what's so safe about unsafe rust?

wanna learn how computers work? learn to code at lowlevel.academy (get 20% with offer code ARMASSEMBLY20)

Great video, and I'd like to reinforce your comments on the merits of unsafe rust. When we work on audits of rust code, we specifically look for unsafe rust first and give the most attention to that, because it is the most likely place for the serious issues within many open source rust projects.

Miri is *extremely* useful! when I was porting an existing C program, miri ended up catching multiple vulnerabilities that otherwise produced no noticeable side effects when running an existing test suite. Genuinely a gamechanger when writing unsafe code.

one thing I think you could have mentioned: Even when writing a good chunk of unsafe code in rust, the LSP rust-analyzer does a pretty good job of giving you a whole lot of warnings when you're trying to do the more "questionable" things you can do inside an unsafe block, it really is a powerful tool to avoid undefined behavior.

honestly, I am by far more concerned about supply chain attacks, which I feel like are more probable to be exploited, have a bigger impact and need less cognitive effort compared to memory vulnerabilities. The sheer amount of libraries used in rust due to user friendly cargo - compared to C/C++ is somewhat scary to me

Is it possible to have a useful system level lang where you can’t do anything unsafe? So couldn’t deref raw pointers, allocate mem on the heap, etc. I thought the rust unsafe keywords purpose was to create safe wrappers around inherently unsafe code like a vectors get method which is safe because even though it’s trying to read a pointer at any index, it returns None if it’s out of bounds creating a safe interface around a unsafe thing (reading a raw pointer at any index). I just don’t think it’s possible to have a truly 100% memory safe system lang

Since you mentioned you have never played with Miri, I'll take this opportunity to say that Miri immediately detects the use-after-free that cve-rs generates despite the fact that it's exploiting a compiler bug. :D

If anyone wants to do more reading on this, "Rust for Rustaceans" by Jon Gjengset has a fantastic section on unsafe Rust.
The rest of the book is also great!

From what I know, the windows crate is a gigantic crate in terms of code size, mostly since it's all generated from windows interface definitions, for all possible windows APIs you could think of (of which there are far more than of eg the linux kernel, since Windows APIs are concerned with more than just the kernel, and also Windows retains backward compatibility for far longer).
So yeah, combine that with it being fundamentally FFI calls with a C (like) ABI, it's not really that remarkable that it has the most uses of unsafe of all crates.

I took your advice on learning c then rust a while ago and it was a great decision, thanks for all the mega cool videos

Starts off implying that the 'unsafe' keyword stops the borrow checker. Hmm... OK the rest of the video turned out much better than that opening laid out.
Zig is my chosen language the past few months but I wouldn't classify it as a memory safe language in the same category as Rust, VM languages, and scripting languages. It's more memory safe out of the box than C, sure, but that's not the same thing.

"34.35% of crates make a direct function call into another crate that uses the unsafe keyword" - remember tokio has to use unsafe to make use of the context api which is necessary for async runtimes. Additionally, if you're doing anything with Pin, you pretty much have to use pin_project or something similar, which has unsafe under the hood as well.
BTW there is an interesting question of methodology: let's consider crate like pin_project: the crate itself just exports a macro and doesn't contain any unsafe code by itself, but the code the macro expands to does contain unsafe, how is it counted? Does the crate using pin_project contain unsafe according to this methodology?

15:42 why do you describe zig as a memory safe language (or a language that tastes like it's memory safe)? The first zig program I wrote segfaulted because I was careless with pointers. Is zig even in any way safer than C++? Both have tools to help guide you towards safer patterns, but neither compiler actually verifies that you use them correctly.
Don't get me wrong, zig is an excellent language and a huge upgrade safetywise over C, but clumping it with memory-safe languages is a stretch

Rust has more videos on TH-cam than actual lines of code working in production

I didn't know Sza was concerned with software safety, makes sense since she wrote ghost in the machine

The only reason you like Rust is the safety? Hmm...
I honestly don't care all that much about the whole safety thing. It's everything else I really like.
Sum types, blocks as expressions, traits, etc.
It's like the language was designed for me, I like (almost) everything about it. It also has all the features I've been wanting in other languages (most notably sum types and powerful pattern matching/destructuring)

You know what would be cool? If the OS running the executable could tell you which unsafe block it was in when something crashed, because the compiler left them all labeled and it tracks every time an unsafe block is entered

I'm not surprised at that number. Heck, I'm surprised it's not higher. Even syscalls are an FFI, so must be considered unsafe. I have a feeling that the Rust devs have "cheated" some with some of the basic syscalls, so that the number isn't closer to 100%.

If ever Rust "how to" didn't sound like a cult recruitment drive I'd be more likely to adopt it. The problem with "safe" C is that is not taught. 5:00 willing too bet that 90% of the 70% is not validating an external input.

How does rust work for microcontrollers? Writing to memory has inherent side effects that the compiler can't know about. It feels hard to have memory safe code if the memory goes and changes values when you aren't looking

100% "safe Rust" is not safe by any reasonable definition of the word "safe."

Miri is valgrind on steroids, it's an amazing tool

Yes its safe if you use it as intended.
I hate to be a pain but when was the last time you used any language as it was intended??? Its my humble opinion that the definition of safe and unsafe languages is irrelevant, when the devoloper writing the code is more unsafe than typhoid mary!

I mostly exist in high-level data wrangling land, but this channel has been extremely interesting to me. Thanks for breaking it all down for us!

*CVE-RS MENTIONED* 🗣️🔥🚀

The biggest problem with rust is the rust foundation.

Unsafe isn't actually unsafe.
My disappointment is immeasurable. and my day is ruined. I will now learn rust and use unsafe everywhere.
_I hope you're happy._

My bias is leaning towards zig. While still generally memory safe, it feels much more ergonomic than rust. But I can acknowledge that I should do some more bigger projects in rust to get a better idea. I think zig is the perfect bridge from c to the modern world

A lot of unsafe exists in mutable iterators, simply because borrow checker is too restrictive. A container that is otherwise 100% safe, would still require unsafe for a mutable iterator.

I'd love to see a discussion on modern c++, and how that counts as safe or not, or how to write safer c++

The MIRI tool is a must when writing unsafe. Unsafe rust is not C, it's harder because you need to uphold more invariants

I'd like to see how much rust isn't the external api type unsafe. Those external calls can eventually be made safe as more things are ported.

You know what's safe? "Hello World". Thread safe, memory safe and hack safe.

Gödel & Church strike again..

I have a unsafe macro in rust, and it's called trustme

Grammar nazi (if I'm actually right): I the opening you said 'and if that underpins Rusts security'. I think you meant to say undermines? AFAIK underpinning something is making it stronger.

Rust, not Zig, is the future of safe and reliable software? Dang it. I just started learning a bit of zig...

I dont think Rust is more difficult than C/C++, I think they are on the same level of difficulty, I think though that C/C++ is a more stable foundation to begin learning because of Rust's more "modern" features.

Most of the top crates use unsafe as that's the only way to get all the performance. As such most likely a lot of the code you use will have unsafe in the libraries used. And that's fine.

You should really put a timestamp for people who know what is the concept of Rust! Because the beginning of the video was so boring to me: I use Rust a lot so I just wanted your insight on the report!
good vid tho

0:00 “Rc causing memory leaks? Don’t worry, memory leaks are safe” - rust

You will have to pry Python out of my cold dead hands.

Who else is just waiting for Zig 1.0?

I wonder how much of unsafe rust is for embedded system calls.

How do you know someone uses Rust?
They tell you.

Do real Rust programmers have to rely on non-rust code much (C++ libs and other external code)? And, if so, how much and I presume this negates a decent amount of safety.
Edit: Just got to 12:50 or so and see this is particularly addressed. Sorry all.

I will never accept tha CISA/DISA statement on code safe languages, not because I don't think its an important point to make, but just because it feels like a such a buck pass for the overall security issues in both public and private infosec applications not just within US infrastructure but outside of it as well.

Run Cargo-Geiger on your favorite crate that has substantial dependencies. Rust still builds superior software and the abstractions possible in the syntax are extremely underrated (traits, blanket impls, macros etc) as a consideration for the languages value. Theres a lot to be done in language research and Rusts ambitions have definitely left some syntactic loose ends but having gone back and Forth from Rust to C etc. Rust is objectively better for what it sets out to accomplish.

what it does is give you a "standard" to follow when it comes to the question of memory
which is better than C which has no standards or principles or guidelines in regards to memory management

Miri is an amazing tool. They keep a ledger on their github of bugs that they have found in prominent crates.

rust std library also full of unsafe code. There’s no escaping unsafe even if you took away the c bindings

You need unsafe for things I consider fairly safe in rust - ie, casting a struct to a byte slice, even if the struct implements Copy.

I wonder how much Unsafe Rust is necessary for developing gamers on Windows, 'cause you need to use the Windows API often.

Sorry, but I will never give up the joy writing code in assembler. 😊

What do you think of the Ada programming language ? It provides a lot of tools for writing secure code too.

Name the one programming language for game, web, AI, OS, System design, App etc development and can C do it?

How do they make Linux API calls in a Linux crate without as many unsafe instances as the Windows crate?

I am a new Rust programmer. How would I do this if I wanted to be safe in Rust. I have one master thread. I have 1023 threads that churn out lots and lots of numbers. I have a global structure called status. Each thread can read the structure. When a value in that structure is set to finished, each thread returns all of it's work. Only the master thread is intended to change it. The other thread just watch it to see the system status.

Whats unsafe about rust? The users mental state after using it.

Don't know... Don't care! I already know enough software languages!!!

There was an error in this video: line 69 is always good code.

Rust is like a condom. When used as intended they are 99% safe

I think Zig is much better in stuff that people try to use Rust for xD

c isnt the problem
humans are the problem
we just prefer to externalize blame
accountability is the great filter
love your videos

unsafe = bad engineer or lazy developer who would rather use a package than write their own code (note difference between engineer and dev)

I'd Like to see a video on safety in Zig and how it fares compared to Rust.

Perhaps it's because I'm not pressured by a time crunch on my project but is it really that difficult to write safe C code? From my experience, writing safe C code wasn't hard at all. I know you make fun of it as a skill issue but it really seems like a skill issue. I see alot of brainlet devs write: `free(p); p = NULL;` and just repeat that instead of wrapping it into a function that will free the pointer and then set it to NULL. If you call `free` on a NULL, nothing will happen and is guaranteed to be safe. Even worse is when a brainlet doesn't write `p = NULL;` at the end. Memory management isn't that hard either. If you can help it, *don't* allocate heap memory. Also, keep a variable that tracks buffer sizes with every allocation so that you can prevent buffer overflows. Input validation isn't just a C issue but every language has to do it.

Thanks. I'm about to start learning Rust

SDR, Downgrade Attack (Changing LTE to GSM).
Attacker collects your device information? For what?
With Device ID can other attacks be performed? Push? Install? MITM apps? Keyloggers?
What is the worst that can happen?

Why bother to learn a new language ZIG, where there are no string only arrays defined as [u8], string manipulation function are verbose and clunky, and memory allocators are different paradym. Sure there error handling "try syntax" is good. The complier is your enemy. When we already have Rust, why bother with zig ? or Go if you want to stay high level

15:30 let's quote my professor regarding that: "Why do we use C? Because you need to learn how computers work. Once you are done here you can get yourself a job coding in Python, or C#, or any fancy language you want, but if you don't learn how computer memory and CPU cycles work, your code will be terrible."

I think the amount of Rust unsafe calls might decrease in the future if developers put an effort to rewrite those crates that use unsafe to make calls to foreign functions.
For example, I think most crates that deal with database connections, Vulkan API binding, OpenGL binding, device drivers etc are written in C/C++, not in Rust, so if these API bindings get re-written in Rust then this will reduce the amount of unsafe calls. 🤔

I'm thinking lately that my dream language would be something as simple of possible, like C with something like the built-in standard library of Python to back it up and perhaps some of its keywords (with, in and exceptions).

"not calling destructors is consider safe - because memory leakage is considered safe"
I am developing a python library and it's main dependency is another library that's basically python bindings for a rust backend via ffi.
Bug I run into tons of rust panics or hangs. And it's not trivially understood or even debugged. So I might need to really learn rust to fix some bugs up-up-up-upstream.
Some of my code is really awful because I am constantly cresting new descriptors and stuff because nothing seems to be reused, mutable or even just pointing correctly. But its graphics programming so the rules change quite a bit.

if rust has a million haters im one of them
if rust has 5 haters im one of them
if rust has 1 hater that one is me
if rust has no haters im no longer alive
if the world is against rust i support the entire world
til my last breath ill hate rust

Could you please cover cve-rs (a repo which contains some examples of how to corrupt memory in 100% safe Rust)? Would like to know how it works and how the Rust team will fix it.

unsafe { cope::seethe(mald); }

I feel like there's a similar mental reminder with requiring to explicitly define an unsafe block that happens when forcing to handle errors. By forcing developers to actively do something, it reminds us that something can go wrong.

Would the compiled unsafe code be distinct from safe code , would the compiled protective mechanisms or their absence give away a section of a program that is unsafe. You talked of when auditing sources for unsafe key word your attention would be raised, I wonder if possible detecting the absence of the safety mechanisms in compiled code would also possibly be a red flag to a hacker, "here is where to start looking".

It's like people still using raw pointers in C++ because the second you use smart pointers everything breaks because they are safer and then all of the horrible practices that had been used don't work... and people moan that they are not good enough and continue using raw pointers. At least rust forces you to specify you are about to break things

I love rust. The whole memory safety thing makes the compiler intimately familiar with your code so you get *correctness* for free. Correctness being how accurately the contacts you've defined operate by the rules you intend for them to follow.

hey! would it be possible to ask you to have a longer VOD where you write the mentioned HTTP server say in rust and then try to break. basically just like you mentioned. I think it would have a really great learning value ...for me at least :)

How much of the memory safety could be put into the C compiler like if there was a flag that would pause compilation and ask for confirmation when there something detectable like an allocation call without a free call? Obviously not the same as Rust, but if some safety could be imported as a harder version of a warning or a soft error (since it is still valid code, just bad code), maybe we could get some benefits in C or C++ as well.

Love your vidoes and the way cover topics. Have you looked into Dynamic Linking (or Shared libraries) in Rust? Would like to hear more opinions about this. Personally it would interest me to have such functionality.

I agree more with Jonathan Blow

There's another Undefined Behavior detection tool called Rudra, which the team used to detect UB and submit CVEs for numerous crates. It's based on a specific version of nightly Rust though, and needs some updating. It still works on crates that can be compiled with its Rust version

The most idiotic sentence is "Rust is not memory safe because we can write unsafe rust"
It's like saying nail cutter isn't safe because it can cut my toung

Started with Python. Studying C now using the Zig compiler to compile C code. Rust may have the spotlight but Zig is pretty awesome too and easy to work with.

Its called Rust because your ability to write decent code becomes incremntally rusty the more you code with Rust's training wheels

Are/would you consider adding Rust or Zig courses to the Low Level Academy in the future?

Married with Rust, i don't know, the Rust foundation still can take away my children?

she rust till i metal

10:20 "you know that line 69 is an issue" 😂

I still think the best motivation for learning a non-C language is when you wrote your umpteenth vector-like library and still find valgrind issues in it. The university I went to IMHO taught C the correct way. Any and all exercises had 10 tries, all of them had to compile without warnings and had to have zero valgrind issues. If you didn't pass in 10 tries, too bad, try again next year. I still remember some people literally bursting into tears while doing the exercises in a computer room.

Did that guy who farted in your comments the other day come back?

I'm addicted to exotic unsafe dispatch please send help.

My guess: not much because we've brought our own baggage and previously learned incompetence into it :D
Let's watch the video now, hope I am wrong!

I think you are downplaying the language spec bug with the lifetime allowing "safe" rust to access released memory. The problem of having even convoluted way is that it is not expected and probably not possible to catch in reviews, so determined malicious contributors can eventually hijack complex projects with high probability where nobody expects that. Also IMHO, it is not as convoluted to not appear in code just by accident, when even inexperienced programmers are forced to use one of the most tedious and hard to understand feature of the language.

That’s why I only code in Java.

I'm so sick of hearing about this ugly language with it's dumb name.
No offense, but it's not the future, and I'm actively taking bets on that. I bet that in 5 years Rust will be about as popular as BASIC.
And this whole memory safety issue... Like prior software heavy solutions devs used to have to write, will be solved with on-chip hardware solutions, like video compression and encryption was.