Thursday, November 27, 2014

Secure Systems

Linux is not secure. C and C++ are not secure. Python is insecure. Your C compiler and entire OS is insecure, with backdoors that go back multiple decades. [shellshock] [the ken thompson attack]

Linus's Law states that "given enough eyeballs, all bugs are shallow". In response to Heartbleed, Eric Raymond gets defensive and says "there weren't any eyeballs". The fact is that there were eyeballs on that code, and it slipped past the eyeballs and C compiler.

In order to run secure programs, we need a system stack that can be quickly read by a single person - from the kernel and hardware drivers, all the way up to the application level. This can not be done with conventional operating systems, libc and the unix stack.

Bare Metal Rust

"even unsafe Rust is safer than C" - 27:15 - Striegel

The video above by Ben Striegel is a great introduction to Rust, and why it is here to replace C/C++. An application written in Rust and running directly on bare metal without an operating system, is the most secure way to run your application.

RustOS by Ryan Rasti, and Tifflin by John Hodge, are just two examples of Rust based operating systems. These are super light systems, and it is possible for one person to read all their source code, including the unsafe parts written in C and assembly, and ensure they are secure.

Introducing Rusthon

Rust is a systems programming language, and too low level for quick prototyping, or simple web backends. It is nice to have all of the low level control so you can fine tune performance later, but it should be optional. Rusthon is a high level Python-like language that compiles to Rust. Rusthon started as a fork of Gython, which is a fork of PythonJS.

The goal of Rusthon is simple and clean syntax inspired by Python. Rusthon will allow you to code at a higher level than normal Rust code, and interoperate well with hand written Rust and the Rust libraries. You can start off writting your application in Rusthon, and drop down to hand written Rust where you need more performance.

Above left: the standard build process is complex and insecure, where source code is scattered among many files along with build script that may need to be run in some order. Above right: the rusthon markdown build process, one or more markdown files contains multiple programs to be compiled, with a single command these are compiled and packaged into a tarfile.


  1. Whether it be an OS or a bare-metal run-time library, a developer still depends on the code of someone else to develop his app. Not all coders are going to verify their libraries/stack to ensure it's perfect. It just takes too much time. Moreover, I'm sure the number of coders that are competent to review bare metal libraries is a small one. Infrastructure is infrastructure, either OS or a bare-metal run-time library, they're both going to be susceptible to malicious modification.

    "There is a lesson here for ambitious system architects: the most dangerous enemy of a better solution is an existing codebase that is just good enough." --esr on Plan 9

  2. may be it will be interesting for some to take note of another language called haxe (see ), which is a C#/Java like language. It has a good active and vibrant community ( see!forum/haxelang ) .

    Haxe language COMPILES TO "PYTHON, C#, Java, C++, PHP, Javascript, Actionscript, Neko, Flash".
    Single source code written in haxe can already target these many languages. It is very easy to add new language targets. haxe to C, haxe to ruby , haxe to lua , haxe to swift -convertors are already on the way.
    There was an attempt to make a new target "haxe to rust" convertor (see ), but later it was abondoned(deleted). But still it is nice to target so many languages from a single haxe source code base.

  3. the above comment of mine was about benefits of "rusthon" vs a plausible target "haxe to rust"

  4. Hi harts, its awesome being able to transcompile pythonic syntax to another language. Why dont you target the haxe language like tardisgo does ? It'll save much your time to debug. And then help the haxe to targetting Go and Rust. :)

    1. There will not be a Haxe backend for Rusthon, here is why:

    2. Is there a plan to make a Java and Objective-C backend in the future ? (For developing Android and iOS App)

    3. There is a plan for a Java front end, so you could import something like libGDX into Rusthon, and then recompile to C++.