Memory Safe Languages in Android 13 (Google security blog)
As the amount of new memory-unsafe code entering Android has decreased, so too has the number of memory safety vulnerabilities. From 2019 to 2022 it has dropped from 76% down to 35% of Android’s total vulnerabilities. 2022 is the first year where memory safety vulnerabilities do not represent a majority of Android’s vulnerabilities.While correlation doesn’t necessarily mean causation, it’s interesting to note that the percent of vulnerabilities caused by memory safety issues seems to correlate rather closely with the development language that’s used for new code. This matches the expectations published in our blog post 2 years ago about the age of memory safety vulnerabilities and why our focus should be on new code, not rewriting existing components. Of course there may be other contributing factors or alternative explanations. However, the shift is a major departure from industry-wide trends that have persisted for more than a decade (and likely longer) despite substantial investments in improvements to memory unsafe languages.
(Thanks to Rahul Sundaram.)
(Log in to post comments)
"do not represent a majority of Android’s vulnerabilities"
Posted Dec 2, 2022 1:03 UTC (Fri) by gus3 (guest, #61103) [Link]
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 2, 2022 6:24 UTC (Fri) by TheGopher (subscriber, #59256) [Link]
I'm surprised there isn't a breakdown of vulnerabilities per language, just an assumption of what's what. This would be more interesting.
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 2, 2022 7:40 UTC (Fri) by roc (subscriber, #30627) [Link]
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 2, 2022 10:48 UTC (Fri) by TheGopher (subscriber, #59256) [Link]
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 2, 2022 12:13 UTC (Fri) by Sesse (subscriber, #53779) [Link]
Basically, Java and Rust both completely eradicate a certain class of errors that tends to create severe vulnerabilities, no matter what you choose to call that class.
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 2, 2022 10:50 UTC (Fri) by TheGopher (subscriber, #59256) [Link]
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 2, 2022 11:59 UTC (Fri) by khim (subscriber, #9252) [Link]
True, but WIkipedia, at least, says race condition is memory safety type of error.
Java clearly doesn't prevent race conditions (not even Rust does that, it only prevents data races, although safe Rust prevents concurrent reads/writes to shared memory which Wikipedia equated to data races), thus more clarification would be great.
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 2, 2022 13:23 UTC (Fri) by atnot (subscriber, #124910) [Link]
> Race condition – concurrent reads/writes to shared memory
This definition is equivalent to what the article and rust land calls a "data race". It's not really worth arguing on vocabulary because there's not really any common agreement on what a lot of these terms mean or what their relation is, as the article points out.
The important thing is just that unlike some languages like C or Go, race conditions in safe java and rust can not cause language-level undefined behavior. They can only cause program-level unexpected or undesirable behavior.
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 2, 2022 15:46 UTC (Fri) by marcH (subscriber, #57642) [Link]
I believe the work to create java.util.concurrent eventually prompted this:
https://en.wikipedia.org/wiki/Java_memory_model#Impact
> The Java memory model was the first attempt to provide a comprehensive memory model for a popular programming language.[6] It was justified by the increasing prevalence of concurrent and parallel systems, and the need to provide tools and technologies with clear semantics for such systems. Since then, the need for a memory model has been more widely accepted, with similar semantics being provided for languages such as C++.[7]
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 2, 2022 18:41 UTC (Fri) by matthias (subscriber, #94967) [Link]
For java this should be true, but in rust, data races are undefined behavior. However, in safe rust, it is not possible to cause data races. Every reference in safe rust is either read only or unique.
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 2, 2022 20:43 UTC (Fri) by atnot (subscriber, #124910) [Link]
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 2, 2022 22:26 UTC (Fri) by riking (subscriber, #95706) [Link]
- Create a multi-producer, single consumer channel.
- Create two threads with different identities.
- Each thread sends its identity over the channel after it starts.
- Read the first value received from the channel and do something important with it.
The two threads race to be the first to deliver their value. An identical situation in Java is also easy to accomplish.
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 5, 2022 12:02 UTC (Mon) by hmh (subscriber, #3838) [Link]
However, what _atnot_ described is known as "TOCTOU", and it is an extremely common race condition that is behind a lot of security vulnerabilities involving filesystems, for example. In this case, the program would be racing whatever else might be trying to manipulate that same filesystem resource. And it is extremely easy to screw this up in Rust just like it is in Java, C++, C, and most likely just about every other general purpose language.
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 5, 2022 12:22 UTC (Mon) by khim (subscriber, #9252) [Link]
> And it is extremely easy to screw this up in Rust just like it is in Java, C++, C, and most likely just about every other general purpose language.No. It's possible to do in Rust, but it's not easy (let alone “extremely easy”). If both producer and consumer are in your program then Rust's type system would, usually, stop you (read here about how it does that).
Of course if you would add communication to external systems (use Unix pipes or network for communication between pieces of one program, for example) then all bets are off, but I wouldn't characterise such design as “extremely easy”. Rather I would characterise it as “elaborately created footgun”.
Yes, they are possible, but you have to work to create them.
P.S. And yes, people often complain bitterly about that property of Rust when they invent clever footguns and Rust says it doesn't want to accept these. Just look on how some people avoid race conditions. And weep.
P.S. Actually read the whole thread. Because guy there treats race condition precisely and exactly like other here treat UB: I tested, it worked in C#, why compiler couple make it work for me in Rust? O_PONIES
, O_PONIES
, and more O_PONIES
.
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 5, 2022 16:07 UTC (Mon) by Wol (subscriber, #4433) [Link]
> No. It's possible to do in Rust, but it's not easy (let alone “extremely easy”). If both producer and consumer are in your program then Rust's type system would, usually, stop you (read here about how it does that).
Please. Stop. Engage. Brain. Before. Opening. Mouth.
You clearly don't understand what TOCTOU is (or, more likely, you forgot that was what we were discussing).
The problem is not preventing your program screwing it up. The problem is preventing an *external* *hostile* program taking advantage. If there is an easy way to prevent Rust from screwing *that* up, I'm sure many people will be all ears ... (Other than how I did it years ago in Fortran, files were configured NR&1W, everybody could open the file read-only, but to change it, you had to open it r/w, and then run the entire transaction from scratch.) Just because the Rust compiler blocks two threads in the same program messing up, doesn't mean it'll stop an unrelated trojan barging in on the party ...
Cheers,
Wol
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 5, 2022 17:22 UTC (Mon) by khim (subscriber, #9252) [Link]
> You clearly don't understand what TOCTOU is (or, more likely, you forgot that was what we were discussing).TOCTOU may happen inside of one program, too. In fact if we are talking about things like Linux kernel then most TOCTOUs which caused security problems, happened inside of kernel, not outside of it.
> Other than how I did it years ago in Fortran, files were configured NR&1W, everybody could open the file read-only, but to change it, you had to open it r/w, and then run the entire transaction from scratch.Today we have Rwlocks for that and you can [try to] upgrade reader lock to writer lock. But yes, Rust ensures more-or-less what you describe. Just on language level.
Yes, of course, by itself it's not a protection against external actors, but it greatly simplifies code which have to deal with external actors, too.
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 5, 2022 18:13 UTC (Mon) by mathstuf (subscriber, #69389) [Link]
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 2, 2022 19:15 UTC (Fri) by tialaramex (subscriber, #21167) [Link]
Our universe has race conditions, we're used to that. The illustration I like features a cat, we put the cat out the front door, we walk through the house, we close the kitchen door - but the cat might be back inside, because it can run around the house and back inside before we closed the kitchen door. If we don't want that we need to shut all other externals doors (and possibly windows) before putting the cat out.
Data races are much stranger and unlike our normal experience of the universe.
In Java data races are technically safe, but they destroy Sequential Consistency, which means it's very difficult for human programmers to reason correctly about the behaviour of concurrent software with races. Humans expect things to happen in some sort of order, maybe A happens before B, maybe B happens before A. You can write a list of possible orders. But without Sequential Consistency, perhaps A causes B, which then happens before A, very confusing. Better to let the ultra-low level concurrent CPU primitives people think about such things, not us mere mortals. Java offers almost the best possible case with loss of SC. All unaffected variables work as expected, and the raced variables are definitely valid, but their value may be astonishing, including both "before" and "after" the race. The value will always be a value they actually had, or would have at some point, but maybe seems out of place now. e.g. if you only store even numbers in foo, and you race it, foo won't ever be 35 or -7 or something. But it might now be 126 even though you expected the program to print "One Hundred!" before that happened.
In safe Rust data races can't happen.
In languages like C and C++ all data races are immediate Undefined Behaviour, all bets are off, please proceed calmly to the lifeboats
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 4, 2022 5:09 UTC (Sun) by NYKevin (subscriber, #129325) [Link]
Most of us are used to that. Some of us still haven't got the memo: https://bugs.openjdk.org/browse/JDK-4045688
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 5, 2022 1:38 UTC (Mon) by anton.kochkov (subscriber, #161204) [Link]
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 5, 2022 5:47 UTC (Mon) by Fowl (subscriber, #65667) [Link]
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 6, 2022 6:01 UTC (Tue) by TheGopher (subscriber, #59256) [Link]
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 2, 2022 20:22 UTC (Fri) by FSMaxB (subscriber, #106415) [Link]
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 3, 2022 11:10 UTC (Sat) by pawel44 (guest, #162008) [Link]
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 3, 2022 16:04 UTC (Sat) by raven667 (subscriber, #5198) [Link]
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 3, 2022 18:16 UTC (Sat) by mathstuf (subscriber, #69389) [Link]
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 5, 2022 7:58 UTC (Mon) by pawel44 (guest, #162008) [Link]
Fixed this analogy for you.
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 5, 2022 17:57 UTC (Mon) by mathstuf (subscriber, #69389) [Link]
- narrow scope
- single developer
- easily fits in said developer's head
Of course, that last part tends to fade away with time.
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 5, 2022 19:37 UTC (Mon) by pawel44 (guest, #162008) [Link]
Regards.
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 5, 2022 20:09 UTC (Mon) by mathstuf (subscriber, #69389) [Link]
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 6, 2022 0:06 UTC (Tue) by atnot (subscriber, #124910) [Link]
It's not that they don't have the skills to make good products. It's just that you get further by launching more bad products into the shredder instead.
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 6, 2022 2:41 UTC (Tue) by mathstuf (subscriber, #69389) [Link]
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 6, 2022 5:58 UTC (Tue) by marcH (subscriber, #57642) [Link]
This argument comes up regularly in discussions about memory safety despite overwhelming evidence.
I've always wondered what kind of fantasy workplaces can afford to do this. Does any exist for real?
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 16, 2022 3:31 UTC (Fri) by njs (subscriber, #40338) [Link]
Of course you can believe what you like, but the facts we have in front of us in this article are:
- Google made absolutely massive investments in C/C++ quality – sanitizers, fuzzing, language extensions, the MiraclePtr effort, ... – and they still shipped apps with lots of security (and other) bugs. All that stuff has benefits for sure, but none of it moved the needle on these metrics
- They started intentionally using Rust/Kotlin/etc in places where they had previously used C/C++, and this *did* reduce security (and presumably other) bugs.
At this point, arguments that C/C++ are fine if you're just careful/skilled enough are like believing that bad things never happen to good people. People only believe it because it makes them feel good, and let their emotions override objective data or rational judgement.
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 8, 2022 4:33 UTC (Thu) by flussence (subscriber, #85566) [Link]
Languages performance
Posted Dec 3, 2022 21:33 UTC (Sat) by stephen.pollei (subscriber, #125364) [Link]
I found benchmark that places even slowest language at 25 times slower than c. rust is likely in same ballpark as c and c++. java, c#, go are likely within 3 times slower. At the moment, rust seems like it could be slower to develop in then a few other languages.
for a lot of projects, the performance of java, c#, and go are good enough. If they need faster then they'd have to choose between c, c++, zig, and rust. For rust, likely will be more difficult to find programmers skilled in it and likely will need to budget in more time for development.
There are other benchmarks that give slightly different answers on how much performance is lost. YMMV
Languages performance
Posted Dec 4, 2022 5:22 UTC (Sun) by NYKevin (subscriber, #129325) [Link]
This may be true. Beware of people making stronger statements than that. It is inherently difficult to empirically validate general claims about development time or effort. This is because of a combination of the Hawthorne effect (when people know they are being studied, they work harder), and various software-specific issues identified by Fred Brooks, most importantly the non-fungibility of developers and software projects.
Rust might be slower than other languages, ceteris paribus, or it might not, but real life is not ceteris paribus, and other confounding variables should also be considered. Use the language that best fits your requirements.
Languages performance
Posted Dec 4, 2022 7:22 UTC (Sun) by stephen.pollei (subscriber, #125364) [Link]
Yes, I'm conjecturing based on limited data. Using Rust at a startup: A cautionary tale by Matt Welsh and a few second-hand sources. Rust seems like an interesting language and I'm very ignorant about what it is like to actually use it. Even if it is slower to develop in and remains slower for certain projects, it still might make a lot of sense for many projects. Things certainly are not ceteris paribus; As developers gain experience with this new language, libraries and documentation mature then it will be a more even test.
Languages performance
Posted Dec 5, 2022 18:03 UTC (Mon) by mathstuf (subscriber, #69389) [Link]
- Rust is faster out of the gate (cargo beats autoconf, meson, CMake, etc. at getting the basics in order).
- C and C++ allow for quicker initial iteration because the compiler lets you get away with stuff while Rust requests more up-front design work.
- Once established (MVP or similar), the Rust project is likely to be faster as there is not a gamut of instrumented CI builds to wait on for every MR (to paper over gaps the compiler can't notify about).
- Maintenance is *way* better in Rust because I'm not tracking down memory problems in `gdb` or `valgrind` and instead dealing with (usually) structured errors and messages instead of random memory corruption.
So where Rust falls behind is a place that would help C and C++ projects *anyways* if it were done: a little more planning ahead about the overall terrain the project will apply to.
Languages performance
Posted Dec 4, 2022 7:47 UTC (Sun) by d4no0 (guest, #115694) [Link]
Languages performance
Posted Dec 4, 2022 13:14 UTC (Sun) by tialaramex (subscriber, #21167) [Link]
On the other hand Rust might very well be the correct choice to write a replacement for Apache httpd / nginx / IIS / etc. which are what I think about as a web server.
Languages performance
Posted Dec 4, 2022 20:29 UTC (Sun) by stephen.pollei (subscriber, #125364) [Link]
Yes, I read recently that CloudFlare is replacing many uses of nginx with something they are writing in rust.How we built Pingora, the proxy that connects Cloudflare to the Internet ; Cloudflare is moving away from NGINX | The Backend Engineering Show .
CloudFlare claims, "Having a developer friendly interface engineers are familiar with while eliminating the previous constraints allows us to develop more features, more quickly." . This is different than the other project that I referred to. They also seem to claim that it allowed them to do better multiprocessor optimizations realistically and thus be more performant in practice than other languages. It seems like there are a lot of interesting project happening with rust
Languages performance
Posted Dec 5, 2022 6:01 UTC (Mon) by ssmith32 (subscriber, #72404) [Link]
Hotspot claims notwithstanding, interpretation imposes a noticeable overhead, and GC, even the latest ones in java 17, still gets you with tail latencies. And in k8s, I've even seen the overhead from java running (relatively speaking) like molasses until most of the classes are loaded, impact how you provision autoscaling.
If it's two different engineers, with different skills (particularly if the first is gone, and the new one has less experience in the given domain), then, yeah, making a blanket statement like "rust will be faster" is questionable.
As far as maintainable, yeah, it's a curate's egg, that one. I love the Rust language, the language itself is reasonably mature, but the existing libraries / frameworks for web serving are very immature.
I like Java (although people abusing Optionals and Streams is getting tiresome, basically autocomplete encourages people to stop making methods, and just chain a bunch of fugly lambdas together, and Spring *sigh* I use it, but *sigh*, known bad practices, per the Spring engineers, are still endemic to Spring code), but the frameworks & libs are better than what Rust has.
Javascript is alright. Particularly in terms of ExpressJS being at pretty much the perfect level of abstraction for how I think. But even with async / await, callback hell persists. And nodejs can have impressive performance.. until it doesn't, and it's still overhead you won't have in Rust.
So, without context, if someone says "Rust will be faster".. hey, they might be right.
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 5, 2022 15:31 UTC (Mon) by rgmoore (✭ supporter ✭, #75) [Link]
I think this is a crazy attitude. There are plenty of applications where performance is absolutely not everything, especially on mobile platforms that are the topic of the original blog post. It makes no sense at all to program in a low-level, memory unsafe language like C or C++ if the program is doing something so simple it can work fast enough using a memory safe language, or if it will limited by network latency even if written in something slower but safer.
Memory Safe Languages in Android 13 (Google security blog)
Posted Dec 5, 2022 19:38 UTC (Mon) by pawel44 (guest, #162008) [Link]