how can memory safe code STOP HACKERS?

You can still do this in Rust, but you need to be explicit about it. This gives the flexibility that is sometimes needed, but also clearly indicates to a maintainer where things could have gone wrong.

Umm, could you write a piece of code depicting it please? I want to see how it works.

I think people are struggling to maintain it because it is "tricky" to begin with - your using the very thing people tell you not to use in often a very platform-specific implementation that can be syntactically terrible to read in order to squeeze in a bit of efficiency - I think it's good that this practice fall by the way side for more semantic approaches to this sort of efficiency gain (like identifying this funky memory magic with keywords that explicate it's unsafety).

@@pravargupta6285 This wasn't written in C and I'm not going to write the language as it'd dox me pretty heavily, but I can explain a simpleish example.
I was fixing a Y2K-like bug in a system where the standard OS date-setting executable wouldn't set the date after 2027 (the system call accepted a 7-bit unsigned int, 1900 epoch+127 years) but the OS was otherwise happy with dates beyond this (internally, a 16-bit signed int was used with the absolute year). We didn't have the executable source to correct.
The way the OS worked was that all of the OS structures could be navigated to from a pointer in the absolute memory value 0xA.
So I wrote a program that ran with kernal-level privileges which, when passed an appropriate date-setting instruction, looked in 0xA, took that pointer to the OS structure (that we called the system block) which further had pointers to other parts of the OS, including the date-time block. So I navigate to the D-T block, get a pointer to the memory location, in absolute memory space, with the year.
I have an array declared. I get the absolute pointer for index [0] of this array. I then subtract that pointer from the pointer I have in the D-T block, to get an int that is the difference, in words in absolute memory, between my array and the D-T block.
So I use that as an array index to write the year to the OS, bypassing the intended mechanism.

@@beckaddison5827 People will, but it's still something that is out there in the wild. I don't disagree at all with what you've said, it's sometimes necessary but far from desirable.
But I see it as a skill along the lines of, say, coding in assembly where it's rarely useful or desirable but it was occasionally necessary and having the skills to understand and maintain it is sometimes necessary.
A greenfield project should never be written that way, but a not-insignificant part of SW engineering heritage that we still rely on is built that way.

While it is true that C is very efficient and easy to learn, no amount of tools has prevented codebases like Chromium to erradicate 70% of its bugs, which are related to memory safety. The same is true in Android, especially on the security side of things: in Android 13, the 1.5 million lines of Rust code that they wrote has had *net zero* memory-related CVEs so far, compared to an average of 1 CVE / 1k SLOC in their C++ code. Valgrind, address sanitizers, they can only get you so far with a language that was inherently not designed to be memory-safe in the first place.
Besides, lots of companies are already using Rust instead of C and C++ for their codebase. C++ in particular is already being replaced here and there. They definitely are entrenched languages in the IT world, but it's becoming more and more viable to do the risky bet of taking the time to rewrite some C++ codebase in Rust, rather than continue to maintain a C++ code. And even when such a risk is not viable, people are integrating Rust in C++ codebases so that all new code is made in it (that's what Android is doing).

@@Speykious Here and there C and C++ can be replaced but not in every cases. For example in game development C++ is still much better choice, for embedded systems C and Assembly are the king. Rust is rust, it's a bit different, for safety-critical tasks it might be better choice, but that's not everything...
C and C++ is much more mature language, Rust is still new compared to them and it has much slower compile time and stricter compiler.

@@matyasmarkkovacs8336 Rust definitely has potential in game development, with projects such as Bevy, Fyrox Engine and Macroquad/Miniquad. You're right, C and C++ are "more mature languages", or more precisely they have a way more mature ecosystem that is old and battle-tested, with standards such as Unreal Engine. But that doesn't mean that Rust cannot "replace" C and C++ in these areas: by that I mean, I'm sure that in a few years, Rust is going to be a much more viable choice for game development than today where it is still in its experiment phase.
And of course I assume the same is true for embedded development, but I know way less about this field since I'm not really interested in it (yet?).
About your last small thing: yeah, Rust has slow compile times, but it also has incremental compilation so generally it's only a problem when you build your huge project for the first time and when you do a release.
As for the stricter compiler... That's kind of the whole advantage of Rust in the first place! That's what has prevented Android from having any kind of memory-related CVE in their huge Rust code. That's also part of why I personally love it. xD

I think that's my point. Unfortunately, tons of incompetent C programmers contribute to projects that run the world. The future of languages shouldn't allow the programmer to make memory mistakes.
Also despite ASLR, RELRO, PIE binaries, stack canaries, memory corruption exploits are still super common. Maybe C is to blame.

@@LowLevel-TV Rust has had its own memory exploit CVEs happen and most of the exploits that do happen in that field are actually in C++. fact is high performance high complexity applications are always going to remain in the realm of unsafe and anything outside of that probably shouldn't be written in C/C++ in the first place.

@@zaper2904
It makes no sense to stall against security measures in languages like Rust, it goes without saying that there will be CVE's in literally any language that is using insecure code, and that obviously includes Rust, but that doesn't take away from the fact that real-world applications of the language, including in Android itself, resulted in memory bugs happening than more, and that in itself is a positive thing.

I think your comment is proving his point - the fact that all these vulnerabilities might not be exploitable on modern systems speaks to the fact that these mistakes have been made enough times before, by C programmers apparently competent enough to have their software released on modern systems and that software be popular enough to later be exploited. All this additional overhead, ASLR, stack canaries and the like are required to check behind a binary because of the long history of issues caused by C's (and other unsafe programming languages) inherent trust in the programmers ability to program perfectly. What happens if these basic examples were used in a small embedded platform with a stripped back, custom OS that is designed for that specific hardware? How can we be sure it isn't packed in with all the amenities of modern systems to prevent these basic vulnerabilities from being exploited? We can't, and as a result, IoT devices like those I've described have become some of the easiest targets for exploitation. Rust shifts the responsibility of memory safety off of the system and off of the programmer (except for explicitly unsafe code) and places it on the compiler. That way, we can have incompetent Rust programmers and incompetent OS developers be prevented from exposing simple exploits by using a competent compiler.

​@@diadetediotedio6918 Yeah there have indeed been less memory vulnerabilities in Android after they've switched to safe languages 80% of which were Java and Kotlin lmao.
As to why not switch? oh idk maybe Rust not having even remotely the same support as either C/C++ only being able to target a limited number of architectures not having a stable ABI and having a tiny developer population (despite what the internet will tell you) .
Rust is a new fad language its tbd if it actually grows up into a usable language like Java or C++ or dies a painful death like Pascal or Ada for now you're better off using industry standard languages and investing in security tools.

Exactly!
That's one of the main reasons why I prefer C/C++.
Their syntax is much readable and easier.

@@matyasmarkkovacs8336 Rust's syntax is like a fusion of Python, JavaScript and Lua with elements that look like C++.
Also introduces concepts that don't exist in other languages. That's very uncomfortable.

I'm sure you only say that out of familiarity with C. When I first learned C in 1982 it's syntax look very esoteric to me. I had been used to BASIC, ALGOL. PL/M and assembler. To my mind Rust looks superficially quite a lot like C, just cleaner and nicer.

@@matyasmarkkovacs8336 Funny, I feel totally the opposite. I'm happy with C but C++ is hideous and often very hard to read.

​@@theabyss5647like the borrow checker or zero cost abstractions? Those features of Rust (unique to Rust I think??) are freaking amazing!

Should be fixed, thank you for that.

Sure but if the source code is from a safe language, then the binary's implementation of the pointers will also be safe.

@@LowLevel-TV But the binary is not safe. It's machine code. It can never be 'safe'. For example, In order to prevent over indexing to an array off a pointer the machine code has to check the index every time. Hackers would have to go out of there wait to include that check.

@@lucidmoses Static analisis can do a ton

Hackers don't modify the binary directly most of the time, except maybe people who crack local software.
Try to imagine a hacker talking to some C program on a remote server, not having the permission to do anything else: they don't even have access to the binary. Then exploits like buffer overflows can be fatal to the software, since hackers just need to feed the program some malicious input and they'll be able to get their way into your system by making it execute a function _you_ wrote.
So yes, it does matter a lot to have memory safety in regards to security. It's not about making the binary itself safe no matter the modifications you might do to it, it's about making your program secure _at runtime_ so that hackers can't exploit it with malicious input. And it turns out that a lot of these security problems are related to memory safety problems.

@@lucidmoses Rust does runtime array bound checks.

Thank you :)

But, go is better than rust.

I program assembly on retro game consoles as a hobby and I'd argue it's even easier since you usually know in advance how much ram you have from the beginning. A few techniques I've come up with are:
* A "dummy" function that immediately returns. This is useful for padding jump tables or loading as an interrupt vector when none is needed, in the event of a spurious interrupt
* Using a bitwise AND to constrain an array index to always be in bounds before performing the lookup.
* Don't allow bad input to begin with, rather than trying to fix it later.
* If you suspect the user may misunderstand what to do, either rephrase it or make what actually happens the same regardless. For example if I ask a user for a file name, rather than just saying "Don't include the file extension" I'll secretly strip it off then append it back. That way, regardless of whether the user enters "MyFile" or "MyFile.txt" the program turns it into "MyFile.txt" before going any further. The user doesn't need to be "correct" about how to do it!

If you don't mind, could you explain how DOP and data validation solve the issue of memory safety and bugs?

Yeah...
At least Ada has a very nice and easy to read syntax, while Rust's right the opposite.

@@matyasmarkkovacs8336 Have you ever tried to write a non-trivial program in Ada? It's *exhausting*! At least when writing Rust I don't have to look into the *****FUCKING LANGUAGE SPEC***** because I chose one of three redundant but slightly different ways to pretend to have inheritance instead of another.

@@АнтонГусев-н5ю I have seen some complex source codes in Ada, and it's still much more readable than Rust in my opinion. Ada uses keywords wherever it can, instead of symbols.

​@@matyasmarkkovacs8336 what do you mean symbols? The only Rust specific symbol I can think of is ', but its impact is minimal.

Wow, spoken like a true entitled and infallible being...

Your "thing inside a helmet" is infallible...?

How safe Javascript is has nothing to do with Javascript. It depends entirely on your browser. Unless you wrote your own there is NOTHING you can do about that.

True that

It's what gives Missingno its iconic look. Although it was obviously unintentional, the game took some section of ROM and ran it through the sprite decompression algorithm. It's like if you could typecast a word document as a JPEG and get a bunch of noise as an image.

same honestly.

Laughs in memcpy

Malicious in what sense? That they're purposefully leaving a backdoor so that they can come back later under a different alias and release their malware for it?

@@erikkonstas that would be one way. Purposely leaving a means of hacking the program.

It has a garbage collector, I don't see why not

nah we dont like checks they make us go sssslowwww

@@SomeRandomPiggo Garbage collector prevents memory leaks, not memory corruption bugs

Go is a memory safe language, yes.

@@tf9350 Isn't that a fault of the hardware?

hahahah all noobs program in C with 0 knowledge about how machine code works and then complain boohooo i have memory leak boohooo i cant allocate memory

Literally, I thought this guy would be a bit less shilly about Rust... Oh boy I was wrong. 😆

Yes. Unsafe blocks are such a great feature. It gives an option for the developer to access memory however they want when needed. It creates something like a "danger zone", or "do not touch unless you are experienced enough to know what is happening here" zone. I think it makes it easier for junior developers to implement features in low level code.

C plus a decent linter and fixing such warnings results in memory safe. You don't really NEED a whole new language to do this. Just use better static analysis.

@@kayakMike1000 the language *is* the static analysis. features like lifetimes and specially dedicated unsafe blocks are pretty much absent in other languages as well.

@@kayakMike1000 Static analysis on C has a very limited insight depth and will always have a severely limited insight depth, you can make it work on toy programs comprehensively but it just explodes out of bound as the space that needs to be analysed gets larger. You'll always have leaky, overly permissive C analysis to some degree. You can't even prove aliasing on a C program. The one way you can fight this is a language that leans on the more restrictive side and puts analysis walls that don't need to be traversed, you only need to analyse both sides of the wall separately rather than across the wall. It was a decades long debate whether such a more restrictive language would be a complete menace to actually use, but now such a language exists, and it's fine, it's nice, it covers the usecases of C. It's worth celebrating.

Memory safe languages? You mean unicorns.
Memory safe languages don't exist. Yes rust has nice statistic analysis and runtime environment but even then you can still Fuck up and in kernel level there is no such thing as a runtime and direct hardware access makes any sense of "memory safety" meaningless.
Correct code is memory safe code, there are only languages that help you write correct code but no correct languages.

Good point!

Also you can get a middle of the road approach by using tooling like static analysis, valgrind and alike! Those catch a bunch of memory bugs.

You can do all that in Rust, as long as you put it in an unsafe block. The point is that when you write code like that, you have to thoroughly review and test it to make sure it won't crash or allow for exploits, so Rust keeps these code sections small, contained and clearly marked. But it doesn't prevent you from doing anything you need to do with the hardware.

Ins't unsafe rust just as free though ? I'm just a beginner with it but what I've like the most about rust so far is that any compromise you make is intentional and obvious. Get controll when you require it and deal with the responsibilities of that only when its required.

@@yondaime500 Yes, the same way it is possible to write safe code in C, it is possible to write unsafe code in Rust. But, for example, in Rust to write to an arbitrary address or to reinterpret an array as another type you need to do all these things and almost trick the compiler, while in C you probably won't even get a warning, the compiler assumes you know what you're doing. C has lots of undefined behavior for the same reason, it allows the compiler to optimize much further. What's different between the languages is their focus, Rust focuses on security, C focuses on control. Both of them are extremely useful and will keep being used.

I think that's too much of a fact to be considered a hot take lol

to be fair, C89 and C99 are a lot simpler than some of the more recent versions. Just do be sure your macros are doing what you think they're doing.

Dude when I first discovered volatile in C++ it had taken me 15 hours of debugging to figure out that the compiler had completely optimized away my code 😭

C does make for some fun programming experiences.

That's why I love assembly, you can do a lot of sleazy stuff that would make computer science teachers faint at the idea! Like memcpy() entire functions. Good luck doing that in C.

@@williamdrum9899 i am sure there ways to do it in c like just use inline assembly (x86 :( )

@@williamdrum9899 I did once write a function into a file, read it into a buffer, set the memory to be executable and ran the function in C

IDK who it was, but I watched a while 40 minute video on a security flaw in a core Linux kernel dependable that existed because strings in C are null-terminated arrays, yet the programmer somehow allowed the user to set that null terminating byte. I forget exactly how it went, but by setting that byte to be something else, the terminal would--with a bit of fiddling--run the next command as sudo. It was very well explained, too bad I can't remember the video name.

That's because its bs and fantasy thinking.
To write both code to execute and the adress of that code precisely at the return adress of the stack using an overwrite at an unknown area of memory is near impossible.
It's pure luck when *if* it happens.

Rust is a great language!

@@LowLevel-TV Sadly the devs are chomos

@@bravefastrabbit770 wtf you mean ?

Same

Rust is great and so is C. The learning curve with Rust can be difficult but rewarding

Having null pointers isn't really memory safety, that's just a feature of Go

You probably had a null object and tried to use it. That's something that happens on most languages (Java, Javascript, C#, Python, etc).
One thing that could be mentioned on another video is memory leaks, which is still possible on garbage collected languages, albeit it's rare (involves specific instances of circular references as far as I know).

Fair!

How is that simple compared to Rust where I only need to run the compiler?

@@valcron-1000 you don't need to rewrite your existing code in Rust
and well, a lot of software is maintained for multiple decades if not even longer

@@valcron-1000 The rust compiler is doing more or less the same, but it's already set up. How to make that just as simple: Just like rust, configure the build system to run all the tools you need. I have a "template" Makefile that I use on most project, just adding the static analysis tooling there gets.

@@valcron-1000 Friend. In actual company there is always paid devops or geek who will make 1 command or 1 button function to do all possible checks.

1) You're literally trying to predict the future.
2) Wow, imagine every little change in code triggering a whole certification process, like time and money is inconsumable...

@@SimonWoodburyForget are you comparing the speed of a GC with smart pointers? Smart pointers are still much more efficient than what a typical GC does. And also in C++ standard library, the only smart pointer that has some cost is the shared_ptr. The unique_ptr and weak_ptr are zero cost which means they're as fast as raw pointers. And there are also atomic implementations of shared ptr like pointers that perform faster than standard library's shared_ptr. So not many problems in that regard.

@@SimonWoodburyForget so doesn't rust call any destructors when trying to end the life of an object?

What parts exactly do you find horrible ? The language makes total sense to me

Still a better option than working on a C codebase that abuses macros like hell. That said, there are always simpler options like Zig and Odin.

Both C and Rust give you the same level of freedom, what do you mean?

@@Cookiekeks rust is sometimes a bit too restrictive with its safety measures (at least for me), while c is so permissive that even with pedantic warnings i still sometimes end up with programs that behave strangely

@@luna197-old What is still restrictive when using unsafe?

@Peter I do not know anything about this, what is MISRA and AUTOSAR? Also, why does Rust not have a formal specificatio

*cries in assembly*

because the people that write in C are not supposed to be potatoes with 0 knowledge in computer science if you want "easy" life go with python

@@allocator7520 Python is even worse, the error messages don't give info other than it being a traceback

@@maybeanonymous6846 c:

Rust doesn't stop you from making mistakes, it just lets you know immediatly.

I'd rather my mistakes happen at compile time than at 4am when things start breaking in production.

Wouldn't you prefer to get educated on why what you did was wrong, rather than going about your life blissfully unaware that there's something wrong?

You would need a new syntaxes and semantics to fix a lot of c/c++ issues. The compiler does not have enough information leading to false positives or lots of missed positives. That being said turn on all the warnings you can and run with sanitizers. They are helpful just not as helpful as Rusts tooling.
The issue with C++ is that smart pointers are good but limited. They only provide ownership with allocation. If you are not allocating then they don't work to convey ownership. This is an issue for embedded or performance critical areas that don't want or can't deal with allocation.
There are other limiting factors as unique pointer has some overhead vs a raw pointer. Shared pointer is always atomic even when you are not in a threaded scenario.
Some times you just want to pass a pointer around and still convey ownership with no overhead. This is what Rust can give you that C/C++ cannot.
Some side note issue with c++ smart pointers are nullability. When receiving a smart pointer they can be empty thus a null check is needed for every(safe) use. This makes api's a bit more unlear.
A better solution is to use optional with your smart pointer but in c++ this takes up extra room and does not even remove the extra null check.
In rust sizeof(&T)==sizeof(optinal) ==sizeof(box) == sizeof(optinal). This allows for no overhead when passing a pointer that can be missing. It also makes it clear when you have to check the pointer for nullability leading to less redundant checks.
Hopefully that makes sense

@@dynfoxx Ah okay thank you for the nice and organized response. I'm still technically new to programming since I started 2 years ago (1 year to experiment learn basics phrases such as IDE and use multiple languages, and another year to understand concepts more such as OOP, learn Linux, and slowly reaching a level of intermediate although I'm still a beginner in various ways).
I do not fully understand concepts such as threading, multi-threading, cocurrency, and atomic but I'll look more into them with key things you wrote about Rust.
Forgive me but I have a hard time reading Rust syntax so I do not fully understand the code you wrote I just interpreted it as Rust doing the redundant checks for you. With that being said I'll keep what you wrote in-mind and if I ever need to work on things that requires tools that C++ doesn't excel at then I'll think about using Rust for the job.

@@doomknight233 Yeah not a problem if you have questions just ask. It takes most people a while to fully understand concepts so take your time.
Threading is difficult to wrap your head around at first. People have a lot of different ways to explain so let me know if this makes sense.
Think of threads as different people in a podcast or radio show. Each one can do different things but in the end it comes out to one audio stream. When you talk over each other it's unclear what it will sound like. How do you solve this?
One way is to only let one person talk at a time, that Is a mutex. Noone can be talking and everyone can just listen, in that case there is no issue. You could have individual microphones for each person, this would be attomics, thread local or something like that.
Hopefully that makes sense to why there is a problem. Atomic are a bit hard to explain but think of it as a mutex for small data.
Think if box as a unique pointer but otherwise it's basically just the same as c++ for sizeof. & is a pointer to some generic T.

No, it isn't. ;-)

On an embedded system you have to be able to randomly access hardware registers. That's far easier than you think, but you just have to LEARN that skill. You can not expect library developers to take care of everything for you that requires actual LEARNING. And even if you could, you shouldn't because eventually you will be a better coder than those library developers. Most libraries for embedded systems are written by disinterested semiconductor company employees. They are underperforming and buggy. Not to mention that most embedded hardware is buggy and you have to find workarounds for YOUR application.