Re: [dev-servo] State of Servo

2012-07-11 Thread Brendan Eich
Robert O'Callahan wrote: On Thu, Jul 12, 2012 at 4:44 PM, Brendan Eich wrote: I'm more concerned about runtime bugs -- the usual free memory read during a virtual call. Rust will have vtbls, IIRC, and it takes only one rooting or refcounting bug to enabl

Re: [dev-servo] State of Servo

2012-07-11 Thread Brendan Eich
Brendan Eich wrote: Google Native Client [2] is a leading CFI-enforcing compiler and runtime system. Anyone know of better? MSR had Xax [3] but it seems defunct. devd (Devdatta Akhawe, whom I had not met yet) on #developers corrected me: NaCl does SFI, not CFI. SFI goes way back, R. Wahbe,

Re: [dev-servo] State of Servo

2012-07-11 Thread Robert O'Callahan
On Thu, Jul 12, 2012 at 4:44 PM, Brendan Eich wrote: > I'm more concerned about runtime bugs -- the usual free memory read during > a virtual call. Rust will have vtbls, IIRC, and it takes only one rooting > or refcounting bug to enable an attacker to reclaim the live object's vtbl. > At least, t

Re: [dev-servo] State of Servo

2012-07-11 Thread Brendan Eich
Robert O'Callahan wrote: On Thu, Jul 12, 2012 at 7:08 AM, Brendan Eich wrote: Unsafe native code is one issue, but bugs in the smaller TCB of the Rust compiler and runtime that compromise CFI could still be exploited, fully in our experience in Firefox a

Re: [dev-servo] State of Servo

2012-07-11 Thread Robert O'Callahan
On Thu, Jul 12, 2012 at 7:08 AM, Brendan Eich wrote: > Unsafe native code is one issue, but bugs in the smaller TCB of the Rust > compiler and runtime that compromise CFI could still be exploited, fully in > our experience in Firefox and other Gecko/SpiderMonkey-based apps. > > So I wonder whethe
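The attack Brendan describes above (one rooting or refcounting bug frees an object with a vtable, the attacker reclaims the slot, and the next virtual call dispatches through an attacker-chosen vtable) and the CFI mitigation the later messages discuss, as an added illustration that is not code from the thread, from Servo or from Rust. It uses a hand-rolled vtable in C and a toy LIFO slab allocator so that the freed slot is deterministically handed back to the next same-size allocation; the "CFI" check is the simplest possible form (the vtable pointer must be one the program defines), standing in for what a real CFI runtime would enforce at every indirect call. All names here are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hand-rolled dynamic dispatch: an object whose first word is a vtable
 * pointer, as a C++ object or a Rust trait object is laid out. */
typedef struct Object Object;
typedef struct VTable { int (*method)(Object *self); } VTable;
struct Object { const VTable *vt; int payload; };

static int benign_method(Object *self) { return self->payload; }
/* Stands in for attacker-controlled code reached via the fake vtable. */
static int attacker_method(Object *self) { (void)self; return -1; }

static const VTable benign_vt   = { benign_method };
static const VTable attacker_vt = { attacker_method };

/* Toy slab allocator (assumption): one size class, LIFO free list, so a
 * freed slot comes back to the very next same-size allocation. */
#define NSLOTS 4
static Object slab[NSLOTS];
static Object *free_list[NSLOTS];
static int nfree = 0, next_fresh = 0;

static void    slab_reset(void) { nfree = 0; next_fresh = 0; }
static Object *slab_alloc(void) {
    if (nfree > 0) return free_list[--nfree];
    if (next_fresh < NSLOTS) return &slab[next_fresh++];
    return NULL;
}
static void slab_free(Object *p) { free_list[nfree++] = p; }

/* Plain indirect call: what a compiler emits with no CFI. */
static int call_unchecked(Object *o) { return o->vt->method(o); }

/* CFI-style call: refuse to dispatch through a vtable the program never
 * defined. A real CFI runtime would abort here instead of returning. */
static int call_checked(Object *o) {
    if (o->vt != &benign_vt) return -2;
    return o->vt->method(o);
}

typedef struct { int unchecked; int checked; } Result;

/* The scenario from the thread: the object is freed while a reference to
 * it survives, the attacker reclaims the slot and overwrites its first
 * word, and the stale reference is then used for a virtual call. */
static Result run_uaf(void) {
    slab_reset();
    Object *o = slab_alloc();
    o->vt = &benign_vt;
    o->payload = 42;
    Object *dangling = o;
    slab_free(o);                              /* the bug: o is still referenced */

    Object *reclaimed = slab_alloc();          /* same slot handed back */
    const VTable *fake = &attacker_vt;
    memcpy(reclaimed, &fake, sizeof fake);     /* attacker bytes: fake vtable pointer */

    Result r;
    r.unchecked = call_unchecked(dangling);    /* -1: attacker_method ran */
    r.checked   = call_checked(dangling);      /* -2: dispatch refused */
    return r;
}

int main(void) {
    Result r = run_uaf();
    printf("unchecked=%d checked=%d\n", r.unchecked, r.checked);
    return 0;
}
```

The unchecked path shows why a single dangling reference is enough: nothing about the object's bytes is trusted, so the vtable pointer is just another word the attacker can reclaim. The checked path is the kind of control-flow restriction the thread means by CFI (indirect transfers limited to legitimate targets), which is distinct from the memory sandboxing that NaCl's SFI provides and which, as Brendan notes, is only as strong as the compiler and runtime that emit and enforce the check.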

Re: [dev-servo] State of Servo

2012-07-11 Thread Brendan Eich
Patrick Walton wrote: On 7/11/12 10:09 AM, Ian Melven wrote: Also, in general, I'm pretty curious about Servo's process model and its security architecture, maybe that's best discussed in a new thread though (I really need to take some time to understand Rust better as well). My particular inte

Re: [dev-servo] State of Servo

2012-07-11 Thread Patrick Walton
On 7/11/12 10:09 AM, Ian Melven wrote: Also, in general, I'm pretty curious about Servo's process model and its security architecture, maybe that's best discussed in a new thread though (I really need to take some time to understand Rust better as well). My particular interest is in how Servo

Re: [dev-servo] State of Servo

2012-07-11 Thread Ian Melven
Hi, just joined the list and making a small note in reply to this thread: On Wednesday, June 27, 2012 7:19:13 PM UTC-7, Boris Zbarsky wrote: > On 6/27/12 6:49 PM, Robert O'Callahan wrote: >> and CSP can't actually dynamically change the origin of a >> document, can they? If they can we'd bet