alilleybrinker

davidho, 1 month ago to random

I was at a conference and a speaker dismissed my question by saying that I should check out the work of David Ho. 😵‍💫

cjk, 2 months ago to rust

deleted_by_author

alilleybrinker, 2 months ago to random

The new "xz" supply chain attack has some common patterns:

• Split attack commits into "seed" commit and "activation" commit.
• Compromise trusted user account to make malicious contribution (easier than fooling trusted users as a new contributor, or gaining trust first through non-malicious contributions)
• Include portion of the attack in the release artifact but not the source repo

All of these make detection harder.

alilleybrinker, 2 months ago to random

Thanks @oxidecomputer for pointing me to Nicholas Carlini’s obfuscated C code contest winning submission that uses printf with %n. It’s enlightening to read! https://www.ioccc.org/2020/carlini/index.html

alilleybrinker, 2 months ago to rust

Herb Sutter, chair of the ISO C++ Committee, has a new deep dive on improving safety in C++.

I’m glad to see the C++ leadership taking this seriously. This is a more level-headed and serious take than those I’ve seen previously.

https://herbsutter.com/2024/03/11/safety-in-context/

#rust #rustlang #cpp

janriemer, 3 months ago to random

Today I've almost overslept, because my alarm clock didn't go off.

Wanna know why? Just look at today's date...🤦

#Bug #Bugs #LeapYear

alilleybrinker, 3 months ago to random

All I want is to write software which errors out on leap days saying "ILLEGAL DAY DETECTED. THIS INCIDENT WILL BE REPORTED."

alilleybrinker, 3 months ago to rust

Kneejerk reactions to the White House announcement on memory safety have been to declare "WHITE HOUSE MADE C ILLEGAL" or something similar.

I don't think policymakers expect C or C++ can or should be fully eliminated. There are serious risks associated with rewriting existing code.

Rather, instances of memory unsafe languages will likely have to explain how they mitigate risk with techniques like testing, sandboxing, and formal methods.

#rust #memorysafety

alilleybrinker, 4 months ago to rust

This glibc qsort vulnerability is indicative of Rust's different safety culture vs. C.

The Rustonomicon discusses how unsafe code can never assume safe code behaves correctly. It gives the example of an incorrect Ord implementation and explains how unsafe code MUST be safe even in that case.

In this C code, qsort allows out-of-bounds read if passed a non-transitive comparison function and a large array to sort, exactly the same case.

https://www.openwall.com/lists/oss-security/2024/01/30/7

#rust #rustlang

alilleybrinker, 4 months ago to rust

David Benjamin’s article on the differences between C, C++, and Rust representations of slices raises the issue that it’s unsound to just share the pointer/length pair across C or C++ into Rust.

Good news (I think) is that Rust’s backcompat policy has an exception for soundness fixes. Changing the slice definition for empty slices should, AIUI, actually make more code correct. So hopefully the Rust project is open to it.

https://davidben.net/2024/01/15/empty-slices.html

#rust #rustlang

alilleybrinker, 4 months ago to rust

I really appreciate Rust having a standard way to write docs (rustdoc) and a standard platform for hosting docs for public packages (docs.rs) when I go to an ecosystem without those things #rust #rustlang

kurtseifried, 5 months ago to random

To put it bluntly: barcodes are a miracle and underappreciated.

Software package identifiers are much harder, which is probably why everyone complains about every existing solution to some degree because they are all. in fact. not great. Because it's a really hard problem. Find out with @kurtseifried and @joshbressers on the #osspodcast https://opensourcesecurity.io/2024/01/07/episode-410-package-identifiers-are-really-hard/

TL;DR: CISA did a REALLY Interesting thought experiment about 4 possible outcomes and you should probably read the paper they produced talking about them.

P.S. I wish I could @cisa

alilleybrinker, 5 months ago to rust

pathbuf version 1.0.0 has been released!

This is a simple crate providing a vec-like macro for constructing PathBufs in Rust!

https://docs.rs/pathbuf/latest/pathbuf/

#rust #rustlang

alilleybrinker, 6 months ago to rust

lol, a group of unnamed “C++ senior members with decades [of] experience in ISO C++” filed a response to the federal RFI on open source software security and it is ridiculous.

https://www.regulations.gov/comment/ONCD-2023-0002-0020

#rust #rustlang

sgued, 6 months ago to rust

🦀 #Rust

What does this do?

Vote below 👇!

#Rustlang #RustQuiz

alilleybrinker, 11 months ago to random

Today’s cursed compiler term: sequence point. https://twitter.com/__phantomderp/status/1674460956632526865