> For system-level folks, Rust is one of the most exciting security developments of the past few decades. It elegantly solves problems which smart people were saying could not be solved. Fuchsia has a lot of code, and we made sure that much of it (millions of LoC) was in Rust.
> Our kernel, Zircon, is not in Rust. Not yet anyway. But it is in a nice, lean subset of C++ which I consider a vast improvement over C.
A few thoughts on this.
1. Why is it that Chrome hasn't had more Rust adoption? It's so obvious - Chrome constantly has to make the tradeoff of security vs performance with regards to things like parsing in sandboxed code. There's so much potential - Firefox started with the obvious place, encoding and decoding, which are too dangerous for C/C++ but too performance sensitive for OOP.
Feels like it's gotta be organizational, and somehow Fuschia has managed to break off from the part of Google that's still clutching to C++.
2. I'd be interested in hearing more about the design of Fuschia. Rust in userland is cool, or kernel modules too, but a memory unsafe kernel is an unfortunate thing. Even just the teaser of "not yet at least" is changing my view on the OS (I find the idea of another memory unsafe kernel/userland more depressing than exciting, even if there are neat things like capabilities).
3. Also curious to hear about their experience with a strict subset of C++. Again, looking at Chrome, we now see common ITW exploits - and Chrome is perhaps the single most fuzzed piece of software in the world, and leverages many modern C++ techniques (or the Google equivalent of them).
As for the rest, verified execution seems interesting - is this like what iOS does, where it's basically impossible to RWX (except with an escape hatch for JITs, but behind a permission boundary)?
TBH if Google pivots Fuschia to do something interesting like bottom-up memory safety with novel isolation mechanisms, I'll bite. Until then, I'll wallow in this awful pit we continue to dig ourselves into.
The web platform code in Chromium uses a C++ garbage collector [1] which gets a lot of benefits of a memory safe language and integrates well with V8/JS. That fixed the vast majority of issues without having to rewrite any of the code in another language.
Oh, I totally disagree with you. I'm well aware of how Chromium's C++ code works, and I'm aware of oilpan, I don't think it's fair at all to say it solves memory safety issues.
> It requires a human to actually look at the contents of the unsafe block.
Yes, that's an incredible capability - that a human can actually look to find bugs, that's insane, that's huge.
> Most of the time those humans are even rarer than those that validate unit tests are properly written.
Maybe, maybe. Is it rarer than fuzzing with sanitizers though? Or rarer than serious sandboxing efforts? When unsafe has been used gratuitously in Rust libraries the community has pushed back, to a fault.
I don't know what it is you want to try to argue here though. My questions were really targeted to someone at Google who can speak more directly to what I've been seeing for years.
I am trying to argue that just by using a safer systems programming language, the security exploits don't go away.
Someone needs to take care that the remaining 30% are taken care of.
While the unsafe blocks are still responsible for the remaining 70% if no one bothers to actually validate them.
Actix Web is a very good example, how the community still has to learn how to deal with such issues, and how effective the security would have been, if its security wasn't validated by fellow humans.
Yes it is definitly better than C, C++ or Objective-C, just not zero effort to keep it safe.
If your >95% of your codebase doesn't feature unsafe, your rare human with the review skills only has to look at the remaining 5%, maybe 10% in order to understand what the 5% are doing.
Fuchsia's kernel (Zircon) is based on LK [0] [1] ("Little Kernel"), it's not a from scratch thing. Would be interesting to know when LK started, the first commit[2] in the git repo is a big code drop so doesn't tell the story.
Very simple, the Chrome and ChromeOS code bases mostly predate Rust becoming a thing. It's a complex code base. Replacing any of it is a big task. It took Mozilla many years to develop Rust and use it in their own browser, which is likely to be ongoing work for many years to come. Additionally, developers familiar with the Chrome/ChromeOS code base are probably very hard core C++ developers. Switching to Rust is not going to happen just like that. They'd have to want it and agree on doing it. And then they'd have to learn it and get productive with it.
Fuchsia development has been ongoing for quite long as well but most of the code base is from more recent times. When they first announced Fuchsia, they did not talk about Rust at all. But obviously they managed to attract some Rust developers since then and perhaps made a conscious choice to not use C++ for new development and try to contain what they had already as much as they could where it was already there.
It's one of those high level technology choices that kind of became an obvious one a few years ago. If your goal is to develop fast and secure software, Rust seems the preferable language. Google has the track record to prove that C & C++ are inherently risky since despite decades of trying to prevent issues, they regularly have to deal with them still. Including in new code. I imagine somebody at a high level just drew a line in the sand and put a stop to most new C++ development on Fuchsia. Do it right the first time. Or something like that.
> In conclusion. Too early, lack of experts, rapid evolution pains. It was stacking risk on top of an already risky project.
Rust was extremely immature and too early to be used in an OS at the time. It just hit 1.0. By then, Fuchsia already wrote its kernel Magenta (now Zircon) in C++.
In short, it did not make sense to write the OS kernel in Rust from both a technical and business standpoint at the time.
Dude it's a kernel. What other alternatives do you suggest? ATS and all sound nice for academic projects but it's an industry project (even if some research purpose is there) they have different tradeoffs.
I'm sure they don't need my recommendation, and the whole thing is moot today if Rust has fixed the issues in the years since.
But to play with counterfactual history: Apparently Go is fairly big there. There was a Usenix paper about a Go kernel a while back, and there's also gVisor. Then there is Ada, and Kotlin native, and various safe dialects of C. MS did one in .NET - there were lots of options.
There are papers with Python kernels. Doesn't mean Python's a good language for writing a kernel. gVisor had to fight Go quite a lot, I think it was a huge mistake for them to choose it.
Ada is the only language you've mentioned that really fits IMO. One of the safe languages like P would be interesting but it's unproven in the space.
As for Ada, it's a sad story, but ultimately the language is unlikely to gain traction after too many early mistakes (particularly around licensing).
So its from quite a prestigious institution, has at least one big authors, and concludes that it works quite well and recommends it over C for new kernels and VMMs.
I also disagree the "no traction" argument about Ada since it's been used in real projects and had a big enough developer community for a long time, and is alive and well. People can surely pick up new programming languages when they join a new project, I know I've done it many times. Tooling licensing should be fine as well since GNAT is available under GPL + Licensing exception, same as Google has been using with GCC since dawn of time, and under the Adacore license which Google probably can afford.
So, I hold that there were many other options vs Rust. Including the others in my original comment that we didn't get to in details. Except Kotlin Native, I made a timeline mistake there, it was too early in 2016.
I read a possibly dated view by a security researcher that slowly introducing Rust into a C/C++ codebase may actually make the codebase less secure — since the C part can be made aware/can mitigate memory errors while in pure Rust, there is no such thing due to lack of need - so a buffer overflow can potentially cause bigger problems this way.
If someone with more knowledge on C and Rust compilers and security, I would be interested in their opinion on this.
> slowly introducing Rust into a C/C++ codebase may actually make the codebase less secure
I think to some extent this used to be true, and to some extent still is.
Rust didn't always have MIRI support which points out if you try to do some unsound thing. Maybe 4 years ago you would have been the first person to use a specific niche static analyzer that builds on LLVM with Rust, so there would have been bugs inevitably. Same goes for wanting to analyze both the C and Rust that call each other. So static analyzer support has improved I think.
Also, C is better understood while in Rust it's less obvious how things need to look like. With better understood I don't mean by the developers who write the code, but from a language specification point of view. E.g. views have evolved on how accessible uninitialized memory should be in unsafe Rust, so MaybeUninit has been added. It's only two years old at this point.
Also there is the issue of safe interfaces between languages. In the days before cxx, if you had a "safe" cpp smart pointer, moving it to Rust and back would have involved possibly more unsafety than operating on that smart pointer yourself.
There has also been the long standing issue of unwinding at FFI boundaries.
If you have a codebase with 5 thousand lines of cpp and now replace 1 thousand lines with a Rust component of 500 lines, it might still be a better idea to just keep the old solution and give it a thorough review. It's different I think if you have a codebase with 5 million lines of cpp though and replace one component of 50k lines that has a clean interface but is an extreme source of vulnerabilities. It's a question of how dangerous "surface" is between the two languages.
Does all of this mean you shouldn't invest into Rust? Absolutely no. If it's a 5k lines codebase, you can rewrite it completely. If it's a 5 million lines codebase, I'm sure you'll find a security bug ridden component that is well isolated that you can replace.
I'm knowledgeable on C and Rust and security and it sounds like a red herring to me.
It's unclear what they're trying to say, but a charitable interpretation would be that C code assumes unsafety, therefor mitigations are in place. But it's actually the opposite situation - rustc is generally quite aggressive about turning mitigations on, and adopts them very quickly.
Re parsing: there's work being done on Wuffs which is meant for decoding data formats safely and efficiently. It's a new language, but it's one that compiles into C code.
It's a Google project, and I wouldn't be surprised if it eventually makes its way into Chrome.
Wuffs is not a Google project; it's a project whose code happens to be owned by Google. Most likely it's some engineer's side project and while I wouldn't be surprised if it was incorporated into a Google project, it's definitely not inevitable. It has probably the same odds as any other well-maintained open source project.
I fully acknowledge that the README says that it's not an official Google product. But rather than debating the exact "Google status" of the project, here's the tracking bug[1] for its integration into Skia (the low level graphics library in Chromium). Here's the tracking bug[2] for its integration into Flutter.
Chromium still uses C++14, not even C++17, due to binary comparability with PNaCl plugins. In 2022 the support for those will be retired, then more options will be possible.
Actually, Chrome were evaluating rust for there case. They were pretty much for it but they had to make it interface with the existing C++ codebase. Here is the relevant discussion:
Yeah they've been evaluating it for years, and then I read that document and it frankly felt like a poison pill. Reading that document it sounds very much like it's "how do we keep writing C++ while addressing the growing interest in rust".
No, the problem here is very real - rust doesn't have a reasonable c++ interop story, which means you have to rewrite potentially very large amounts of code at once and hope you don't regress anything. At the same time you have to continue normal development work, which is necessarily still C++, because again, you can't adopt rust in small sections.
Basically to rewrite one DOM feature in rust would have a high likelihood of requiring rewriting the entire DOM implementation in rust, which would also require rearchitecting. While doing that other people would be wanting to continue working, but they don't have a rust build to work on so they have to continue in c++, thus sadness and conflicts. The other solution is to implement features in rust, and use a c++ wrapper to interface with that rust implementation, but now you've lost the memory safety advantages of rust (most of which are lifetime related, not bounds checking), and the C++ interface itself could be exciting as it could end up having to marshal other types.
> No, the problem here is very real - rust doesn't have a reasonable c++ interop story, which means you have to rewrite potentially very large amounts of code at once and hope you don't regress anything. At the same time you have to continue normal development work, which is necessarily still C++, because again, you can't adopt rust in small sections.
This was a somewhat more accurate summary a few years ago (though saying "you can't adopt rust in small sections" ignores the fact that Firefox among others did just that), but the cxx crate has made huge strides lately, and it's much more feasible now to interoperate at a deep level between Rust and C++. (In fact, dealing with this interoperability constitutes a large part of my job nowadays, and thanks to cxx it performs swimmingly.) We're even starting to talk about advanced features like seamless C++ async/await support in cxx.
I would love your opinion on whether migrating to Rust is a good idea for us, since you're experienced in this realm.
My team has a Java project that's written in a modern OO style. We defined "modern" OO as encapsulation and polymorphism, without inheritance, and it fits our use case very well.
We don't want to give up the benefits we get from the OO architecture, for good reasons that I won't get into here (because I don't want this to de-rail into a OO bash-fest, as fun as they are!)
The conundrum: In my experience, Rust doesn't support polymorphism very well. When the borrow checker meets polymorphism, a lot of state is forced into parameters (state which is inherent; we already keep state to an absolute minimum), which opens it up to mutation from all sorts of places; not very encapsulated.
We can have a bunch of private member Rc<RefCell<T>>s instead of bringing in all state via parameters, but it's unidiomatic, and in the end we'd probably have something slower and less safe than our original Java program.
The question: Is there any way to make Rust a good fit for a use case like ours?
(The same problems would apply to C++ codebases, though it's a little more convincing for them, since C++ isn't as safe as Java)
Not the GP, but is your problem that you have a complex object-graph without clearly defined owners of objects (as is common in GC'd languages, especially OOP ones)?
There's a pretty clear tree of ownership, actually. Looking at any given component, it's fairly easy to know when a component is a "subcomponent" (owned) or whether it's a reference to some other component elsewhere (borrowed). Some of us are C++ veterans, so we tend to think in terms of single ownership no matter what language we're in.
There are a few references in our "main" (so to speak) where its ownership would be clearer if we stored them in local variables and then handed them to the only component that used it, but that's a cosmetic concern, really.
There are very few (if any) places where we actually make use of Java's shared ownership. The only place I can think of is where we cache some files, and farm out "shared" references to any file. Still, at that point, the cache could be considered the owner, with a slight adjustment.
Note that the philosophy of cxx isn't to support all of C++'s semantics (templates make this impossible in the limit as Rust has no SFINAE rule for example), but rather to support the important use cases that arise in practice.
It's also worth noting that, these days, bindgen has support for instantiating C++ templates, though it operates at a much lower level. Compared to cxx, bindgen is oriented more toward being comprehensive than being easy.
Have you gotten a chance to use cxx in a large “production” “legacy” c++ codebase? It’s great but there’s quite a few roadblocks that I encountered even trying something I would have considered that should be “easy”. I could easily imagine that Chromium would have an even tougher time. Some highlights:
* if you’re not careful, you’ll end up with linkage issues if you link in multiple crates. This means 1 uber create that has all your Rust dependencies. This can mess with parallelism in your build since Cargo isn’t coordinating with the broader system.
* speaking of build systems, chromium probably wouldn’t use create meaning extra build system integration, especially since they don’t use Bazel/Blaze.
* cxx still can’t pass across certain types (Arc and Option being the big ones) and is missing a general story for extending it with custom types.
* cxx can frequently cause you to have to reach to unsafe anyway because the lifetime semantics you want to express cannot be done in pure Rust because the other half lives in c++.
Don’t get me wrong. Rust is fantastic and a joy to use. Dismissing the challenges a project like Chromium has as “they just want to stick to c++” isn’t a fair look at the situation. Lots of smart people work on these projects and are keenly aware of Rust. Additionally managers and executives are keenly aware of the security benefits so there’s definitely downward pressure to try to adopt these (and large efforts spent investigating how to enable this whole maintaining developer velocity).
cxx doesn't necessarily help for cases like refactoring legacy C++ code. It seems to require more work than bindgen. I suspect switching to cxx in Firefox, to replace bindgen, would be quite involved.
Replacing small components like a single codec or parser wouldn't require anywhere near what Google is asking for in that document. I'm not saying to replace V8 with Rust.
> but now you've lost the memory safety advantages of rust
But replacing small isolated components is not a very interesting option. It means you're paying the costs of a multi-language codebase, in terms of build complexity, having to duplicate infrastructure, and siloing of developers.
In return you'll only be getting limited benefits from it, since the usage will only be restricted to few cases and a full migration can never happen. Every single decision on what language to use for a component in becomes a hard to reverse ("will this component always remain a leaf node with a really simple interface?"), slowing down decision making and ossifying the architecture.
> But replacing small isolated components is not a very interesting option.
I seriously disagree. Again, I mentioned things like JSON parsing which deal with untrusted data but also are too performance sensitive to move OOP. Chromium's own security guidelines explicitly states that you should never mix memory unsafe code with inprocess code with untrusted input.
I strongly believe you'd get significant returns by incrementally replacing components like that with Rust.
> Every single decision on what language to use for a component in becomes a hard to reverse
This is purely an organizational issue in my opinion. If the decision were made to follow the guidelines their security team has laid out, there is no question or slow-down. The guidelines are very competent and clear; memory unsafe, untrusted input, in-process - pick one at most.
JSON is just a straightforward example because it's easy to understand how it falls into Chromium's threat model. Feel free to replace it with font parsing, audio/video codecs, etc, and you'll find thousands of relevant vulns.
Being able to add new features without greatly expanding the attack surface is important for security. When new components of Firefox have been written in Rust, there have empirically been far fewer security problems to shake out than when they've been written in C++.
Is Rust of more limited benefit when it's only being used for certain components as opposed to the entire codebase? Sure. But is it still worth using for new code? Frequently, yes.
> Our kernel, Zircon, is not in Rust. Not yet anyway. But it is in a nice, lean subset of C++ which I consider a vast improvement over C.
A few thoughts on this.
1. Why is it that Chrome hasn't had more Rust adoption? It's so obvious - Chrome constantly has to make the tradeoff of security vs performance with regards to things like parsing in sandboxed code. There's so much potential - Firefox started with the obvious place, encoding and decoding, which are too dangerous for C/C++ but too performance sensitive for OOP.
Feels like it's gotta be organizational, and somehow Fuschia has managed to break off from the part of Google that's still clutching to C++.
2. I'd be interested in hearing more about the design of Fuschia. Rust in userland is cool, or kernel modules too, but a memory unsafe kernel is an unfortunate thing. Even just the teaser of "not yet at least" is changing my view on the OS (I find the idea of another memory unsafe kernel/userland more depressing than exciting, even if there are neat things like capabilities).
3. Also curious to hear about their experience with a strict subset of C++. Again, looking at Chrome, we now see common ITW exploits - and Chrome is perhaps the single most fuzzed piece of software in the world, and leverages many modern C++ techniques (or the Google equivalent of them).
As for the rest, verified execution seems interesting - is this like what iOS does, where it's basically impossible to RWX (except with an escape hatch for JITs, but behind a permission boundary)?
TBH if Google pivots Fuschia to do something interesting like bottom-up memory safety with novel isolation mechanisms, I'll bite. Until then, I'll wallow in this awful pit we continue to dig ourselves into.