trust me
play

Trust Me An exploration of @trusted code in D Steven Schveigho ff er - PowerPoint PPT Presentation

Nov 03, 2022 •337 likes •858 views

Trust Me An exploration of @trusted code in D Steven Schveigho ff er - DConf Online 2020 Code: https://github.com/schveiguy/dconf2020 Memory Safety! Memory Safety Real Problems Source:

  1. Trust Me An exploration of @trusted code in D Steven Schveigho ff er - DConf Online 2020 Code: https://github.com/schveiguy/dconf2020

  2. Memory Safety!

  3. Memory Safety Real Problems Source: https://www.techzine.eu/news/security/46924/chrome-70-percent-of-vulnerabilities-are-caused-by-memory-issues/ “Developers using C and C++ have full control over how they manage an app’s memory pointers, but these programming languages do not have the capabilities to alert developers when they’re making memory management errors.”

  4. Memory Safety Real Problems Source: https://www.zdnet.com/article/microsoft-70-percent-of-all-security-bugs-are-memory-safety-issues/ “[Because] Windows has been written mostly in C and C++, two "memory-unsafe" programming languages that allow developers fine-grained control of the memory addresses where their code can be executed. One slip-up in the developers' memory management code can lead to a slew of memory safety errors that attackers can exploit with dangerous and intrusive consequences --such as remote code execution or elevation of privilege flaws.”

  5. Memory Safety What does “Memory Safe” mean? Walter Bright (DConf 2017): “I believe memory safety will kill C” (Scott Meyers: “Wow.”) • Memory safety violations consist of: • Accessing memory you should NOT have access to (e.g. bu ff er overflow) • Treating memory that is a scalar type as a pointer type • Dangling pointers

  6. Memory Safety D’s @safe implementation • A @safe function: • Cannot do pointer math or indexing • Cannot access array elements out of bounds • Cannot use scalar data re-interpreted as a pointer (i.e. casting or unions) • Cannot change mutability type constructors (e.g. immutable -> mutable) • Cannot access __gshared data • Cannot take the address of a local variable • Cannot declare uninitialized pointers • Cannot call @system functions

  7. Unsafety is sexy Most interesting things are not @safe • Most interesting part of computer programming: i/o! • A hello world program cannot be fully @safe — it must use @system calls to print to the screen. • We all want to be dangerous rebels! It’s in our code! @system @safe

  8. Trust Me

  9. Trust Me @trusted functions bridge the gap • Posix write function is not @safe : extern(C) @system ssize_t write(int fd, const scope void* buf, size_t numBytes); • But we can wrap it in a @safe D function: @trusted ssize_t safeWrite(int fd, const void[] buf) { return write(fd, buf.ptr, buf.length); } • We can use our knowledge of the POSIX API to prove that this call is safe to use from a @safe function.

  10. The Benefit of @trusted Limiting the review • @trusted allows calling @system functions. • But the true benefit is being able to limit what code needs to be checked by hand. • If @trusted functions and APIs are written correctly, then there should be no reason to check @safe code. • This is accomplished by manually verifying the code in @trusted functions does not violate memory safety rules

  11. Tagged Union Writing a @safe union of any two types • Tagged unions are a pairing of a union with a tag to identify the valid member. • If written properly, tagged unions can be considered memory-safe • But we want the compiler to help us!

  12. Tagged Union Issue 20655 (https://issues.dlang.org/show_bug.cgi?id=20655) • Templates should infer @safe or @system • [REG: 2.072] attribute inference accepts unsafe union access as @safe • Explicit @safe / @system tags in implementation (shouldn’t be necessary)

  13. Implementation part 1 code: https://github.com/schveiguy/dconf2020/blob/master/taggedunion1.d module taggedunion; import std.exception; struct Tagged(T1, T2) { private union Values { T1 t1; T2 t2; } private { Values values; bool tag; enum useT1 = false; enum useT2 = true; } this(T1 t1) { values.t1 = t1; tag = useT1; } this(T2 t2) { values.t2 = t2; tag = useT2; } ... }

  14. Implementation part 1 code: https://github.com/schveiguy/dconf2020/blob/master/taggedunion1.d module taggedunion; import std.exception; struct Tagged(T1, T2) { ... void opAssign(T1 t1) { if(tag == useT2) destroy(values.t2); values.t1 = t1; tag = useT1; } void opAssign(T2 t2) { if(tag == useT1) destroy(values.t1); values.t2 = t2; tag = useT2; } ... }

  15. Implementation part 1 code: https://github.com/schveiguy/dconf2020/blob/master/taggedunion1.d module taggedunion; struct Tagged(T1, T2) { ... ~this() { if(tag == useT2) destroy(values.t2); else destroy(values.t1); } ref get(T)() if (is(T == T1) || is(T == T2)) { import std.exception : enforce; enforce((tag == useT2) == is(T == T2), "attempt to get wrong type from tagged union of " ~ T1.stringof ~ ", " ~ T2.stringof); static if(is(T == T2)) return values.t2; else return values.t1; } }

  16. Implementation part 1 code: https://github.com/schveiguy/dconf2020/blob/master/taggedunion1.d module taggedunion; struct Tagged(T1, T2) { ... } // not @safe yet unittest { import std.exception : assertThrown; alias TU = Tagged!(int, int *); auto tu = TU(1); assert(tu.get!int == 1); assertThrown(tu.get!(int *)); int *x = new int(1); tu = x; assert(tu.get!(int *) == x); assertThrown(tu.get!int); } Let’s run it! % rdmd -main -unittest taggedunion1.d 1 modules passed unittests

  17. Is it @safe?

  18. Safety of Tagged is it @safe ? • Using Tagged cannot result in a memory violation. • No access to memory we don’t own • No treating scalars as pointers • No dangling pointers • Very similar to memory allocation.

  19. Compiler: “not safe!” code: https://github.com/schveiguy/dconf2020/blob/master/taggedunion2.d @safe unittest { ... } % rdmd -main -unittest taggedunion2.d taggedunion2.d(59): Error: @ safe function taggedunion . __unittest_L56_C7 cannot call @ system destructor taggedunion . Tagged ! ( int , int *). Tagged .~ this taggedunion2.d(38): taggedunion . Tagged !( int , int *). Tagged .~ this is declared here taggedunion2.d(59): Error: @ safe function taggedunion . __unittest_L56_C7 cannot call @ system destructor taggedunion . Tagged ! ( int , int *). Tagged .~ this taggedunion2.d(38): taggedunion . Tagged !( int , int *). Tagged .~ this is declared here taggedunion2.d(60): Error: @ safe function taggedunion . __unittest_L56_C7 cannot call @ system function taggedunion . Tagged ! ( int , int *). Tagged . get ! int . get taggedunion2.d(45): taggedunion . Tagged !( int , int *). Tagged . get ! int . get is declared here taggedunion2.d(61): Error: @ safe function taggedunion . __unittest_L56_C7 cannot call @ system function taggedunion . Tagged ! ( int , int *). Tagged . get !( int *). get taggedunion2.d(45): taggedunion . Tagged !( int , int *). Tagged . get !( int *). get is declared here taggedunion2.d(63): Error: @ safe function taggedunion . __unittest_L56_C7 cannot call @ system function taggedunion . Tagged ! ( int , int *). Tagged . opAssign taggedunion2.d(31): taggedunion . Tagged !( int , int *). Tagged . opAssign is declared here taggedunion2.d(64): Error: @ safe function taggedunion . __unittest_L56_C7 cannot call @ system function taggedunion . Tagged ! ( int , int *). Tagged . get !( int *). get taggedunion2.d(45): taggedunion . Tagged !( int , int *). Tagged . get !( int *). get is declared here taggedunion2.d(65): Error: @ safe function taggedunion . __unittest_L56_C7 cannot call @ system function taggedunion . Tagged ! ( int , int *). Tagged . get ! int . get taggedunion2.d(45): taggedunion . Tagged !( int , int *). Tagged . get ! int . get is declared here

  20. Compiler: “not safe!” code: https://github.com/schveiguy/dconf2020/blob/master/taggedunion2.d • Because every function’s safety is inferred, instead of seeing the actual part that makes the code unsafe, you see just the “cannot call @system function” error messages • Use explicit @safe tags to further diagnose those errors.

  21. Compiler: “not safe!” code: https://github.com/schveiguy/dconf2020/blob/master/taggedunion3.d struct Tagged(T1, T2) { @safe: ... } taggedunion3.d(20): Error: field Values . t2 cannot access pointers in @ safe code that overlap other fields taggedunion3.d(26): Error: field Values . t2 cannot access pointers in @ safe code that overlap other fields taggedunion3.d(34): Error: field Values . t2 cannot access pointers in @ safe code that overlap other fields taggedunion3.d(40): Error: field Values . t2 cannot access pointers in @ safe code that overlap other fields taggedunion3.d(58): Error: template instance taggedunion . Tagged !( int , int *) error instantiating

  22. Compiler: “not safe!” code: https://github.com/schveiguy/dconf2020/blob/master/taggedunion3.d • As expected, all the problems stem from accessing the union pointer member that overlaps the non-pointer member. • However, our tag tells us which one is valid. So we can mark @trusted the portions of the code that determine which value is valid, and provide a reference to that value.

  23. Extract trusted portions code: https://github.com/schveiguy/dconf2020/blob/master/taggedunion4.d struct Tagged(T1, T2) { ... @trusted private ref accessValue(bool expectedTag)() { import std.exception; enforce(tag == expectedTag, "attempt to get wrong type from tagged union of " ~ T1.stringof ~ ", " ~ T2.stringof); static if(expectedTag == useT2) return values.t2; else return values.t1; } @trusted private void setTag(bool newTag) { if(tag != newTag) { if(tag == useT2) destroy(values.t2); else destroy(values.t1); } tag = newTag; } ... }

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

FT Consultation An NHS Foundation Trust The Trust is applying to become an NHS Foundation Trust

FT Consultation An NHS Foundation Trust The Trust is applying to become an NHS Foundation Trust

FT Consultation An NHS Foundation Trust The Trust is applying to become an NHS Foundation Trust Your Local Mental Health NHS Trust Implementation of Involvement Agenda National accreditation for Memory Service Team (Bloxwich Hospital)

763 views • 14 slides
PGP web of trust Web of trust From:

PGP web of trust Web of trust From:

PGP web of trust Web of trust From: h2p://pgp.cs.uu.nl/plot/ The PGP web of trust can be viewed as a directed graph where the points are

558 views • 10 slides
NSF Activities in Cyber Trust NSF Activities in Cyber Trust NSF Activities in Cyber Trust For

NSF Activities in Cyber Trust NSF Activities in Cyber Trust NSF Activities in Cyber Trust For

NSF Activities in Cyber Trust NSF Activities in Cyber Trust NSF Activities in Cyber Trust For ACM CCS I ndustry/ Govt Track Oct. 26, 2004 Carl Landwehr ( clandweh@nsf.gov ) Cyber Trust Coordinator National Science Foundation What s the

439 views • 17 slides
Charter of Trust on Cybersecurity charter-of-trust.com | #Charter of Trust Digitalization

Charter of Trust on Cybersecurity charter-of-trust.com | #Charter of Trust Digitalization

Charter of Trust on Cybersecurity charter-of-trust.com | #Charter of Trust Digitalization creates opportunities and risks Page 2 And its common truth We cant expect people to actively support the digital transformation if we cannot

499 views • 11 slides
The Economics of Trust in Organisations Trust Trust is the voluntary acceptance of vulnerability

The Economics of Trust in Organisations Trust Trust is the voluntary acceptance of vulnerability

The Economics of Trust in Organisations Trust Trust is the voluntary acceptance of vulnerability based upon positive expectations of the intention or behaviour of another. Key components of TRUST include (1) the recognition of vulnerability

471 views • 13 slides
Gods stories Gods stories Trust Trust To Rely Upon Something Totally Trust trust:

Gods stories Gods stories Trust Trust To Rely Upon Something Totally Trust trust:

Gods stories Gods stories Trust Trust To Rely Upon Something Totally Trust trust: confidence in, or an assured reliance on, the character, integrity, ability, strength, or truth of someone or something faith: Confidence or

784 views • 33 slides
Trust rust What is Trust? A Definition Trust is a phenomenon of reliance on the good intentions

Trust rust What is Trust? A Definition Trust is a phenomenon of reliance on the good intentions

Trust rust What is Trust? A Definition Trust is a phenomenon of reliance on the good intentions and/or adequate competences of others in situations characterized by dependence, vulnerability and risk.* *Luhmann (1968), Baier (1986, 1992),

573 views • 7 slides
Dynamics, robustness and fragility Private trust Public trust of trust Conclusions Dusko

Dynamics, robustness and fragility Private trust Public trust of trust Conclusions Dusko

Dynamics of trust Dusko Pavlovic Introduction Dynamics, robustness and fragility Private trust Public trust of trust Conclusions Dusko Pavlovic Kestrel Institute and Oxford University FAST Malaga, October 2008 Dynamics of trust

596 views • 46 slides
Its all about trust(s) Its all about trust(s) Housekeeping We want you to have a great

Its all about trust(s) Its all about trust(s) Housekeeping We want you to have a great

Its all about trust(s) Its all about trust(s) Housekeeping We want you to have a great experience, so: If youre having any sound or viewing issues during the live webinar, please contact the GoToWebinar support team using the link

945 views • 68 slides
ENLIGHTENED NEGOTIATION Dr. Mehrad Nazari, MBA The Law of Trust Trust is the foundation of

ENLIGHTENED NEGOTIATION Dr. Mehrad Nazari, MBA The Law of Trust Trust is the foundation of

ENLIGHTENED NEGOTIATION Dr. Mehrad Nazari, MBA The Law of Trust Trust is the foundation of any relationship, collaboration, and negotiation Trust is the congruity of words and actions Trust is a moral credit rating; it is the

466 views • 15 slides
Islands Trust Council September 15, 2011 The Islands Trust Trust Council 26 elected

Islands Trust Council September 15, 2011 The Islands Trust Trust Council 26 elected

Islands Trust Council September 15, 2011 The Islands Trust Trust Council 26 elected representatives of island communities The Islands Trust Act To preserve and protect the unique amenities and environment of this area for:

354 views • 31 slides
Trust Speak Overview with dialogue all along the way: Definition of trust Three

Trust Speak Overview with dialogue all along the way: Definition of trust Three

Trust Speak Overview with dialogue all along the way: Definition of trust Three roads to trust: 1. Personal: one-on-one 2. Strategy: confidence in what we are doing 3. Process: how things are done Four principles

529 views • 4 slides
@richardfagerlin I DONT Jim TRUST Larry Gayle THEM 2 | T R U S T O L O G Y

@richardfagerlin I DONT Jim TRUST Larry Gayle THEM 2 | T R U S T O L O G Y

@richardfagerlin I DONT Jim TRUST Larry Gayle THEM 2 | T R U S T O L O G Y IMPACT HIGH TRUST LOW TRUST OF TRUST 3 | T R U S T O L O G Y People at high-trust companies report: LOW 74% less stress

402 views • 19 slides
Session 1 The New Codex Trust Fund Purpose of the Codex Trust Fund? The Codex Trust Fund supports

Session 1 The New Codex Trust Fund Purpose of the Codex Trust Fund? The Codex Trust Fund supports

Session 1 The New Codex Trust Fund Purpose of the Codex Trust Fund? The Codex Trust Fund supports countries to build strong, solid and sustainable national capacity to engage in Codex Scope and focus of support from the Codex Trust Fund Well

679 views • 37 slides
Castle Trust Innovative loans with no monthly payments required 1 Who are Castle Trust? Castle

Castle Trust Innovative loans with no monthly payments required 1 Who are Castle Trust? Castle

Scott Apps Business Development Manager Castle Trust Intermediary use only Castle Trust Innovative loans with no monthly payments required 1 Who are Castle Trust? Castle Trust was launched in October 2012 by an experienced team of senior

152 views • 11 slides
Charter of Trust on Cybersecurity charter-of-trust.com | #Charter of Trust Digitalization

Charter of Trust on Cybersecurity charter-of-trust.com | #Charter of Trust Digitalization

Charter of Trust on Cybersecurity charter-of-trust.com | #Charter of Trust Digitalization creates opportunities and risks Page 2 April 2019 Digitalization creates Opportunities Connected Facilities/Plant/Site Billions of devices are

407 views • 12 slides
The Trust Anchor Key Renewal Method Applied to DNS Security Presentation by Thierry Moreau,

The Trust Anchor Key Renewal Method Applied to DNS Security Presentation by Thierry Moreau,

The Trust Anchor Key Renewal Method Applied to DNS Security Presentation by Thierry Moreau, CONNOTECH DNSSEC mission: DNS data origin authentication integrity assurance authenticated negative answers DNSSEC omissions, missing and wanted at

395 views • 8 slides
1 Figure 7.3 Figure 7.3 Messages with both Authenticity and Secrecy Messages with both

1 Figure 7.3 Figure 7.3 Messages with both Authenticity and Secrecy Messages with both

Today Today 1. Review/Summary of security technologies Crypto and certificates 2. Combination of techniques in SSL Security Technologies and Hierarchical Trust Security Technologies and Hierarchical Trust The basis for secure HTTP, ssh

269 views • 7 slides
Frama-C WP Tutorial Virgile Prevosto , Nikolay Kosmatov and Julien Signoles June 11 th , 2013

Frama-C WP Tutorial Virgile Prevosto , Nikolay Kosmatov and Julien Signoles June 11 th , 2013

Frama-C WP Tutorial Virgile Prevosto , Nikolay Kosmatov and Julien Signoles June 11 th , 2013 Motivation Main objective: Rigorous, mathematical proof of semantic properties of a program functional properties safety: all memory

704 views • 47 slides
02291: System Integration Design By Contract and OCL Hubert Baumeister huba@dtu.dk DTU Compute

02291: System Integration Design By Contract and OCL Hubert Baumeister huba@dtu.dk DTU Compute

02291: System Integration Design By Contract and OCL Hubert Baumeister huba@dtu.dk DTU Compute Technical University of Denmark Spring 2019 What does this function do? Implementation public List<Integer> f(List<Integer> vector) {

533 views • 35 slides
Welcome! Todays Agenda: Dont Trust the Template The Prefix Sum Parallel

Welcome! Todays Agenda: Dont Trust the Template The Prefix Sum Parallel

/INFOMOV/ Optimization & Vectorization J. Bikker - Sep-Nov 2018 - Lecture 10: GPGPU (3) Welcome! Todays Agenda: Dont Trust the Template The Prefix Sum Parallel Sorting Stream Filtering Optimizing

781 views • 39 slides
Software Engineering I (02161) Week 11 Assoc. Prof. Hubert Baumeister DTU Compute Technical

Software Engineering I (02161) Week 11 Assoc. Prof. Hubert Baumeister DTU Compute Technical

Software Engineering I (02161) Week 11 Assoc. Prof. Hubert Baumeister DTU Compute Technical University of Denmark Spring 2015 Contents Design by Contract (DbC) Contracts Implementing DbC in Java Assertion vs Tests Invariants Inheritance

770 views • 55 slides
Families First Coronavirus Response Act and Covid-Related Accommodations Presented by: Patricia

Families First Coronavirus Response Act and Covid-Related Accommodations Presented by: Patricia

Families First Coronavirus Response Act and Covid-Related Accommodations Presented by: Patricia E. Reilly, Partner Chair, Labor and Employment Group Murtha Cullina, LLP preilly@murthalaw.com November 23, 2020 For the CCIC Annual Member Forum

661 views • 35 slides
Do spatially targeted initiatives improve health and well-being? Richard Crisp Centre for

Do spatially targeted initiatives improve health and well-being? Richard Crisp Centre for

Do spatially targeted initiatives improve health and well-being? Richard Crisp Centre for Regional Economic and Social Research Sheffield Hallam University SPHR@L, 29 th September 2016 Outline Relationship between poverty, place and heath

499 views • 22 slides

More recommend