Everything I Want to Do is Unsafe!
Dec 21, 2020 #programming #security #formal-verification #opinion #rustI’ve been learning some of the new hip “safe” programming languages lately, and I’m having recurring problems with them. Let’s discuss why.
Computers will do exactly what you tell them to do. Sometimes, it’s more than we bargained for. This fact has lead to many fun things that could have been avoided. After enough of these footguns developers got wise and worked on safer ways to do things. Formal verification (FV) and safer programming languages are the two successful forms of these techniques. FV is still a niche field that requires an understanding of grad school mathematics. Safer languages (e.g. Rust) are making inroads and beginning to fulfill the developer’s needs.
On the FV side, things are slowly getting better. Projects like seL4 are bearing fruit. And software like Coq and Isabelle make FV more accessible. I believe that ultimately FV will be the solution to software security, but it isn’t ready yet.
On the other side languages like Rust and WebAssembly are great but don’t
address an important issue: many useful and interesting computing tasks are
inherently unsafe. Software like debuggers, operating system kernels, and
garbage collectors, to perform efficiently, need to perform tasks these
languages would complain are “unsafe.” And – yes – there ultimately are ways
to escape these constraints with Rust’s unsafe
or
WASI, but it’s not ergonomic.
I’ve tried writing operating systems and emulators in Rust but found the language got in the way. A developer should not write an algorithm in spite of their language of choice; they should write algorithms that are enhanced by their language. Engineers use C++, JavaScript, PHP, et cetera more often than not because these tools are productive. They get out of the way of the developer. It’s possible that with Rust I’m just using it wrong™, but that is just my opinion and doesn’t matter.
I am not saying that languages like Rust are bad. In fact, they’re great and quite enjoyable to use. I’ve written a few Rust projects that were a joy to make. Rust is pretty darn great for writing one-off utilities, tools, and web applications; and I look forward to using it in the future. But frankly, these languages are not well-suited for “unsafe” tasks like debugging, garbage collection, or kernel development.
My recent interests are software that performs the “unsafe” things mentioned earlier. So what’s the point of using these languages if everything I want to do is unsafe? There are certainly ancillary benefits to writing the “safe” tasks in Rust, but let’s be real: I ain’t writing no garbage collector in Rust!