On Thu, Jul 12, 2012 at 4:44 PM, Brendan Eich <bren...@mozilla.com> wrote:

> I'm more concerned about runtime bugs -- the usual free memory read during
> a virtual call. Rust will have vtbls, IIRC, and it takes only one rooting
> or refcounting bug to enable an attacker to reclaim the live object's vtbl.
> At least, this has been the bane of browsers' existence for over seven
> years.


That's fair. In Midori, Microsoft formally verified the GC, but CFI may have
better cost/benefit. (Lower benefit, lower or at least different costs.)


>> I don't think adding levels of sandboxing or verification to Servo will
>> be important anytime soon, though. Those are orthogonal problems that are
>> only worth solving once we have a browser engine worth defending, and can
>> be readily solved at that point.
>>
>
> The topic already came up, and the NaCl issue was filed. I honestly don't
> know when we should get into this level of Servo security, but "adding
> Security later" is an anti-pattern. I don't believe we can use NaCl
> targeting Pepper in Servo, for instance. Seems worth a discussion up front,
> even if we defer.
>

You could use NaCl without the Pepper baggage.

Is there any reason to believe that a CFI scheme for C++ could fail to work
for Rust?

Rob
-- 
“You have heard that it was said, ‘Love your neighbor and hate your enemy.’
But I tell you, love your enemies and pray for those who persecute you,
that you may be children of your Father in heaven. ... If you love those
who love you, what reward will you get? Are not even the tax collectors
doing that? And if you greet only your own people, what are you doing more
than others?” [Matthew 5:43-47]
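The vtable-reuse hazard and the CFI check discussed in this exchange, as an added illustration in C that is not from the thread or from Servo: a hypothetical `Shape` type whose first word is its vtable pointer, a hand-rolled allowlist of known vtables standing in for compiler-inserted forward-edge CFI, and a checked dispatch that refuses to call through a vtable pointer that has been overwritten with unrelated data (the overwrite is done in place, as a constructed stand-in for a freed-then-reclaimed object, so the behaviour is deterministic).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical object layout: first word is the vtable pointer, as in C++ or Rust trait objects. */
typedef struct Shape Shape;
typedef struct { double (*area)(const Shape *); } ShapeVtbl;
struct Shape { const ShapeVtbl *vtbl; double a, b; };

static double rect_area(const Shape *s)   { return s->a * s->b; }
static double circle_area(const Shape *s) { return 3.141592653589793 * s->a * s->a; }
static const ShapeVtbl RECT_VTBL   = { rect_area };
static const ShapeVtbl CIRCLE_VTBL = { circle_area };

/* Forward-edge CFI, hand-rolled: the only vtables a Shape call site may dispatch through. */
static const ShapeVtbl *const SHAPE_VTBLS[] = { &RECT_VTBL, &CIRCLE_VTBL };

static int cfi_check_shape_vtbl(const ShapeVtbl *v) {
    for (size_t i = 0; i < sizeof SHAPE_VTBLS / sizeof SHAPE_VTBLS[0]; i++)
        if (SHAPE_VTBLS[i] == v) return 1;
    return 0;
}

/* Checked virtual call: refuses to dispatch (returns 0) when the vtable pointer is unknown.
   A compiler-inserted CFI check would abort the process here instead of returning. */
static int shape_area_checked(const Shape *s, double *out) {
    if (!cfi_check_shape_vtbl(s->vtbl)) return 0;
    *out = s->vtbl->area(s);
    return 1;
}

/* Constructed stand-in for a freed-then-reclaimed slot: unrelated data that now occupies
   the memory a stale pointer still treats as a Shape. We overwrite the vtable word in place
   rather than performing a real use-after-free so the demonstration is deterministic. */
static const uintptr_t RECLAIMED_SLOT[2] = { 0, 0 };

static int demo_stale_object_is_rejected(void) {
    Shape obj = { &RECT_VTBL, 2.0, 3.0 };
    double area;
    if (!shape_area_checked(&obj, &area) || area != 6.0) return 0;  /* live object: fine */
    const ShapeVtbl *bogus = (const ShapeVtbl *)RECLAIMED_SLOT;
    memcpy(&obj, &bogus, sizeof bogus);          /* vtable word now points into reclaimed data */
    return shape_area_checked(&obj, &area) == 0; /* unchecked code would jump through garbage */
}

int main(void) {
    printf("stale object rejected by CFI check: %s\n", demo_stale_object_is_rejected() ? "yes" : "no");
    return 0;
}
```

The same allowlist check is what a CFI scheme for C++ enforces at every virtual call site, and nothing in it depends on the source language, which is the point of Rob's question about Rust.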
_______________________________________________
dev-servo mailing list
dev-servo@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-servo