Thursday, November 27, 2014

Secure Systems

Linux is not secure. C and C++ are not secure. Python is insecure. Your C compiler and your entire OS are insecure, with backdoors that go back multiple decades. [shellshock] [the ken thompson attack]

Linus's Law states that "given enough eyeballs, all bugs are shallow". In response to Heartbleed, Eric Raymond gets defensive and says "there weren't any eyeballs". The fact is that there were eyeballs on that code, and the bug slipped past both the eyeballs and the C compiler.

In order to run secure programs, we need a system stack that can be quickly read by a single person - from the kernel and hardware drivers, all the way up to the application level. This cannot be done with conventional operating systems, libc and the unix stack.

Bare Metal Rust

"even unsafe Rust is safer than C" - 27:15 - Striegel

The video above by Ben Striegel is a great introduction to Rust, and why it is here to replace C/C++. An application written in Rust and running directly on bare metal without an operating system is the most secure way to run your application.

RustOS by Ryan Rasti and Tifflin by John Hodge are just two examples of Rust-based operating systems. These are very lightweight systems, and it is possible for one person to read all of their source code, including the unsafe parts written in C and assembly, and ensure they are secure.

Introducing Rusthon

Rust is a systems programming language, and it is too low level for quick prototyping or simple web backends. It is nice to have all of the low level control so you can fine-tune performance later, but it should be optional. Rusthon is a high level Python-like language that compiles to Rust. Rusthon started as a fork of Gython, which is a fork of PythonJS.

The goal of Rusthon is simple and clean syntax inspired by Python. Rusthon will allow you to code at a higher level than normal Rust code, and interoperate well with hand-written Rust and the Rust libraries. You can start off writing your application in Rusthon, and drop down to hand-written Rust where you need more performance.

Above left: the standard build process is complex and insecure, where source code is scattered among many files along with build scripts that may need to be run in some order. Above right: the Rusthon markdown build process, where one or more markdown files contain multiple programs to be compiled; with a single command these are compiled and packaged into a tarfile.
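The single-command markdown build described above, as an added example that is not Rusthon's own code: a small Python tool that pulls every fenced block carrying a `file=NAME` attribute out of one markdown document and packs the files into a reproducible tarfile, rejecting any name that would escape the unpack directory. The `file=` attribute, the helper names and the sample document are assumptions; this post does not give Rusthon's actual markdown conventions.

```python
import io
import re
import tarfile

# Added example, not Rusthon's own code: the "file=NAME" fence attribute is an assumed convention.
FENCE = "`" * 3  # built from parts so this block can itself sit inside a markdown fence
OPEN_RE = re.compile(r"^" + FENCE + r"(?P<lang>\w+)(?:\s+file=(?P<file>\S+))?\s*$")

def is_safe_name(name):  # reject names that would escape the unpack directory when the tar is extracted
    parts = name.split("/")
    return not name.startswith("/") and ".." not in parts and "" not in parts

def extract_programs(markdown_text):
    """Return {filename: source} for every fenced block whose opening fence names a file."""
    programs, in_block, name, body = {}, False, None, []
    for line in markdown_text.splitlines():
        if not in_block:
            if m := OPEN_RE.match(line):
                in_block, name, body = True, m.group("file"), []
        elif line.strip() == FENCE:  # closing fence ends the current block
            if name is not None:
                if not is_safe_name(name) or name in programs:
                    raise ValueError(f"bad or duplicate file name: {name}")
                programs[name] = "\n".join(body) + "\n"
            in_block = False
        else:
            body.append(line)
    if in_block:
        raise ValueError("unterminated code fence")
    return programs

def pack_programs(programs):
    """Tar the extracted files in memory with fixed metadata so the archive bytes are reproducible."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(programs):
            data = programs[name].encode("utf-8")
            info = tarfile.TarInfo(name=name)
            info.size, info.mtime, info.mode = len(data), 0, 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def tar_members(tar_bytes):  # sorted member names of an archive produced by pack_programs
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return sorted(m.name for m in tar.getmembers())

SAMPLE_MD = "\n".join([  # constructed sample document: two programs plus one unnamed, documentation-only block
    FENCE + "rust file=src/main.rs", 'fn main() { println!("hello"); }', FENCE, "",
    FENCE + "rust file=src/util.rs", "pub fn twice(x: u32) -> u32 { x * 2 }", FENCE, "",
    FENCE + "toml", "# unnamed block: documentation only, not extracted", FENCE,
])
```

Running `pack_programs(extract_programs(SAMPLE_MD))` yields a two-member archive whose bytes are identical on every run, which is what makes the single-file build auditable by one reader.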