Replies: 19 comments
-
Hardware support? MPX in Intel SkylakeFrom What is memory safety? - The PL Enthusiast:
Intel MPX - Wikipedia citing "Intel Software Development Emulator". Intel. 2012-06-15:
Intel® Memory Protection Extensions (Intel® MPX) support in the GNU toolchain says it's deprecated, and Wikipedia goes on to say "In practice, there have been too many flaws discovered in the design for it to be useful, and support has been deprecated or removed from most compilers and operating systems." But it still looks interesting, to me. Wikipedia doesn't note the connection to capabilities. I wonder how similar it is to CHERI. |
Beta Was this translation helpful? Give feedback.
-
Executable: 1.5M2.7M for debug
Compiled C: 2,084KB
Dependencies: libc, libpthread onlyThe debug build also has some socket stuff but we no longer use that in production: #2216
strcpyI don't see any guarantee that |
Beta Was this translation helpful? Give feedback.
-
Good! Yes, please move to Agoric.
…On Wed, Jan 20, 2021 at 7:14 AM Dan Connolly ***@***.***> wrote:
@erights <https://github.com/erights> , you asked me how I'd go about
this... the question has been rattling around in my head and it's starting
to take shape... let me know if I should move this under the Agoric org.
during this early brainstorming stage. ...
--
Cheers,
--MarkM
|
Beta Was this translation helpful? Give feedback.
-
for reference, earlier discussions:
|
Beta Was this translation helpful? Give feedback.
-
splint looks somewhat promising... with a few annotations, it might be able to make a pretty good memory-safety argument. The defaults seem incompatible with the current XS idioms, but perhaps that could be addressed easily:
found while looking for CCured via SO clue. SAFECodeSAFECode: Enforcing Alias Analysis for Weakly Typed Languages https://news.ycombinator.com/item?id=17143237 [1705.07354] The Meaning of Memory Safety Checked C looks activeChecked C: Making C Safe by Extension - Microsoft Research https://github.com/Microsoft/checkedc 52d7a7f on Dec 18, 2020 https://github.com/Microsoft/checkedc-clang/releases 2020-07-31 2745f7d |
Beta Was this translation helpful? Give feedback.
-
fuzzingI played around with AFL tonight. This looks like the result of some fuzzing too: SEGV at /xs/sources/xsBigInt.c:1182 · Issue #485 · Moddable-OpenSource/moddable looking at other work by the reporter... and from there: p.s. cf https://github.com/wasmerio/wasmer/tree/master/fuzz |
Beta Was this translation helpful? Give feedback.
-
getters and setters vs. static analysis
-- Automated Analysis of Security-Critical JavaScript APIs |
Beta Was this translation helpful? Give feedback.
-
Yes. And JS has changed even more since that article was written. |
Beta Was this translation helpful? Give feedback.
-
to prevent escape from vat:
@erights wondered about in-vat mutual-suspicion boundaries:
p.s. browsing... Formalizing the LLVM Intermediate Representation for Verified Program Transformations setjmp / longjumpSupport for setjmp / longjmp · Issue #2625 · rust-lang/rfcs frama-C doesn't support it. |
Beta Was this translation helpful? Give feedback.
-
esmbc -- Efficient model checking with CI techniquesThis looks like a particularly good match for XS: Continuous Verification of Large Embedded Software using SMT-Based Bounded Model Checking The project is active; the maintainers responded to an issue within a day: esbmc/esbmc#355 (comment) Map2Check -- fuzzing and symbolic executionesbmc contributors overlap with https://github.com/hbgit/Map2Check , which combines fuzzing and symbolic execution. tried the release from late 2019; not promising:
nesCheck -- good performance on subset of Cadding "embedded" to our search terms turns up other interesting work... nesCheck is aimed at a constrained subset of C, but the results are interesting:
|
Beta Was this translation helpful? Give feedback.
-
I'm experimenting with coverity scan: https://scan.coverity.com/projects/dckc-moddable?tab=overview hmm... more involve than my first impression suggested. |
Beta Was this translation helpful? Give feedback.
-
discovered https://github.com/google/oss-fuzz by way of https://twitter.com/LazyFishBarrel today |
Beta Was this translation helpful? Give feedback.
-
https://github.com/trailofbits/manticore , a Symbolic execution tool, can analyze WebAssembly . I wonder if analysis of XS compiled to WASM would be fruitful. |
Beta Was this translation helpful? Give feedback.
-
tangentially related... (i.e. above the xsnap layer... or is it?) @erights writes:
|
Beta Was this translation helpful? Give feedback.
-
Another fuzzing expert is working on XS! Go @rain6851 ! Moddable-OpenSource/moddable#580 cc @erights |
Beta Was this translation helpful? Give feedback.
-
safety, metering via WASM?Crazy idea? Kill two birds with one stone by compiling xsnap to WASM:
|
Beta Was this translation helpful? Give feedback.
-
General information here
|
Beta Was this translation helpful? Give feedback.
-
We considered this option (ty Zaki for the detailed options). WRT metering, that means that the actual metering costs now derive the the entire tool chain of compilation of C to WASM, and the presents as a mysterious mapping to user-specified code. It ensures that nothing escapes the metering, but it would also make it difficult to have select things with custom metering (e.g., if we wanted to charge fixed costs for some class of crypto operations to not penalize multisig). WRT fail-stop memory-safety, we are already in position to have each vat run in a separate process, so WASM adds nothing there. It could conceivably provide stronger safety for multiple-vats within a single process, but for the cost of checking that taller tool chain, we could add other memory safety sanity checks. I would like to see XS or something like it directly in Rust someday :). |
Beta Was this translation helpful? Give feedback.
-
Yes, I thought of that soon after I posted the idea. Any change at the C layer would change metering results. |
Beta Was this translation helpful? Give feedback.
-
@erights , you asked me how I'd go about this... the question has been rattling around in my head and it's starting to take shape... let me know if I should move this under the Agoric org. during this early brainstorming stage.
cc @warner @dtribble @kriskowal
xsBeginHost
and such correctly?dump of open tabs:
types: pointer-types and scalars." -- Prof. Mathias Payer Spring 2017
Beta Was this translation helpful? Give feedback.
All reactions