Comment by tptacek
5 years ago
We have 30 years of experience showing that ordinary heap overflows are not in fact easy to spot in code review, security review, security audits, and fuzzing. Each of those modalities eliminates a slice of the problem, and some of them --- manual review modalities --- will remove different slices every time they're applied; different test team, different bugs.
To me, this strongly suggests that the problem is in fact memory-unsafe languages, and not general engineering practices.
Apple, by the way, has all the things you're talking about in place, and in spades.
I agree that the problem is memory-unsafe languages.
You can improve the tools, or you can improve the human, and nobody has managed to improve the human despite decades of trying.
OTOH, we don't really have evidence to show that memory safety is effective in kernels/drivers because no memory safe language has ever been deployed at scale for that purpose.
The way I look at it is that relying exclusively on manual review is at best the same as relying on both manual review and a memory safe language.
In practice, the best case and average case rarely line up.
You don't have to manually review for classes of vulnerability that your programming environment forecloses on.
Good point - all the more reason to use a memory safe language!
> the problem is in fact memory-unsafe languages, and not general engineering practices.
Languages don't introduce bugs by themselves. Engineers produced those bugs.
I always thought that bugs are the programmers' fault, and not to blame the language. It's like blaming the English language because it allows you to misuse it and manufacture very offensive racial slurs, or to be rude and cruel, and thus we should replace it with another language that doesn't allow you to exploit these weaknesses. We won't be able to express ourselves with beautifully (low-level) crafted poems anymore, but that's the price to pay.
There are inherent features of human languages that force you into weird issues. English for example has gender pronouns and that's why you see in profiles how you should approach someone. It's not like they want to add it, it's that they have to if it bothers them when people misuse them.
In Hungarian we don't have this problem at all, there's no concept of gender specific pronouns.