Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

adds initial draft of memory safety continuum #20

Merged
merged 9 commits into from
Apr 19, 2024

Conversation

nellshamrell
Copy link
Contributor

This is a very, very early draft (more of an extended outline) exploring the idea of a memory safety continuum. Feedback is most welcome!

@@ -0,0 +1,66 @@
# Memory Safety Continuum
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if this should merge into the definitions.md, since it extends upon the notions in that and that way we would have a sharable, unified artifact that defines memory-safety?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Possibly - though I'd like to keep it in a separate doc until we further discuss and refine the idea of the continuum.


## FAQ

### Why do you rank using automated tooling higher than just using developer best practices?
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is great!

* Using a non-memory safe by default language with developer best practices and automated tooling to check for memory safety
* Using a memory safe by default language (such as Rust, Go, Python, Java, JavaScript, C#) without developer best practices and automated tooling
* Using a memory safe by default language with developer best practices
* Using a memory safe by default language with developer best practices and automated tooling
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i wonder if we should consider cases such as:

  • using memory safe by default language that depends upon unsafe language (i.e. through the use of external/foreign functions, or with Ptyhon extensions)
  • using memory safe by default languages which runtime was built with/without developer best practices and automated tooling (an edge case, but one that may exist, specifically in OT/edge/proprietary devices)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about when you disable the memory safeties (in languages like Rust, Ada, and C#, where that's possible)? If there's a small amount (say, a few dozen lines or under 0.1%) that's probably fine. If you have a large package that disables safeties, it's really just a memory-unsafe language & should be treated that way.

If you formally prove a program has no memory safety issues (as opposed to using a typical SAST) tool, then I'd say you are using a memory-safe language (even if it's C). Of course, the number of programs (like seL4) where that true is small, but it is a possibility.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good points - I've added content about them in the FAQs.


## What is Memory Safety?

Rather than using terms like "Memory Safe Language" and "Memory Unsafe Language", this SIG prefers the terms "memory safe by default" and "non-memory safe by default". Please see our [useful definitions](definitions.md) file for more information about memory safety and undefined behavior.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like this!

@jduck
Copy link

jduck commented Feb 22, 2024

Just to have a data point pinned to this PR, I shared in the call today that I think a continuum should focus more on adoption (amount of safe-by-default lang code vs unsafe-by-default) and commitment (no new code in unsafe-by-default langs) than it should on best practices/automated tooling.

See my comments on ossf/scorecard#3736 for more of my thoughts on tools and process, what we actually care about with them, and how they relate to memory safety initiatives.

* [Using attributes such as `cleanup` and classes when writing C](https://lwn.net/Articles/934679/) (and depending on developers to manually check this)
* Following the [C++ Core Guidelines](https://github.com/isocpp/CppCoreGuidelines) when writing C++
* Using the [C++ Compiler Hardening Guide](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Compiler-Hardening-Guides) when compiling C++ code

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about? :

Isolating code that processes un-trusted data from code that performs direct memory management operations or uses raw pointers (See: https://langsec.org)


### Using a memory safe by default language with developer best practices and automated tooling to check for memory safety in first party code AND third party code

TO DO

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fuzzing components (including third-party code) that parse un-trusted data is a good way to find "low-hanging fruit" when auditing third party code is not feasible.
(One popular fuzzer is AFL++.)

@nellshamrell , I think if I were to say much more than this, it would make sense to stick it in its own file in /docs... should I have a go and make a PR?

@nellshamrell
Copy link
Contributor Author

nellshamrell commented Apr 2, 2024

Hi @jduck - after a lot of things happened, I'm finally coming back to this. I'd like to focus this pull request to the continuum on understanding where you are (speaking to a dev or an engineering manager) with re: to memory safety. I could see a future pull request focusing on how to get to a better state (where we could consider things like percentage of code in memory safe by default, percentage of code in non-memory safe by default, etc.).

I will note the focus on understanding where you are in the draft.

@nellshamrell nellshamrell reopened this Apr 2, 2024
Signed-off-by: Nell Shamrell <[email protected]>
@nellshamrell
Copy link
Contributor Author

Got a couple of 👍 in our Slack channel when I asked about merging this. Going ahead and doing so.

@nellshamrell nellshamrell merged commit 7af6645 into ossf:main Apr 19, 2024
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants