maybe less skill to develop and release software (skill issues)?
For me it isn't about whether or not it is or isn't a skill issue because if you do anything wrong ever it could be considered a skill issue. I think that having a language that nearly completely prevents certain kinds of skill issues releasing in working production code is a good thing.
This is very interesting to me since the firm I work for takes a security first approach to everything we do. From the air gapped networks to the application code.
The “skill issue” argument is made by people living in a bubble. I can appreciate the sentiment, but the reality is that the balance of supply and demand for programmers and margins necessary for businesses to operate simply will not always allow for every programmer to be a very good™ one.
The government operates with timelines and budgets that enterprises do not. They could absolutely establish a licensing criteria for federal dev work and create associated acceptance testing paradigms that far exceed those sustainable in private industry in the interest of national security. They literally plan to spend $20 billion to replace chinese made CRANES in our ports due to security concerns…
@@semitangent lowest common denominator. In this case making an argument to defend the effort of the least skilled who posses a basic level of aptitude which is the lowest common denominator among all developers. Rather than expecting better from everyone.
9 หลายเดือนก่อน +2
You can write safe c using a lot of static analysis and testing. However, there are not many developers with the ability and know-how. I know only a few developers who write safe code with c, and companies are unable to find additional capable people with good coding practices. When you draw the line additional effort usually does not make financial sense, which is why rust is on my to-do list, to write optimised safe code in one step without Misra checks analysis and weeks of testing.
Regarding GC, I think the issue is that GC is inherently unpredictable and almost always requires completely pausing execution, making its use in space operations that are sensitive to fractions of a second like reentry, where a degree can be the difference, infeasible.
C and C++ are memory safe, but your code may not be. rust's stdlib worries me more than strcpy does because very few stop to consider maybe the code isn't safe since even though they can't see any "unsafe blocks".
In one sense, C is neither memory safe nor unsafe, because that's in the hands of the programmer. On the other hand, if the security problem is located in the possibility of making unsafe programs, then C itself can be considered unsafe.
@@0x90hit's still about the language, the C/C++ header system slows down process noticeably. That's why C++20 has modules support - to speed up compilation.
The "garbage collector" at any time, unexpectedly, stops the program in order to perform it's task, which slows the program down. That's why its "not predictable" for space systems.
I used this argument (and I think you talked about memory safe language before the White House published the report) to a class of young summer vacation students-hoping to get it into their heads “on the ground floor”- and it apparently went down well. It seems to make sense to young people without having to justify it much further…fingers crossed!
@@ultimatedude5686 you fell into internet falacy 17: assuming something is an argument. And falacy 18: assuming it was a personal attack against you. And falacy 19: being offended by it. I was merely poking fun at the idea that delegating responsibility automatically yields better results.
@@Terrados1337 I was using the word argument very loosely. I didn't find what you said offensive, I just disagreed with the point you're making. Delegating responsibility to much larger and more well-maintained codebases (like the compiler and the standard library) is generally a good idea.
I'm glad. Just wish the syntax was simpler, like Go or Pascal. Just wish they adopted the C philosophy of adding features every 30 years instead of every 3 months lmao. C got presdefined bool types the other day... in C 23. We'll be using that in like 2084. (granted it had bools before, but not as part of the spec)
One problem with the skill issue argument, is that even if you train your programmers, there will always be outlier programmers or regular programmers who happen to make mistakes, because we are humans. It's not reliable to rely on programmers, but code itself is pretty reliable(well mostly, that stray bit of cosmic radiation is pretty unlikely)
I agree about safety not being a skill issue. I'm all in for using Rust instead of C++. But to what level do you think that we have to constrain programmers? If programmers don't follow secure code guidelines and standards, there can always be security issues. Memory safety is not the only issue. Of course it's a big one. But what about the other issues?
@@stzi7691 Hahaha... True. However, I don't think this is the case with Rust. Largely because I don't think Rust is anywhere near as "safe" as people think it is. I mean, there are videos floating around now, which show people breaking the borrow checker and causing memory leaks, which most people seem to think cannot happen.
@@roberthoople wow rust has bugs? well back to writing assembly, be sure to push ur registers to the stack before overwriting them! how is this a good point in ur mind? rust provides a lot of checks that avoid most vulnerabilities in C programs, it not being 100% effective isnt an own to it being safer
@@yandere8888 LOL. My actual problem with Rust are it's childish fanbois, and the diaper stink they bring to every programming conversation on the internet, not so much the language's on-by-default safety features themselves.
The title is clickbait - from what we saw the paper only mentioned Rust as safer than C or C++, not as THE safest language. That title surely goes to Ada, especially in it's Spark version which adds formal verification. That's why it's been used for decades in space, avionics, medical systems, weapons systems and other safety-critical fields. It may not have the street cred of Rust, but it's a very interesting and mature language that deserves to be more widely known. Now there's a good open source compiler and language server it's much more accessible than before, and the new 2022 spec adds many modern features.
Rust should be adopted for security measures AND it's a "skill issue". We need more useful hiring standards. Who gets the mission-critical programmer job? Is it Techy Trevor, the autodidact who contributes to open source in his spare time, who knows how to analyze and maintain complex codebases? No, it's Cody Brody, the buzzword-spewing asshole who knows all the leetcode problems, with connections and a CS degree rife with Python and gen-eds. It's not even Brody's fault, he's just following society's incentives. I'm in my last year of CS undergrad and it's turning me into Brody. I've aced job interviews by acting like Brody. Hire competent people like Techy Trevor, damnit!
You skipped over a very important part! Formal methods. You mentioned that even though memory issues make up 70% or something of the known vulnerabilities, there are other classes of vulnerabilities, like logic-based errors. Formal methods are there to mitigate that type of error, by ensuring that the code you're writing actually does what you thought it does in the first place
There is one crate that demonstrates that it is possible, though not common to have memory vulnerability in safe rust, if you try really hard. On the other hand, best C programmers, even when trying really hard, release software with these vulnerabilities on daily basis. So I think, Rust is safe for now.
Rust is generally safe, what CVE-rs did is very, very, very specific AND what they did it is catched by MIRI (which you should be using if you are trying to make your software the safest as possible with the language). It is also a problem that can be fixed, so it eventually will. Of course I'm not saying it is not bad, it is pretty bad, but still, edge cases does not removes the benefits on security of the language.
The point about a tracing garbage collector is that it comes with overhead, which actually sits in the way of real time performance, as described in the sentence before. A GC has to dynamically track all used pointers to objects in memory continuously. In order to achieve this it must perform certain checks frequently, which cause very short but still real interruptions in code execution. For software related to very precise scientific technology and measurements, this might be an actual issue. So I totally understand this point. So Go and C# cannot be used for example.
Changing to Rust will not stop cyber-crime. I want people to know that. It can help increase security generally, but it cannot change the dynamic we currently have. Black-hats will always have the initiative. We should, at the very least, recognize that programming is an art, and preserve the use of "unsafe" languages for use in environments where safety isn't a concern (such as offline, single-player video games). If the government wants to use Rust, let them have it. If they demand it for browsers and internet-related code, then so be it. They should not interfere with the freedom to use and create languages.
@@YandiBanyu oh it is, and will continue to be (there are already "hacking" courses that use Rust on youtube). You can't touch hardware without security concerns. Unless the government wants to rebuild everything from the ground up, it will continue to be that way.
@@jongeduard I am not saying do not write software using rust. Both can exist at the same time. I am merely pointing out that malware too can be created using rust.
I expected better of the C compiler honestly. if i is an unknown value and I have an array with unknown length. that does not compute or should not. It should raise a type error. The same as if I is in en expected range but the length of the array is unknown. -> type error. only if i < the length of the array it should ever compute.
The much better way is to make arrays of the length of powers of two and to mask the index with a binary operation. If you want a significantly higher level of security still, then you use the MMU. None of this does anything for you if the attacker has hardware and root access. These are all just obfuscation techniques. If you need truly secure systems, then they need to be isolated physically. A strong steel door is the best way to go. ;-)
what relevance does a 50 year timeline have to the validity of a “skill issue “argument? The US education system has been turning out below average students for decades. Recognizing that a problem exists but failing to educate in a manner that addresses it, or develop and enforce standards that hold people accountable for avoiding it, guarantees that any skill issue will persist for decades to come. Problems don’t just magically fix themselves, and giving a carpenter a different hammer doesn’t make him a better carpenter.
@@samuele5931 tuple is one example. Zig ships with a compiler that can compile C and C++, its memory safe and simple so I think its a pretty strong competitor because of the way it sets it self up for rewriting legacy C and C++ codebases. It would be simpler to rewrite in Zig than Rust
I agree. If Zig continues to perform and stabilize, I think it will start replacing C, and maybe some low-level C++ areas like games/graphics. Rust will need to compete with Golang to pick the corpse of C++
I'd love to see a deep dive on memory protection features built into compilers and/or operating systems - where they fall short, the edge cases, and maybe reasons they aren't consistently used. These aren't really mentioned when talking about the latest safer language
Cannot believe the politicized comments. This is a research paper; it was not written by a politician. It was commissioned by the government and written by industry experts. There is a difference! Let’s look at the merits of the paper. Has anyone claiming the government is advocating Rust over C, actually done any programming in Rust, or are the reactions just politically motivated?
The problem is saying "it's a skill issue." is even if you are a super skilled programer, you will eventually make a mistake, the borrow checker on the other hand, will not.
@@igoralmeida9136I guess there's a slim possibility that the borrow checker would allow code that it shouldn't, but so far I've only ever heard of it being overly restrictive, which I'll gladly take over manual verification.
@@TapetBart My other comment disappeared. Shortly after my first comment, I looked into cve-rs, which escapes the borrow checker. Funny how I found it so quickly after my erroneous comment.
@@igoralmeida9136 I mean it's an algorythem, and it has rules that prevent data races and use after free's, so therefor, it does make make mistakes, because it isn't a human, idk what universe your in where this is religous dogma.
Rust still sucks. And the U.S. government calling it out to use it just proves that it does indeed suck. It's not C and C++ fault that the developers of such cyber security systems didn't know how to use the language and just slapped together whatever it took to get the paycheck...
Exactly -- lousy coders do not become good by being given safer toys. If anything, this will result in even more bad code due to the perceived "safety".
Hey, maybe the topic of the upcoming NIS2 directive might be interesting for you. It's not about secure software per se, but more so about secure systems and holding CEOs liable
fortran is still here and wil lbe . c++ compiler enginers will fix that allows you to do bugs so your rust will not be revolution . cuz it forces you to do in the way it wants so idk if anyone in his mind will use rust . there's many memory safe langauges and far easier than rust
the thing i dislike most about rust is that its managed or whatever you like to call it by a single entity, i feel like with c thats kinda different, theres tons of c compilers out there which just makes it feel less commercial for some reason
@@tiranito2834??? The rust compiler is OS, obviously. There are alternative ones, there just isn't reason to use them yet. If there's ever issues with rustc obviously it will be forked and a new one will be the default compiler choice, if there's demand for it.
go learn C before its illegal 😞 lowlevel.academy
SO @doce3609 lol
If C gets Illegal ill invent something different than C, maybe with better tools for articulating Objects and Problems very fast.. I dont have a Name yet but because its based on C im thinking of something with a plus.
Just learn Odin.
We still have ASM superpowers. And if ASM gets disallowed too, we'll just hide ourselves inside a Rust unsafe block and do very naughty things, like using the ASM macro. :P
Lmao
Trump is going to come out for C.
"Lots of hard working C miners here today. C is a great language. I've written a lot of C. Nobody writes more memory safe code than I do."
that'd be fun
a lot of us 400-pound hackers are pretty good C programmers!
Lol
@@Kane0123 "C jobs built America. C powers everything. We love C here in West Virginia, folks. Not Biden. Rusty Joe they call him. They do call him that don't they? Sleepy and rusty."
"I here to use rust you have to identify as lgbtq+zxtruq and give up your guns, they say. Thats not going to happen in C, I wont allow it. I liked it before it was cool, and now they dressed it all up in drag and call it c++, you here about this folks, its a shame, so sad"
So the NSA has finally collected enough zero-days that they're now allowing recommendations in favor of Rust?
no they got a back door.
@@sixbutton9 Rust still uses the LLVM, so there's still a lot of undefined behavior and unsafe things for years to come.
@@monad_tcp
There is no UB in normal safe Rust code (and if there is it would be fixed eventually).
@@lawrencemanning
😆
@@diadetediotedio6918 define "normal"
Garbage collectors are generally not used in aerospace because most garbage collectors temporarialy stop code execution for a short period of time and stopping code execution, even for a small amount of time, on a rocket that is accellerating very very fast is not a good idea
Elaborate
@@tiranito2834 I'm starting to think that all the people not understanding why GC would be bad for spacecrafts just don't understand how GC works.
@@anon_y_mousse That's the sad reality of the way GC works. Out of sight out of mind.
@tiranito2834 The GC make the computer stop? Pffft, that's ridiculous. Ignoring the obvious fact that we have multi-threaded processors for a reason, even a very average CPU is capable of running millions of instructions per second of something high level like JS without any downtime at all.
The only reason why GC is bad is because the memory might not get released fast enough for some applications. Definitely not the problem of rockets, they wouldn't have limited memory.
And having fixed memory allocation is also helpful when a bit here or there can be flipped. Good luck with rust not throwing an exception when a pointer gets corrupted from a bit flip. I've had people ask why I am picky as to how a "if" or a "for loop" is written and it's written that way so that it can't loop a lot longer if a number is out of range. I am also not going to say that everything should be in C or C++. These languages are safe when unit tested and analyzed. but most code does not get that kind of scrutiny.
Apparently, Joe forgot to free his memory.
Lmao
Rust made a memory leak inside his brain
If he doesn't will the rest follow?
Wym, all he does is free memory. Bro tries to free Stack allocated memory sometimes. He's trying to update his hardware to rust
Hahaha 😆
"Skill issues" but programmers still won't follow basic input validation lmao
What are e we talking about? Critical software that has become infrastructure or critical software that is a product of a company?
Basic input validation is so much easier to do in Rust, though. If I want to parse JSON (or any other of dozens of serialization formats) into a Rust struct I just import Serde and derive deserialize on my struct and it writes the parser for me. It then forces me to check to see if the parse succeeded or failed, and if it succeeded I now have a reference to a fully instantiated and syntactically correct instance of my struct without a null pointer in sight. If I want to add semantic analysis, I could then write a simple parser that parses MySerdeStruct into Result. Alternatively, if I wanted to do it all in one go I could instead just implement the Deserialize trait for my struct and bake in the semantic analysis. Boom, if I have an instance of MySemanticallyCorrectStruct anywhere in my program it's now guaranteed to have been instantiated, validated, and point to a valid location in memory.
Users will read the guide, so validation isn’t important.
@@Kane0123 I agree. You should educate your users. After all. User Input should always be correct so you can trust it at all times in your code.
@@rahzaelfoe3288 You do realize that Serde is a library, not a language, don't you? And there are libraries to do the JSON parsing and validation in C++, you don't have to write all the code yourself.
I'm a aerospace engineering student and write code for a satellite project. I can tell you that the institute of space systems at my uni is currently in the process of transitioning from C++ to Rust. So yes, there will soon be satellites with Rust code onboard.
@asdfghjkl-jk6mu Stuttgart, Germany
I'm not a C coder, just an old sysadmin. I think automated garbage collection is prone to periodic pauses when resources are freed up, so an RTOS would be subject to mysterious timing issues.
Well, there are Java VMs developed that are suitable for real time systems. Not very popular, expensive, and mostly used in military/ some automotive. There is one called "Jamaica VM" and one developed by "ptc". But Java is still extremely memory hungry. I would like to have my IoT device being able to run on battery a few years.... and without crashes.
GCs also require a good amount of speed and memory themselves to manage that space-grade hardware may not have. space-grade processors need to be much simpler and thus probably much slower in order to be less prone to errors when exposed to space. dynamically allocating and deallocating memory in space can also be a big problem when communication timing is an absolute critical essential in space for a variety of reasons and dynamically managing memory can lead to unpredictable timing.
There's ways to enter during garbage collection. I can think of three without looking at the code in question.
The White House is the trusted authority that I always look for guidance from when I am trying to decide what language to use in my next project.
😂🎉
You don't have to listen to them, there are many others that have said this before them.
You don't have to hear them but they're just repeating what people who has nothing to do (as far as we know) with NSA have been saying from the very beginning: never trust in the programmer
The sentiment about not having GC for space use could be due to avoiding GC pauses.
I think also they might not run leading to running out of memory.
@@eldrago19Try that again
The Whitehouse should write a similar statement regarding open source being safer than proprietary and closed source
too based for the gov i'm afraid
Why would they do that? Closed source is superior from certain points of view.
@@markojojic6223 Facts are not points of view. Security through obscurity is a farce
true, the only reason the us gov can confirm rust is memory safe is because the compiler is open sourse
@one6446 Well I guess they could have started makeing an in-house alternative in 10 years or less.
"up until recently, security was an afterthought"
(That implies that it no longer is)
* IoT has entered the conversation *
Focusing on security makes it harder to get things working.
The problem they note is real and serious, but until they start punishing intelligence agencies for asking for backdoors I will not take them seriously. Put your money where your mouth is. Don't complain but refuse to pay the price (of not getting to infringe on people's privacy).
Indeed, I'm more concerned about being secure from government intrusion than the other way around.
@@undeadpresident I really don't mind the NSA having all sorts of dirty tricks. Just so long as they don't share them with the FBI! Unfortunately, it's hard to tell if they do or not, besides the fact that the FBI is constantly whining about encryption.
I agree
@@undeadpresident Governments are the number 1 producer of malware, governments everywhere are just criminal organizations
@@TapetBart ok, mastermind, how is your posting on the internet going to prevent the NSA from stockpiling zero days? They aren't really sensitive to public sentiment.
Not that the FBI is, either. Are you saying it's not worse for civil liberties for the agency in charge of law enforcement in the USA to have these sorts of capabilities? Because, of course, it is far worse for the FBI to have access, rather than just the foreign intelligence agencies. (except for the CIA, they can't keep anything a secret)
BTW, I believe the phrase you are looking for is "room temperature IQ", not "room level IQ"
Understood, will keep using C
Yeah the government will not tell me what language to use
Typical C programmer (no shade).
@@malusmundus-9605are you being sarcastic? Couldn't tell these days 🤷♂
calling the cops
"C gives the programmer too much freedom. We need more security! I hereby declare C to be a terrorist organization!"
Modern C++ can definitely be memory safe. Maybe not to the extent of Rust but still very safe. The problem is that the C++ compiler still allows you write legacy unsafe code. It would be nice to see an option across all C++ compilers that prevents clearly unsafe C++ code from compiling.
I think that's what Byarne Stroutstroup said too. He was implying something like; in C++ we should be allowed to use memory unsafe features only by manually adding those unsface compiler flags. All the safest features should be enforced by default in the first place. If that does become a reality for future compiler versions, most of the vulnerabilities can be eliminated.
Hard real-time safety/mission-critical systems not only do not use a GC, but they don’t use dynamic memory allocation either. Doing this eliminates a wide number of memory safety bugs, whilst also more easily achieving deterministic timing. Static memory allocation is a paradigm that really ought to be used more often tbh.
The last time the USA goverment tried to influence on software development they created a programming language called ADA, then it became popular and took over the world (psic). That happened at the same time that C++ was brooding, before most of us where born
Thanks for reminding me that I'm old.
history repeats itself
rust++
That is not how I remember it.
The US government did not create Ada. They held a kind of completion to find a language that would be suitable to use n all MoD and other government procurement. The idea was to get out of the situation where every vendor used a different language and they therefore had hundreds of languages in all kind of projects. Ada won that competition and subsequently it was mandated on all new government contracts.
Far from being popular pretty much all programmers I worked with who had to use it did not like it. They complained it was too complex, too verbose, too slow. As a result the mandate was lifted only a few years later. With the result that everyone flocks dot the new shiny C++ as a supposed improvement over their beloved C. Ada still hangs on in safety critical systems though, like avionics.
Ada never took over the world, it was rarely used outside military and safety critical applications.
I get the idea that the government learned something and would not be so daft as to mandate a particular language, for example Rust. However this document certainly serves to push the software world to more reliable and robust languages that are memory safe.
@@Heater-v1.0.0 I think you missed the obvious sarcasm in that line of "took over the world", because we all know it did not.
@@anon_y_mousse Yeah, likely I did. It's sometimes hard to spot sarcasm on the net, being the swamp of inaccuracy and misinformation that it is.
Last I heard Ada had learned a few tricks about memory safety from Rust, It's all good stuff.
I like Rust, but for existing projects I have a few problems with it:
- integrating another build system (cargo) into an existing build system kinda sucks by itself, but it also creates another problem: porting your system module by module (instead of file by file) is really error prone and sucks even more
- using Rust without cargo sucks even more than integrating cargo into an existing buildsystem (to a point where I am not sure that's even supported); but at least it makes porting an existing code base easier
I really like cargo and can‘t quite follow your problems since I‘ve never migrated a project to rust, but here‘s a trick: if you need to know what cargo is doing behind the scenes, you can use cargo build -v or even cargo build -vv. It will show you the commands run. Hope this helps
@@ZwiebelgianYeah… get back to us when you’ve tried to integrate it into a CMake or Ninja or Makefile project. I’ve done it. It sucks. It can be done, but it sucks.
Ewww make files.
@@airman122469 yeah those commads are extremely verbose, good luck nonetheless. If you really want it to change, try posting a bit more formally in one of rusts official channels
Build with Bazel when the project is either large , polyglot, or both.
white house using Rust before GTA 6 is crazy 💀
heyeyey slow down your horses - nobody said anything about using! The white house is talking - and that's the only they ever do
once the nsa endorses rust, is the day ill stop using it.
@@pluto8404 why
I haven't done video games, but do lots of GUI and OOP is a must, type hierarchy just looks natural
@@mizu_7422 they planted 5g bugs into my esp32
I've watched several of your videos now. The topic of Rust was my gateway into your channel, but so far I've found everything I've watched to be absolutely fascinating. I have subscribed and I am actively looking forward to your future content.
Gotta love politician driven development 😥😥
VOP - virtue_signaling oriented programming. It is the future.
RUSTRANNY ZISTAS. GO GO GO!
Watch them try to make a list of all C programmers and leverage their ISP's to cut their internet service and deny them plane flights.
New paradigm Yay
the eu supports a ton of FOSS, like... idk, gnome. so yeah. often enough that's actually something i love
always knew there's something not right with rust
No jokes about Biden and memory integrity!
Assuming he has memory to begin with
@@godspeed2145 it's just leaked over the past 80 years
His memory is FINE, it's just his output stream buffering.
His memory is great, his brain just runs on Python
I think the issue with garbage collection is that it can unpredictably change how long it takes code to execute, which is a problem for a real time system.
be pretty cool if you did a retrospective of malware/exploits in the history of computer science. be able to compare the knowledge back then to now, and even the limitations of why such exploits were made/discovered
You know rust made me re-think the GPL license on static link. Since rust libraries are always compiled (statically linked), I wonder if we will ever see the issue in court and set precedence.
@@ameknite I am not talking about rust the language, but any program written in rust that MAY be GPL licensed.
That's a huge license issue for certain pieces of software, not everyone wants to statically link everything.
@@heavymetalmixer91 If you want dynamic linking with Rust, you're out of luck. That isn't a supported feature yet.
@@Psychx_ that's because rust has no ABI like most mature languages do.
@@heavymetalmixer91 yes, but also the stance of FSF on static linking is that you also make a derivative work from the GPL code. Now this hasn't gone to court yet so there is no precedence. But rust is making me re-think all of that again.
If i recall correctly heathcare devices typically also have constraints on using garbage collected language. I think in both cases it is the issue of lossing control over when/the interval between code execution as with garbage collected languages you dont know when it will be run or how much garbage needs to be processed
I've been a programmer for 40 years, 10 of which was in C/C++, and that Whitehouse paper didn't make sense to me. It jumped from saying "We need to make more secure software" to "Therefore, memory safe programming languages is the solution". I can write a program that puts passwords into a plain text file. That's a security issue but has nothing to do with memory. I can write a program that infinitely allocates memory and crashes the program. That has to do with memory, but has nothing to do with security. Then the article mentions events like the Morris Worm. The Morris Worm used "finger" to find people logged onto the computer. Not sure how that has to do with memory. I agree that Rust is better at memory management, but I'm pretty sure I can write an insecure program in it, regardless of it being better at memory management.
This! And just because rust is "Memory Safe" Doesn't mean there aren't issues with it. Kinda like how Alpine Linux is "more secure" than other distros because there are fewer eyes on it.
You are missing the point, cherry picking these examples and cases. A lot of hardware and software gets picked apart due to memory issues and overflow.
The fusee gelee exploit that made every Nintendo switch vulnerable was caused due to a memory overflow bug, for example
@user-lp8eo5cd1h You are entirely missing the point and are bike-shedding. Expecting programmers to have a borrow checker in their head is inherently flawed.
@@OGNordusing rust makes it nearly impossible to write a huge class of bugs.
You can argue "poorly managed code," but if there's an option that makes such bugs impossible without specifically choosing to use an escape hatch, then you're simply going to have less bugs.
I'd rather have a complier enforce bugs to not exist rather than rely on the human to do that check, humans who miss stuff, who make mistakes.
Yes you can write insecure code in rust. But it's much harder or impossible to write a very important class of bugs in rust. And even if it is possible, you have to go well out of your way to do so.
@purewaterruler I love rust, but I still choose C++ on my team. For rust to become as mainstream as C++, either hundreds of libraries need to have rust replacements or, as Google is funding, interoperability with C++. The latter is the most likely, at least in the next decade. So, if something like openssl or curl has a vulnerability, then your rust stack will have it just as readily as someone else's C++ stack.
I agree that it would be ideal to move in the direction of rust only, but it's going to be years before I can reasonably choose it unless I end up on a team that's building within some relatively small domain.
Oh, shit, is this what finally derails the Rust hype-train?
"We're from the government, we're here to help!"
"I will defeat Donald Reagan this election!"
Yep.
rust foundation wants to take your 🔫🔫 per the TOS. Now we know who they really are.
The government supporting it makes me a bit suspicious
They also created the ADA programming language, that why it became so popular and took over the world
@@virtuosisimo never heard of it
CIA probably added a backdoor to the rust compiler
@@shallex5744 that's my point xD
U r a tinhat
My dad worked for NASA from 70s-late 90s working on Space storage systems. He had to create his own language to do the things (and presumably to adhere to those guidelines).
Your Dad was smart and knew that the only way to be "safe" in certain ways was to give up on Turing completeness. One can afford that for science and aerospace systems, but it's a rather hard way to make a living as an app programmer.
I think the Garbage Collection point is that, gb is non-deterministic
Adopting Rust as a mainstream language won’t change the main factor behind code vulnerabilities: that companies do not care about security. Who cares if a class of memory related vulnerabilities is out of the equation if there’s IoT devices programmed with hard coded insecure root credentials and so on?
Yeah but @LowLevelLearning discusses this in the video: 70% of major security issues are related to memory management. Even though that leaves 30%, eliminating 70% itself (after 35-50 years) would itself be a monumental achievement.
@@GEfromNJ I don’t have data on the matter, but I’d easily bet on that figure not including social engineering as a vulnerability.
So, even if we take at face value Rust’s claim to memory safety, it still wouldn’t lead to a particularly more secure digital environment. It could indeed solve a major class of vulnerabilities, but it’s also the class of vulnerabilities that only highly sophisticated attackers use, so it probably is the less frequent in volumes of attacks. A vast network of Internet crawlers brute forcing common default credentials for unsecured IoT devices is, to me, a more worrisome class of attacks, because of its scale and low floor to access it. And it’s a kind of vulnerability that can only be removed by making cybersecurity due diligence standards mandatory.
@@Vaalin In response to the claim that Rust prevents a lot of vulnerabilities, saying something like "yeah, but it doesn't prevent all vulnerabilities" is not really a counter argument. Memory safety issues undeniably make up a huge chunk of software vulnerabilities and using Rust helps to prevent those from occurring.
It’s almost like profit seeking behavior is inherent to capitalism
The most aggravating part of the “skill issue” argument is that even if _you_ can write good safe c code it just takes 1 human miscommunication across an api boundary written by different people to create a CVE
Another problem with the "skill issue" argument is that Apple, Microsoft, Linux, Google, etc have essentially unlimited resources and decades of experience and yet they are still experiencing these issues.
So... Skill issues...
There's a skill issue in communication skills.
I view it the same as safety equipment for heavy machinery. No matter how skilled and experienced you are, you can still get tired on a Friday night and be rushing to meet a deadline. Impairment and time pressure issues can overcome skill and produce bad outcomes in all humans across all professions. It simply makes sense to fail safe instead of deadly.
And here we have it, now we know we can't trust Rot... I mean Rust.
C is illegal now
the c in c stands for crime
@@guyblack9729what about c++
@@guyblack9729 what do the rest of the other letters stand for?
@@bruhzzerPropaganda.
If only it wasn't one of the most compatible languages out there with extensive tooling and libraries. I don't think it's going anywhere anytime soon.
I'm guessing that you are not old enough to remember ADA. Fourty years ago, the DoD required all new software to be written in ADA for all of the same reasons.
Will it be different this time?
Yes. Ada came from Defense, including its design; Rust came from the developer community and is simply being _recommended_/adopted by government, among others.
@@midnightfutureI don't really see the difference.
@@midnightfuture implying rust isn't heavily political and compromised from the start lol
@rusi6219it's not. it's just a programming language, and a well loved one at that. if you're thinking of marginalized people being able to openly exist without being discriminated against within the community, that's not politics, that's just human rights. politics are things like dealing with taxes or government budgets or setting health and safety standards in different aspects of life. for example, food health codes.
in that, the government didn't create rust. they just promote it as one of the memory safe languages that exists and they want you to use a memory safe language. their goal isn't to make you pick a specific language or even one that exists today, just that you pick one that's safer than the ones designed when security was an afterthought. we still have the mess that's the email and phone systems with spam and scams cause security was an afterthought when they were made. i would gladly burn both my emails and phone numbers if i wasn't required to have them just to use any service. this is a step in the right direction to make a safer tomorrow
the government recommending Rust is way too suspicious
maybe i should use C instead
This comment is highly underrated.
I wonder what you would say to J Blow's arguments that 99% of safety problems in C are super trivial to solve. (He argues that the C compiler comes with many memory safety options you can enable out of the box for example.)
It doesn’t matter how safe your language is when 80% or more of data breaches are from social engineering and phishing. On the other hand, any language is safe as long as you make no assumptions about any input or write data and you have assertions in your code to check that data before any work is done with it.
It still gives us a peace of mind that we haven’t created an exploit unintentionally. Reducing the attack surface helps us target the next class of exploits.
Besides it also helps us avoid unintentional memory bugs in regular use.
@@mma93067 rust still has CVEs. It’s not full proof and relying on the claim of full proof is the same as having assumptions about your code.
@@mma93067 Rust still has CVEs. It’s not a cure all, and believing it to be has the same effects as making assumptions about your inputs.
Sure, social engineering is the biggest problem these days, but to say that memory safety doesn't matter is incredibly hyperbolic. Even if it doesn't cover all or most vulnerabilities, reducing the attack surface by 5% is nothing to scoff at.
Actually, it does still matter how safe the language is because attacks still exist which target those insecurities of the language.
Also, the idea that every language is safe as long as you do everything absolutely perfectly with absolutely zero assumptions is an overly naive solution. We already know that nobody is going to write perfectly secure code all the time. Crossing your arms and saying "well they people should code perfectly" isn't a solution.
Every switch, every router, every bit of Cisco equipment must now be disconnected
They preffer Cisco spying them than Huawei
It may very well be a skill issue, but that doesn't make the problem go away!
12:02 is the first time Rust is mentioned in case anybody wanted to know
I never listen to anything the government says
U have a hat made out of tin
They forget about Ada, which is memory-safe when used in certain profiles. The Boeing 777 still flies on Ada.
you know i suddenly don’t trust the ada programming language anymore
You say it isn't a skill issue, and you also jumped on the 2019 metric of 70% of bugs are "memory bugs", but neither get at the root of exploitation. 1. What is the most common vulnerability type exploited by hackers? Is it memory bugs? Or is it misconfigurations and user error (skill issues). 2. Do you agree the barrier to entry in software development has been reduced in the last 50 years allow people with maybe less skill to develop and release software (skill issues)?
For me it isn't about whether or not it is or isn't a skill issue because if you do anything wrong ever it could be considered a skill issue. I think that having a language that nearly completely prevents certain kinds of skill issues releasing in working production code is a good thing.
This is very interesting to me since the firm I work for takes a security first approach to everything we do. From the air gapped networks to the application code.
Is it smart to post this information to the internet?
@@Walter_ If we do our jobs right
I remember reading somewhere from Oracle I think that Java should not be used in space
In space you need realtime operations. You can't have that with a GC.
Code should be checked and tested so that it has no unintended behavior.
The “skill issue” argument is made by people living in a bubble. I can appreciate the sentiment, but the reality is that the balance of supply and demand for programmers and margins necessary for businesses to operate simply will not always allow for every programmer to be a very good™ one.
This is a LCD defense argument. Which sounds remarkably like projection.
The government operates with timelines and budgets that enterprises do not. They could absolutely establish a licensing criteria for federal dev work and create associated acceptance testing paradigms that far exceed those sustainable in private industry in the interest of national security. They literally plan to spend $20 billion to replace chinese made CRANES in our ports due to security concerns…
@@NinjaRunningWildLCD defense? As in the screen type? Could you elaborate, I find OP's argument quite compelling.
@@semitangentDo you understand mathematics?
@@semitangent lowest common denominator. In this case making an argument to defend the effort of the least skilled who posses a basic level of aptitude which is the lowest common denominator among all developers. Rather than expecting better from everyone.
You can write safe c using a lot of static analysis and testing. However, there are not many developers with the ability and know-how. I know only a few developers who write safe code with c, and companies are unable to find additional capable people with good coding practices. When you draw the line additional effort usually does not make financial sense, which is why rust is on my to-do list, to write optimised safe code in one step without Misra checks analysis and weeks of testing.
Memory safe hardware tends to be devices that enforce ECC checks.
Linus Torvalds called out Intel for being a major reason ECC memory isn't common
That only saves us from data corruption from high energy cosmic radiations.
Regarding GC, I think the issue is that GC is inherently unpredictable and almost always requires completely pausing execution, making its use in space operations that are sensitive to fractions of a second like reentry, where a degree can be the difference, infeasible.
C and C++ are memory safe, but your code may not be.
rust's stdlib worries me more than strcpy does because very few stop to consider maybe the code isn't safe since even though they can't see any "unsafe blocks".
In one sense, C is neither memory safe nor unsafe, because that's in the hands of the programmer. On the other hand, if the security problem is located in the possibility of making unsafe programs, then C itself can be considered unsafe.
I found your misspeak of the word "significantly" to "sufficiently" quite interesting.🤔
9:37
I can't wait to look at cyber security issues in an OS written exclusively in Rust
SOC analysts just got even worse at our jobs
Wdym It can't be a skill issue if it's been going on for 50 years? It's not like the same 10 people have been building all the software for 50 years.
Well Rust compilation times, are on par with the US burocracy, no wonder they love it ;-)
C++ is even worse in that regard.
@@georgerogers1166 in c++ you don't need to compile every single dependecy though
although, linker errors are one of the easiest way to go crazy lol
@@georgerogers1166 Compilation speed is not about language, it is about compiler.
@@0x90h c++ is inherently slow compiling when using templates. Multiple whole program compilation.
@@0x90hit's still about the language, the C/C++ header system slows down process noticeably. That's why C++20 has modules support - to speed up compilation.
The "garbage collector" at any time, unexpectedly, stops the program in order to perform it's task, which slows the program down. That's why its "not predictable" for space systems.
All dozen Rust developers are having a blast right now.
Damn, those 12 programmers downloaded crates 60 billion times, while creating 141 000 crates. Very impressive.
13, I started learning it.
I used this argument (and I think you talked about memory safe language before the White House published the report) to a class of young summer vacation students-hoping to get it into their heads “on the ground floor”- and it apparently went down well. It seems to make sense to young people without having to justify it much further…fingers crossed!
"Use memory safe languages" is code for "have somebody else write your compiler so you can blame them when your calculator app leaks nuclear codes".
Is the alternative to build your own compiler from scratch? I don't really understand this argument.
@@ultimatedude5686 you fell into internet falacy 17: assuming something is an argument. And falacy 18: assuming it was a personal attack against you. And falacy 19: being offended by it.
I was merely poking fun at the idea that delegating responsibility automatically yields better results.
@@Terrados1337 I was using the word argument very loosely. I didn't find what you said offensive, I just disagreed with the point you're making. Delegating responsibility to much larger and more well-maintained codebases (like the compiler and the standard library) is generally a good idea.
9:03 Yes. Why do you assume that more time = things are better?
A clear message that EVERYBODY should steer clear of it.
We need to know secure way to do something, not only with language to write code but also algorithm how to resolve each problem.
I'm glad. Just wish the syntax was simpler, like Go or Pascal.
Just wish they adopted the C philosophy of adding features every 30 years instead of every 3 months lmao.
C got presdefined bool types the other day... in C 23. We'll be using that in like 2084. (granted it had bools before, but not as part of the spec)
Useless addidtion. bool can be 0 and 1
@@defnlife1683 c had bools since c99
@@sillymesilly, bool is useful in _Generic, it also allows you to simply cast the value to zero or one and has different float casting logic
Finally an article that doesn’t refer to C/C++ and actually acknowledges them as separate languages!😂
Ahh, just like that time when the NSA recommended Dual EC DRBG... Oh wai-
One problem with the skill issue argument, is that even if you train your programmers, there will always be outlier programmers or regular programmers who happen to make mistakes, because we are humans. It's not reliable to rely on programmers, but code itself is pretty reliable(well mostly, that stray bit of cosmic radiation is pretty unlikely)
The White House can't even decide which bathroom to go to.
I agree about safety not being a skill issue. I'm all in for using Rust instead of C++. But to what level do you think that we have to constrain programmers? If programmers don't follow secure code guidelines and standards, there can always be security issues. Memory safety is not the only issue. Of course it's a big one. But what about the other issues?
This is what we call "preaching to the choir."
Considering what the USA deems "good" these days, this isn't the glowing endorsement people think it is.
Can you be 100% sure? You know the German saying: "Even a blind chicken does occasionally find a corn."
@@stzi7691 Hahaha... True.
However, I don't think this is the case with Rust. Largely because I don't think Rust is anywhere near as "safe" as people think it is. I mean, there are videos floating around now, which show people breaking the borrow checker and causing memory leaks, which most people seem to think cannot happen.
@@roberthoople wow rust has bugs? well back to writing assembly, be sure to push ur registers to the stack before overwriting them!
how is this a good point in ur mind? rust provides a lot of checks that avoid most vulnerabilities in C programs, it not being 100% effective isnt an own to it being safer
@@yandere8888 LOL. My actual problem with Rust are it's childish fanbois, and the diaper stink they bring to every programming conversation on the internet, not so much the language's on-by-default safety features themselves.
@@roberthoople ah yes the adult thing of not using a language cuz u dont like the other ppl who use it
what?
Recommending to goim thru legacy code and rewrite it in anything is a good way to catch old bugs. Might as well RIIR while you're up in there
and an even better way to introduce new bugs
The only rust Joe knows is in his joints and brain cells.
and maybe his bicycle too
The title is clickbait - from what we saw the paper only mentioned Rust as safer than C or C++, not as THE safest language. That title surely goes to Ada, especially in it's Spark version which adds formal verification. That's why it's been used for decades in space, avionics, medical systems, weapons systems and other safety-critical fields. It may not have the street cred of Rust, but it's a very interesting and mature language that deserves to be more widely known. Now there's a good open source compiler and language server it's much more accessible than before, and the new 2022 spec adds many modern features.
Rust should be adopted for security measures AND it's a "skill issue". We need more useful hiring standards. Who gets the mission-critical programmer job? Is it Techy Trevor, the autodidact who contributes to open source in his spare time, who knows how to analyze and maintain complex codebases? No, it's Cody Brody, the buzzword-spewing asshole who knows all the leetcode problems, with connections and a CS degree rife with Python and gen-eds. It's not even Brody's fault, he's just following society's incentives. I'm in my last year of CS undergrad and it's turning me into Brody. I've aced job interviews by acting like Brody. Hire competent people like Techy Trevor, damnit!
@@TapetBartHey, one day you might be in charge of hiring. Do the right thing and spread the truth.
You skipped over a very important part! Formal methods.
You mentioned that even though memory issues make up 70% or something of the known vulnerabilities, there are other classes of vulnerabilities, like logic-based errors. Formal methods are there to mitigate that type of error, by ensuring that the code you're writing actually does what you thought it does in the first place
The white house: Rust is safe!
Cve-rs: ...Do you even know what you are talking about?
There is one crate that demonstrates that it is possible, though not common to have memory vulnerability in safe rust, if you try really hard. On the other hand, best C programmers, even when trying really hard, release software with these vulnerabilities on daily basis. So I think, Rust is safe for now.
i mean, your average rust programmer is not exactly using HRTBs in their code lmfao
"the white house said it, it must be true! Everything else is disinformation! Censor it!"
Rust is generally safe, what CVE-rs did is very, very, very specific AND what they did it is catched by MIRI (which you should be using if you are trying to make your software the safest as possible with the language). It is also a problem that can be fixed, so it eventually will.
Of course I'm not saying it is not bad, it is pretty bad, but still, edge cases does not removes the benefits on security of the language.
@@diadetediotedio6918 "eventually", sure
The point about a tracing garbage collector is that it comes with overhead, which actually sits in the way of real time performance, as described in the sentence before.
A GC has to dynamically track all used pointers to objects in memory continuously. In order to achieve this it must perform certain checks frequently, which cause very short but still real interruptions in code execution.
For software related to very precise scientific technology and measurements, this might be an actual issue. So I totally understand this point. So Go and C# cannot be used for example.
Changing to Rust will not stop cyber-crime. I want people to know that. It can help increase security generally, but it cannot change the dynamic we currently have. Black-hats will always have the initiative.
We should, at the very least, recognize that programming is an art, and preserve the use of "unsafe" languages for use in environments where safety isn't a concern (such as offline, single-player video games).
If the government wants to use Rust, let them have it. If they demand it for browsers and internet-related code, then so be it. They should not interfere with the freedom to use and create languages.
I am more concerned that rust is also being used to create malware/exploit
@@YandiBanyu oh it is, and will continue to be (there are already "hacking" courses that use Rust on youtube). You can't touch hardware without security concerns. Unless the government wants to rebuild everything from the ground up, it will continue to be that way.
@@YandiBanyu Which is even more reason to use Rust for the possibly targeted good software as well, as a counter measure.
@@jongeduard I am not saying do not write software using rust. Both can exist at the same time. I am merely pointing out that malware too can be created using rust.
@@YandiBanyu Oh no problem, I did not think or intent that either. I just emphasized the importance. I actually liked your comment instead.
I expected better of the C compiler honestly.
if i is an unknown value and I have an array with unknown length. that does not compute or should not. It should raise a type error.
The same as if I is in en expected range but the length of the array is unknown. -> type error.
only if i < the length of the array it should ever compute.
The much better way is to make arrays of the length of powers of two and to mask the index with a binary operation. If you want a significantly higher level of security still, then you use the MMU. None of this does anything for you if the attacker has hardware and root access. These are all just obfuscation techniques. If you need truly secure systems, then they need to be isolated physically. A strong steel door is the best way to go. ;-)
what relevance does a 50 year timeline have to the validity of a “skill issue “argument? The US education system has been turning out below average students for decades. Recognizing that a problem exists but failing to educate in a manner that addresses it, or develop and enforce standards that hold people accountable for avoiding it, guarantees that any skill issue will persist for decades to come. Problems don’t just magically fix themselves, and giving a carpenter a different hammer doesn’t make him a better carpenter.
@@matta5749 what relevance does average level of student have to the quality of the work product which they have been educated to produce? Seriously?
Yeah I was about to comment the same myself. If anything programmers have gotten worse in 50 years, not better as is assumed for some reason.
The biggest issue with any processor in space is that Two's Complement completely sh1ts the bed when passing through the Van Allen radiation belts.
Zig has placed itself nicely to replace legacy C and C++ code. It'll be interesting to C how it competes with Rust in this space
Never heard of it in real life: so competition currently non-existant.
@@samuele5931 tuple is one example. Zig ships with a compiler that can compile C and C++, its memory safe and simple so I think its a pretty strong competitor because of the way it sets it self up for rewriting legacy C and C++ codebases. It would be simpler to rewrite in Zig than Rust
@@samuele5931 Bad take
Uber use it
My company use it and we're responsible for a very popular software to manage datacenters and servers
I agree. If Zig continues to perform and stabilize, I think it will start replacing C, and maybe some low-level C++ areas like games/graphics. Rust will need to compete with Golang to pick the corpse of C++
Maybe the government shouldn't be aided in their security given the kinds of things it's already known that they are up to...
I'd love to see a deep dive on memory protection features built into compilers and/or operating systems - where they fall short, the edge cases, and maybe reasons they aren't consistently used. These aren't really mentioned when talking about the latest safer language
Cannot believe the politicized comments. This is a research paper; it was not written by a politician. It was commissioned by the government and written by industry experts. There is a difference! Let’s look at the merits of the paper. Has anyone claiming the government is advocating Rust over C, actually done any programming in Rust, or are the reactions just politically motivated?
rust was made by insane devs for insane devs
so... made by devs for devs?
Im staying with C although now I'm thinking of trying Rust maybe port over a couple small apps of mine and see how I feel.
Rust is bloated, not as minimalistic as C.
@@TheDarkBusinessman >c
>minimalistic
have u seen libc?
So the list includes: Java, Go, Python, C#, Swift. - KlausGean
Ada enters the room (and locks the door behind it)
Multi-threaded, type safe, and memory safe since 1983.
The problem is saying "it's a skill issue." is even if you are a super skilled programer, you will eventually make a mistake, the borrow checker on the other hand, will not.
"borrow checker on the other hand, will not" sounds like a religious dogma
@@igoralmeida9136I guess there's a slim possibility that the borrow checker would allow code that it shouldn't, but so far I've only ever heard of it being overly restrictive, which I'll gladly take over manual verification.
@@chinoto1lookup cve-rs.
@@TapetBart My other comment disappeared. Shortly after my first comment, I looked into cve-rs, which escapes the borrow checker. Funny how I found it so quickly after my erroneous comment.
@@igoralmeida9136 I mean it's an algorythem, and it has rules that prevent data races and use after free's, so therefor, it does make make mistakes, because it isn't a human, idk what universe your in where this is religous dogma.
Insecure is a skill and time issue often companies like to take shortcuts, but would say that C could use a stricter compiler compared to today.
Use the right compiler flags and you can have the same thing without having to learn a new language or participating in an obnoxious community
Just use compiler flags
Rust still sucks. And the U.S. government calling it out to use it just proves that it does indeed suck. It's not C and C++ fault that the developers of such cyber security systems didn't know how to use the language and just slapped together whatever it took to get the paycheck...
Exactly -- lousy coders do not become good by being given safer toys. If anything, this will result in even more bad code due to the perceived "safety".
@@rusi6219 Thank you. Perfectly Said!!!
What did the government say?
I cant hear them
Can they repeat?
I really cant hear what they are saying
What a nightmare
Hey, maybe the topic of the upcoming NIS2 directive might be interesting for you. It's not about secure software per se, but more so about secure systems and holding CEOs liable
"The US government promotes Rust."
Wtf I hate Rust now.
Rust will be a revolution. Like Ada was!
fortran is still here and wil lbe . c++ compiler enginers will fix that allows you to do bugs so your rust will not be revolution . cuz it forces you to do in the way it wants so idk if anyone in his mind will use rust . there's many memory safe langauges and far easier than rust
the thing i dislike most about rust is that its managed or whatever you like to call it by a single entity, i feel like with c thats kinda different, theres tons of c compilers out there which just makes it feel less commercial for some reason
@@tiranito2834??? The rust compiler is OS, obviously. There are alternative ones, there just isn't reason to use them yet. If there's ever issues with rustc obviously it will be forked and a new one will be the default compiler choice, if there's demand for it.
@@clairel34 Except you can't call it a Rust(TM) compiler without permission.
Erm.... if The White House says anything is good... my first thought is that it must be awful.