On Mon, Sep 22, 2014 at 3:45 PM, Manish Goregaokar <[email protected]> wrote:

> As Chris mentioned, it's not about using the type system to create safety.
> We're assuming that exists

The sort of safety I'm describing does not exist in Rust whatsoever AFAIK. The very specific approach I'm referring to depends on dependent types, which Rust does not implement, and which I would suggest you look to for future, post-1.0 food for thought:

https://research.microsoft.com/en-us/um/people/nswamy/papers/gradual-typing-embedded-securely-in-javascript-draft.pdf

> the idea is to gate unchecked access to the data (which *is* required for
> libraries created for generic use) with the `unsafe` keyword.

Many, including myself, have expressed the opinion that "unsafe" is ill-suited to this sort of safety-by-taint analysis and security contexts. In my OP, I suggested it was colluding concerns. This, again, goes back to Chris Morgan's Strange Loop talk. I may be misinterpreting what he was suggesting too; it'd be great to hear from him directly! I think there needs to be a different security context for these sorts of problems.

> However, many seem to be of the opinion that `unsafe` is just for memory
> safety, in which case it would be nice to have a wider range of `unsafe`
> attributes (or something) which allow us to gate methods that are prone to
> SQL injection (etc etc).

Yes, however the cases of SQLi, XSS, and LDAP injection all depend on using untrusted data in trusted contexts, which is a fundamentally different problem from what Rust is trying to solve with "unsafe", and the solutions the type system should pursue to solve these problems are different.

All that said, even in the absence of a dependent type system, I think Rust can *begin* to call these cases out in advance, if only for the benefit of human code review, but with the goal of the eventual inclusion of something in the type system to formally verify these sorts of guarantees. The specific use case is quite clear to me: inclusion of tainted data in secure strings.

There are many systems today in which this would be an error. I can totally understand omitting these sorts of things until there is a formal correctness check in the compiler. At the same time, these are the sorts of cases I feel need to be called out while they're fresh in people's minds.

-- 
Tony Arcieri
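The message above argues that "tainted data in trusted strings" is a different problem from memory safety and that Rust could at least begin to call such cases out without dependent types. As an added example that is not part of the thread, the following shows the weakest version of that idea using only ordinary Rust newtypes: untrusted input is wrapped in a `Tainted` type that cannot be concatenated into SQL text, and the only ways out are binding it as a parameter or an explicit, reviewable allowlist endorsement. The names `Tainted`, `Endorsed`, `Query`, `user_lookup` and the `SORTABLE` allowlist are constructed for this illustration; nothing here uses `unsafe` or any security context Rust does not have.

```rust
// Added example, not code from the thread. Tainted, Endorsed, Query and
// SORTABLE are constructed names for this illustration.

use std::fmt;

/// A string that arrived from an untrusted source (request parameter,
/// file, environment). It implements neither Deref<Target = str> nor
/// Display, so the raw text cannot be concatenated into a query by
/// accident; the only exits are the explicit methods below.
#[derive(Debug, Clone, PartialEq)]
pub struct Tainted(String);

/// A string that passed an endorsement check and may be spliced verbatim.
#[derive(Debug, Clone, PartialEq)]
pub struct Endorsed(String);

impl Tainted {
    pub fn new(s: impl Into<String>) -> Self {
        Tainted(s.into())
    }

    /// Endorsement against a fixed allowlist: the single reviewable place
    /// where taint is removed. Identifiers (column names, sort orders)
    /// need this because SQL bind parameters cannot stand in for them.
    pub fn endorse_identifier(&self, allowed: &[&str]) -> Option<Endorsed> {
        if allowed.contains(&self.0.as_str()) {
            Some(Endorsed(self.0.clone()))
        } else {
            None
        }
    }
}

/// A parameterised statement: SQL text plus positional bind values.
#[derive(Debug, Clone, PartialEq)]
pub struct Query {
    pub sql: String,
    pub params: Vec<String>,
}

impl Query {
    pub fn new(base: &str) -> Self {
        Query { sql: base.to_string(), params: Vec::new() }
    }

    /// Trusted literal SQL written by the developer.
    pub fn raw(mut self, text: &str) -> Self {
        self.sql.push_str(text);
        self
    }

    /// Tainted data enters only as a bound parameter: the text receives a
    /// placeholder ($1, $2, ...) and the value travels to the driver separately.
    pub fn bind(mut self, value: &Tainted) -> Self {
        self.params.push(value.0.clone());
        self.sql.push_str(&format!("${}", self.params.len()));
        self
    }

    /// Only endorsed identifiers may be spliced into the statement text.
    pub fn splice(mut self, value: &Endorsed) -> Self {
        self.sql.push_str(&value.0);
        self
    }
}

impl fmt::Display for Query {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{} -- params: {:?}", self.sql, self.params)
    }
}

/// Constructed allowlist of columns a caller may sort by.
pub const SORTABLE: &[&str] = &["id", "name", "created_at"];

/// Builds the lookup query. Returns None when the sort column fails
/// endorsement; there is no code path that splices `name` or `sort` raw.
pub fn user_lookup(name: &Tainted, sort: &Tainted) -> Option<Query> {
    let col = sort.endorse_identifier(SORTABLE)?;
    Some(
        Query::new("SELECT id FROM users WHERE name = ")
            .bind(name)
            .raw(" ORDER BY ")
            .splice(&col),
    )
}

fn main() {
    // Constructed inputs resembling hostile request parameters.
    let name = Tainted::new("alice' OR '1'='1");
    let good_sort = Tainted::new("created_at");
    let bad_sort = Tainted::new("id; DROP TABLE users");

    println!("{}", user_lookup(&name, &good_sort).expect("allowlisted column"));
    println!("{:?}", user_lookup(&name, &bad_sort));
}
```

The point of the design is not the allowlist itself but where the check lives: because `Tainted` exposes no way to obtain its `&str`, a reviewer only has to audit the handful of endorsement functions to know every place tainted data can reach a trusted context. That is the "call it out for human code review" step the message describes; a dependent type system would let the compiler check the endorsement predicate as well, which plain newtypes cannot.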
_______________________________________________
Rust-dev mailing list
[email protected]
https://mail.mozilla.org/listinfo/rust-dev
