top | item 39131076

tob_scott_a | 2 years ago

> Carcinize existing C and C++ X.509 users.

This could be game-changing for a lot of open source software.

I spent years avoiding X.509 (and ASN.1, for that matter) in my designs because every time someone I trust poked it, a remotely exploitable bug fell out. Most often, it was a Denial of Service issue rather than Remote Code Execution. Moving to Rust would demonstrably improve the security of the entire Internet.

You might be tempted to ask, "What about BouncyCastle?" (or similar queries).

Sure, you're not overwriting the EIP in most Java X.509 bugs, but check the release notes for X.509 and ASN.1 mentions: https://www.bouncycastle.org/releasenotes.html

When I worked for Amazon, we disclosed a few X.509-related vulnerabilities to projects that we almost found by accident.

blibble | 2 years ago

how would rust fix most of those issues?

they're logic bugs

woodruffw | 2 years ago

The "classic" example of this is enums as sum types, rather than a thin wrapper over an integral type: Rust makes it possible to construct an invalid enum variant, whereas plenty of C logic bugs stem from taking untrusted user input and converting it into an enum variant.

My understanding is that Java doesn't allow this directly, but has adjacent historical deficiencies (e.g., not allowing exhaustive enumeration handling until recently).
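
An added example of the enum point above (my own code, not from the thread or from any project it mentions). The tag subset, the names `Tag`, `ParseError`, `is_constructed` and `classify_all`, and the sample bytes are all constructed for illustration; the C fragment in the leading comment is shown only for contrast and is not compiled.

```rust
// Added example, not code from the thread: converting an untrusted byte into an enum.
//
// C counterpart (for contrast only, not compiled here):
//     enum tag { TAG_BOOLEAN = 1, TAG_INTEGER = 2, TAG_SEQUENCE = 0x30 };
//     enum tag t = (enum tag)untrusted_byte;   /* 0x7f is now a "valid" enum tag */
//     switch (t) { case TAG_BOOLEAN: ... }     /* no arm matches; silently skipped */
//
// Rust's `Tag` has exactly the listed variants, so the only way from `u8` to `Tag`
// is a fallible conversion, and a `match` on `Tag` must cover every variant.

use std::convert::TryFrom;

/// A constructed subset of ASN.1 universal tags (enough for the example).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
#[repr(u8)]
pub enum Tag {
    Boolean = 0x01,
    Integer = 0x02,
    OctetString = 0x04,
    Null = 0x05,
    ObjectIdentifier = 0x06,
    Sequence = 0x30,
    Set = 0x31,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ParseError {
    /// The byte is not one of the tags this parser understands.
    UnknownTag(u8),
}

impl TryFrom<u8> for Tag {
    type Error = ParseError;

    fn try_from(b: u8) -> Result<Self, Self::Error> {
        Ok(match b {
            0x01 => Tag::Boolean,
            0x02 => Tag::Integer,
            0x04 => Tag::OctetString,
            0x05 => Tag::Null,
            0x06 => Tag::ObjectIdentifier,
            0x30 => Tag::Sequence,
            0x31 => Tag::Set,
            // Anything else never becomes a `Tag`; the caller must handle the error.
            other => return Err(ParseError::UnknownTag(other)),
        })
    }
}

/// Whether the tag denotes a constructed (nested) encoding. The match is exhaustive:
/// adding a variant to `Tag` without updating this function is a compile error,
/// and there is no out-of-range value that could silently reach a wrong arm.
pub fn is_constructed(tag: Tag) -> bool {
    match tag {
        Tag::Sequence | Tag::Set => true,
        Tag::Boolean | Tag::Integer | Tag::OctetString | Tag::Null | Tag::ObjectIdentifier => false,
    }
}

/// Classify every byte of an untrusted input, stopping at the first byte that is
/// not a known tag instead of carrying a bogus enum value forward.
pub fn classify_all(bytes: &[u8]) -> Result<Vec<(Tag, bool)>, ParseError> {
    bytes
        .iter()
        .map(|&b| Tag::try_from(b).map(|t| (t, is_constructed(t))))
        .collect()
}

fn main() {
    // Constructed sample inputs: one well-formed, one containing an unknown tag byte.
    println!("{:?}", classify_all(&[0x30, 0x02, 0x05]));
    println!("{:?}", classify_all(&[0x30, 0x7f, 0x02]));
}
```

The second `classify_all` call is the interesting one: the unknown byte becomes an `Err` at the conversion boundary, rather than a value that every later `match` has to remember to reject.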

tob_scott_a | 2 years ago

woodruffw already wrote an excellent comment for this question: https://news.ycombinator.com/item?id=39131723

Rust isn't just memory-safety. The type system also coaxes developers towards eliminating some types of logic bugs.

Not all, granted, but it does move the needle.

otabdeveloper4 | 2 years ago

> Moving to Rust would ...

... do absolutely nothing to fix denial of service attacks.

woodruffw | 2 years ago

I don't think this is true. Rust cannot prevent all possible forms of denial of service, but there are plenty of underlying DoS causes that Rust either outright eliminates (such as memory corruption without further control) or mitigates through stronger types.

A recent example of this is CVE-2024-0567 in GnuTLS: an invariant that otherwise would likely have been noticed at the type level is instead checked with an assert, leading to a remotely triggerable DoS.
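
An added example of the "assert versus type-level invariant" distinction in the comment above. This is my own illustration, not code from the thread and not a reconstruction of the GnuTLS bug; the invariant chosen ("a declared DER length must fit in the remaining buffer"), the names `Tlv`, `Malformed`, `value_asserting` and `asserting_parser_panics`, and the sample bytes are all constructed. It handles short-form lengths only, as a deliberate simplification.

```rust
// Added example, not code from the thread: the same invariant enforced two ways.
// Hypothetical names throughout; short-form DER lengths only.

use std::panic::{catch_unwind, AssertUnwindSafe};

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Malformed {
    Truncated,
    LongFormLengthUnsupported,
    LengthOverrun { declared: usize, available: usize },
}

/// Style 1 (assert): the invariant is an assertion inside the consumer. Feed it
/// attacker-controlled input and the process goes down (abort in C, panic here;
/// in a threaded Rust server, at best the worker thread). Nothing in the signature
/// tells a caller that a check is required.
pub fn value_asserting(input: &[u8]) -> &[u8] {
    assert!(input.len() >= 2, "truncated header");
    let len = input[1] as usize;
    assert!(len <= input.len() - 2, "declared length overruns buffer");
    &input[2..2 + len]
}

/// Style 2 (type): the invariant is established once, in a fallible constructor,
/// and then carried by the type. A `Tlv` cannot exist unless its value slice was
/// within bounds, so `Tlv::value` needs no check and has no panic path.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Tlv<'a> {
    tag: u8,
    value: &'a [u8],
}

impl<'a> Tlv<'a> {
    pub fn parse(input: &'a [u8]) -> Result<Tlv<'a>, Malformed> {
        let (&tag, rest) = input.split_first().ok_or(Malformed::Truncated)?;
        let (&len_byte, rest) = rest.split_first().ok_or(Malformed::Truncated)?;
        if len_byte >= 0x80 {
            // Long-form lengths are out of scope for this example.
            return Err(Malformed::LongFormLengthUnsupported);
        }
        let len = len_byte as usize;
        if len > rest.len() {
            // The malformed input is reported to the caller, not asserted on.
            return Err(Malformed::LengthOverrun { declared: len, available: rest.len() });
        }
        Ok(Tlv { tag, value: &rest[..len] })
    }

    pub fn tag(&self) -> u8 {
        self.tag
    }

    /// Infallible by construction: the bounds were proven in `parse`.
    pub fn value(&self) -> &'a [u8] {
        self.value
    }
}

/// Run the asserting parser on `input` and report whether it panicked, which is
/// what a remote client would observe as a dropped connection or a dead process.
pub fn asserting_parser_panics(input: &[u8]) -> bool {
    catch_unwind(AssertUnwindSafe(|| value_asserting(input).len())).is_err()
}

fn main() {
    // Constructed inputs: a well-formed OCTET STRING and one whose declared
    // length (16) overruns the single value byte that is actually present.
    let good = [0x04, 0x02, 0xAA, 0xBB];
    let bad = [0x04, 0x10, 0xAA];
    println!("typed, good: {:?}", Tlv::parse(&good));
    println!("typed, bad:  {:?}", Tlv::parse(&bad));
    println!("asserting parser panics on bad input: {}", asserting_parser_panics(&bad));
}
```

The difference worth noticing is not the check itself, which is the same comparison in both styles, but where it lives: in style 2 the compiler forces every path that wants a value through `Tlv::parse`, so a forgotten check becomes a type error rather than a remote crash.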

bagels | 2 years ago

Exploiting a memory safety crash, leading to a downed service, is the first class of DOS that Rust can help with.

saurik | 2 years ago

Nor the other myriad of logic and parsing bugs that led to incorrect behavior (more than just denial of service) in the Java library that was somehow not as good as Rust :/.

tob_scott_a | 2 years ago

By itself? No.

The other details covered in the blog post, however, would absolutely do something to fix denial of service attacks.

To wit: x509-limbo