What If We Pretended Unsafe Code Was Nice, And Then It Was?
Aria Beingessner

- programs need memory
- using memory is “bad”
- make allocations abstract and first-class
- compilers make memory go away
- programmers do cute memory tricks
- compilers make programmers go away
- you (pointer) love puzzles (state)
- make a puzzle solving club (allocation)!
- clubs need to have a treehouse (memory)!!



memory is slow

things can’t be done in-memory


- climb up
- grab two pieces
- climb down
- check for match
- climb up…

BAD


- why keep the puzzle up there?
- take the puzzle home
- put it back when done?
- screw the treehouse! (skip allocation)


- harder puzzles
- bring a friend!

- same house
- (same function)
- no prob


- HARDer puzzles
ringer(&mut Puzz)

- take turns
- can still cache
- writeback before


- might caulk our puzzle!!!
- (memory corruption)
- need SECURITY
- how?

- guard the club
- members only
- who’s a member?
- whoever a member invites!
- (provenance!!!)
- …but no friends
- …so just clones

- do we hire a guard?
- (dynamic checking)
- assume a guard?
- (static optimization)

- crimes are real
- want to catch bugs
- want to secure system
- Miri (software)
- CHERI (hardware)

- you can’t commit crimes, that’s illegal!
- guards are expensive!
- optimizations!!!
- rustc, swiftc, clang, gcc, …

- tracking clones is hard!
- what happens when clones escape?
- who is this mysterious stranger!?

- function-local
- easy to escape
- can see it happen (exposing)
- assume the worst

- strangers!
- can also see them happen
- assume they are biohazard clones
- BIOHAZARD MEGACLUB
- back to naive

- whole program, dynamic
- pointers hold ids
- ids checked on access
- no escaping!

- whole program(???), dynamic
- pointers hold ids
- ids checked on access
- no escaping(???)

- whole RUST code, dynamic
- pointers hold ids
- ids checked on access IN RUST
- FFI escaping!

- native incompatible
- can shim known APIs
- will crash in general!

- CONQUER WORLD
- I am become native
- no escape
- perfect tracking!!!
- …except time travel


- no one left in the club
- free that allocation!
- tree grows back
- (and catches fire)
- is this the same club?
- can old clones enter?
- NO!!!!!!
- (USE AFTER FREE)

- spatial (address)
- temporal (allocation)
- fractal??
- processes! allocators! borrows!
- kernel => malloc => slice => subslice
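The "hire a guard" idea from the dynamic-checking slides (pointers hold ids, ids checked on access) together with the spatial/temporal split above, modeled as an added Rust example. This is a toy written for this page, not Miri's or CHERI's real machinery; the names TrackedPtr, Memory and AccessError are invented, and the scenario (an 8-byte allocation, a free, and an allocation that reuses the same address) is constructed for the demo.

```rust
use std::collections::HashMap;

/// A "club member": an address plus the id of the allocation that vouched for it.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
struct TrackedPtr {
    alloc_id: u64,
    addr: usize,
}

impl TrackedPtr {
    /// Pointer arithmetic copies membership: the clone keeps the allocation id.
    fn offset(self, n: usize) -> TrackedPtr {
        TrackedPtr { alloc_id: self.alloc_id, addr: self.addr + n }
    }
}

#[derive(Debug, PartialEq, Eq)]
enum AccessError {
    Spatial,  // address outside the allocation this id belongs to
    Temporal, // allocation id no longer live (use after free)
}

/// The guard: a toy address space where every access is checked against the id table.
struct Memory {
    next_id: u64,
    next_addr: usize,
    live: HashMap<u64, (usize, usize)>, // id -> (base, size)
    free_list: Vec<(usize, usize)>,     // (base, size) ranges available for reuse
    bytes: HashMap<usize, u8>,
}

impl Memory {
    fn new() -> Self {
        Memory { next_id: 1, next_addr: 0x1000, live: HashMap::new(), free_list: Vec::new(), bytes: HashMap::new() }
    }

    /// Hand out a fresh id even when the address range is recycled ("tree grows back").
    fn alloc(&mut self, size: usize) -> TrackedPtr {
        let base = match self.free_list.iter().position(|&(_, s)| s == size) {
            Some(i) => self.free_list.remove(i).0,
            None => { let b = self.next_addr; self.next_addr += size; b }
        };
        let id = self.next_id;
        self.next_id += 1;
        self.live.insert(id, (base, size));
        TrackedPtr { alloc_id: id, addr: base }
    }

    /// Temporal check first (is the club still there?), then spatial (is this address inside it?).
    fn check(&self, p: TrackedPtr) -> Result<(), AccessError> {
        let &(base, size) = self.live.get(&p.alloc_id).ok_or(AccessError::Temporal)?;
        if p.addr >= base && p.addr < base + size { Ok(()) } else { Err(AccessError::Spatial) }
    }

    fn read(&self, p: TrackedPtr) -> Result<u8, AccessError> {
        self.check(p)?;
        Ok(*self.bytes.get(&p.addr).unwrap_or(&0))
    }

    fn write(&mut self, p: TrackedPtr, v: u8) -> Result<(), AccessError> {
        self.check(p)?;
        self.bytes.insert(p.addr, v);
        Ok(())
    }

    /// Freeing retires the id and scrubs the bytes; the address range goes back on the free list.
    fn free(&mut self, p: TrackedPtr) -> Result<(), AccessError> {
        let (base, size) = self.live.remove(&p.alloc_id).ok_or(AccessError::Temporal)?;
        if p.addr != base {
            self.live.insert(p.alloc_id, (base, size));
            return Err(AccessError::Spatial);
        }
        for a in base..base + size { self.bytes.remove(&a); }
        self.free_list.push((base, size));
        Ok(())
    }
}

/// Constructed scenario: returns (in-bounds read, out-of-bounds read, address reused?, stale read, fresh read).
fn scenario() -> (Result<u8, AccessError>, Result<u8, AccessError>, bool, Result<u8, AccessError>, Result<u8, AccessError>) {
    let mut mem = Memory::new();
    let p = mem.alloc(8);
    mem.write(p, 0x41).unwrap();
    let in_bounds = mem.read(p.offset(7));     // last byte of the allocation: Ok(0)
    let out_of_bounds = mem.read(p.offset(8)); // one past the end: Err(Spatial)
    mem.free(p).unwrap();
    let q = mem.alloc(8);                      // same address comes back, but with a new id
    let same_addr = q.addr == p.addr;
    let stale = mem.read(p);                   // old clone at the new club: Err(Temporal)
    let fresh = mem.read(q);                   // new member, same address: Ok(0)
    (in_bounds, out_of_bounds, same_addr, stale, fresh)
}

fn main() {
    println!("{:?}", scenario());
}
```

The point of the scenario is the last two reads: the old pointer and the new one carry the same address, so an address-only check (the "naive" or "biohazard megaclub" model) would let the stale pointer through, while the id check rejects it as a use after free.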




- become energy (integer)
- become flesh
- still have membership?
- how would we know??

- mostly spatial
- biohazard protocols
ptr -> int
exposes
int -> ptr
exposed
- llvm doesn’t do this properly 😭

- what int is it?
- address?
- bits of pointer?
- what membership does it get?

- model address exposing?
- hittest exposed addresses?
- use-after-free-via-transcendence!
- CHERI pointers have more bits!


- member vouches
- copy membership
- proves you knew where you were
- require sponsorship!
- that’s it!
- old stuff works the same
- new stuff more precise
- BAD:
addr as *const T
- GOOD:
sponsor_ptr.with_addr(addr)
- BAD:
ptr as usize
- GOOD:
ptr.expose_addr()
- GREAT:
ptr.addr()
- UNCLEAR:
some_int as *const T
- HONEST:
ptr::invalid(addr)
- HONEST:
ptr::from_exposed_addr(addr)
ptr.is_aligned()
ptr.is_aligned_to(align)
ptr.byte_offset(offset)
AtomicPtr::fetch_or(mask)
- (names above are from the original strict_provenance proposal; in the API stabilized in Rust 1.84, expose_addr became expose_provenance, from_exposed_addr became with_exposed_provenance, and ptr::invalid became ptr::without_provenance; addr, with_addr and map_addr kept their names)
- sptr: strict provenance ptr polyfill
- docs.rs/sptr
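The BAD/GOOD/GREAT/HONEST table above, put to work on the classic "cute memory trick" of stashing a tag in the low bits of a pointer. This is an added example, not code from the talk or from sptr; it uses the strict provenance API as stabilized in std in Rust 1.84 (the talk's expose_addr, from_exposed_addr and ptr::invalid are expose_provenance, with_exposed_provenance and without_provenance there), and the function names tag_ptr, untag_ptr, roundtrip_strict, roundtrip_exposed and sentinel are this example's own.

```rust
// Added example (not from the talk): tagging the low bits of a pointer without
// losing its provenance, using the strict provenance API stabilized in Rust 1.84.
// Pre-stabilization names used in the talk: expose_addr -> expose_provenance,
// from_exposed_addr -> with_exposed_provenance, ptr::invalid -> ptr::without_provenance.
use std::ptr;

/// u64 is 8-byte aligned, so the low three address bits are always zero and free for a tag.
const TAG_MASK: usize = 0b111;

/// GOOD: map_addr changes only the address; the result still belongs to the same allocation.
fn tag_ptr(p: *mut u64, tag: usize) -> *mut u64 {
    assert!(tag <= TAG_MASK, "tag must fit in the alignment bits");
    assert_eq!(p.addr() & TAG_MASK, 0, "pointer must be 8-byte aligned");
    p.map_addr(|a| a | tag)
}

fn untag_ptr(p: *mut u64) -> *mut u64 {
    p.map_addr(|a| a & !TAG_MASK)
}

/// GREAT: addr() reads the integer without exposing the pointer, so nothing "escapes".
fn read_tag(p: *mut u64) -> usize {
    p.addr() & TAG_MASK
}

/// Strict path: the integer travels alone, and a sponsor pointer re-donates membership.
fn roundtrip_strict(sponsor: *mut u64) -> u64 {
    let addr: usize = sponsor.addr();
    let back: *mut u64 = sponsor.with_addr(addr); // GOOD: sponsor_ptr.with_addr(addr)
    // SAFETY: `back` has the sponsor's provenance and address, and the sponsor points at a live u64.
    unsafe { *back }
}

/// Exposed path: when no sponsor is available (FFI, legacy code), say so explicitly.
fn roundtrip_exposed(p: *mut u64) -> u64 {
    let addr: usize = p.expose_provenance();                     // the "biohazard protocol" on ptr -> int
    let back: *mut u64 = ptr::with_exposed_provenance_mut(addr); // HONEST int -> ptr
    // SAFETY: `addr` came from an exposed pointer to a live u64, so it may pick up that provenance.
    unsafe { *back }
}

/// HONEST: an integer that was never a pointer gets no provenance and must never be dereferenced.
fn sentinel() -> *mut u64 {
    ptr::without_provenance_mut::<u64>(8)
}

/// Runs the round trip on a heap u64; returns (tag, value via untag, strict, exposed, sentinel aligned?).
fn demo() -> (usize, u64, u64, u64, bool) {
    let raw: *mut u64 = Box::into_raw(Box::new(0x4142u64));
    let tagged = tag_ptr(raw, 0b101);
    let tag = read_tag(tagged);
    // SAFETY: untag_ptr restores the original address and kept the Box's provenance.
    let via_untag = unsafe { *untag_ptr(tagged) };
    let strict = roundtrip_strict(raw);
    let exposed = roundtrip_exposed(raw);
    let aligned = sentinel().is_aligned();
    // SAFETY: the untagged pointer is exactly what Box::into_raw returned, so ownership can be reclaimed.
    unsafe { drop(Box::from_raw(untag_ptr(tagged))) };
    (tag, via_untag, strict, exposed, aligned)
}

fn main() {
    println!("{:?}", demo());
}
```

The untag step is where provenance matters in practice: rebuilding the pointer as `(tagged.addr() & !TAG_MASK) as *mut u64` would read the same memory natively, but it is the UNCLEAR form from the table, and Miri's -Zmiri-strict-provenance mode rejects that int-to-ptr cast; map_addr keeps the allocation's membership and needs no such cast.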