----- Original Message -----
> On Thu, Jul 12, 2012 at 4:44 PM, Brendan Eich <bren...@mozilla.com> wrote:
>
> > I'm more concerned about runtime bugs -- the usual free memory read during a virtual call. Rust will have vtbls, IIRC, and it takes only one rooting or refcounting bug to enable an attacker to reclaim the live object's vtbl.
> > At least, this has been the bane of browsers' existence for over seven years.
>
> That's fair. In Midori Microsoft formally verified the GC, but CFI may have better cost/benefit. (Lower benefit, lower or at least different costs.)
The part of MS's Singularity work that most closely corresponds to SFI/CFI is their use of a type-preserving compiler for C# [1]. This, combined with a formal verification of their garbage collector, gives them strong guarantees about the entire system. It is, of course, also possible to assume that the GC matches some particular specification and go from there, so dying on the hill of GC verification is not required. Rooting is included in this specification of mutator behavior.

Type-preserving compilers are pretty great, because you can spot a large number of compiler bugs without even running the program you've compiled, but due to the very new nature of Rust and the use of LLVM as the backend it seems unsuitable for Rust.

Andrew

[1] Type-Preserving Compilation for Large-Scale Optimizing Object-Oriented Compilers. Juan Chen, Chris Hawblitzel, Frances Perry, Mike Emmi, Jeremy Condit, Derrick Coetzee, and Polyvios Pratikakis. http://research.microsoft.com/apps/pubs/default.aspx?id=63653

_______________________________________________
dev-servo mailing list
dev-servo@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-servo