Robert O'Callahan wrote:

On Thu, Jul 12, 2012 at 4:44 PM, Brendan Eich <bren...@mozilla.com> wrote:

I'm more concerned about runtime bugs -- the usual free memory read during a virtual call. Rust will have vtbls, IIRC, and it takes only one rooting or refcounting bug to enable an attacker to reclaim the live object's vtbl.

Really, reclaim the "live" object and pun its vtbl. In JS before Data Execute Protection (to use Windows jargon) you could even use a JS string allocation to do this, where the string chars contained x86 insns.

At least, this has been the bane of browsers' existence for over seven years.

That's fair. In Midori Microsoft formally verified the GC, but CFI may have better cost/benefit. (Lower benefit, lower or at least different costs.)

I suspect so, unless someone has a verification plan for Rust's GC ;-).

You could use NaCl without the Pepper baggage.

How does this work? NaCl has its own libc and all the usual. I haven't had time to play with it, but in a browser instead of Unix system calls, it bottoms out in Pepper.

Is there any reason to believe that a CFI scheme for C++ could fail to work for Rust?

None that I know of. There could be subtleties.

I'm stirring the pot mainly in case there's interesting research-intern work here (sounds like there may be! I didn't know devd till tonight), and to scout ahead a bit. No rush, though.

/be
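An added example, not from this thread nor from Servo or Rust, modelling the forward-edge CFI check that Brendan and roc weigh against GC verification above: a stale pointer to a freed polymorphic object whose memory has been reused, and a guard that refuses the virtual call because the word where the vptr lives no longer names a known vtable. The class names, the single-slot arena and the guard are constructed for illustration, and the layout assumption (vptr at offset 0) is the Itanium C++ ABI used by gcc and clang.

```cpp
// Toy model of a CFI vcall check (constructed example; real compilers, e.g.
// clang's -fsanitize=cfi-vcall, emit the equivalent vtable-set test inline).
#include <cstdint>
#include <cstring>
#include <new>
#include <set>

struct Node { virtual ~Node() = default; virtual int kind() const = 0; };
struct Text : Node { int kind() const override { return 1; } };
struct Elem : Node { int kind() const override { return 2; } };

// One reusable slot, so the freed object's memory is deterministically reused,
// standing in for the allocator reuse that the attack described above relies on.
alignas(16) static unsigned char g_slot[64];

// Itanium ABI: the vptr is the first pointer-sized word of a polymorphic object.
static std::uintptr_t vptr_of(const void *obj) {
    std::uintptr_t v;
    std::memcpy(&v, obj, sizeof v);
    return v;
}

// The vtables a Node* may legitimately point at; real CFI computes this set at link time.
static const std::set<std::uintptr_t> &valid_node_vtables() {
    static const std::set<std::uintptr_t> s = [] {
        Text t; Elem e;
        return std::set<std::uintptr_t>{vptr_of(&t), vptr_of(&e)};
    }();
    return s;
}

// Guarded virtual call: returns kind(), or -1 if the vptr is not a Node vtable.
static int checked_kind(const Node *n) {
    if (!valid_node_vtables().count(vptr_of(n))) return -1;  // CFI violation, no dispatch
    return n->kind();
}

// Scenario: a refcount bug destroys the node while a stale pointer survives,
// then an unrelated allocation reuses the same bytes.
static int stale_dispatch_result() {
    Node *n = new (g_slot) Text;
    const Node *stale = n;                     // dangling after the premature release below
    n->~Node();
    std::memset(g_slot, 0x41, sizeof g_slot);  // buffer reuse with untrusted content
    return checked_kind(stale);                // -1: the guard stops the call
}

static int live_dispatch_result() {
    Node *n = new (g_slot) Elem;
    int k = checked_kind(n);                   // 2: a genuine Elem passes the check
    n->~Node();
    return k;
}
```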
_______________________________________________
dev-servo mailing list
dev-servo@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-servo