Well, you're scratching at the surface of propaganda and its methods here, but its not the same story-- they added that it was now confirmed by...checks notes..."the authorities", whose/what authorities? authority of what exactly and so forth is sort of important here, but that's the new part of the story and supposedly why its being re-run, they added "authorities have confirmed" and its a new story.

I clipped most of what you said as redundant, but it works out to be basically the exact same thing as if they hadn't switched to rust or at least that's the case so far. Additionally, IE/Edge's code base is the newest, not Stylo (2019 when they again switched engines to one chromium based v. 2017)

I didn't overly comment on it because I left it as a task for myself to investigate more, but the UaF in question in framing, at least in theory, is something that Rust could realistically encounter. The way the objects work is basically two pointers, one to the data and one to the virtual function table. A temporary object can exist and it can be typecast to another type, which is essentially a second pair of pointers with a different pointer to a different virtual function table. Ideally, scoping rules should prevent a confusion on the part of the machine in terms of which object you're referring to-- you can't access the temporary object outside of its temporary scope, but this is actually something relatively common especially in amd64 architectures where the optimizer concludes you're done with a temporary and omits language specific code that would have made things safe (akin to the omission of an explicit NULL pointer check because analysis concludes the pointer has already been dereferenced), which results in a dangling pointer being held in a register that you end up using. There's nothing as far as I could tell in Rust that protects you from that because there aren't any borrow checking related rules that prevent it and its using the same backend for machine code generation as C/C++. This will likely become more applicable as they move towards supporting dynamic inheritance, but as I said, I mostly omitted my thoughts after review because its too soon to speak and I wanted to research it more.

And as it turns out, many types of typecasting operations where the only way to do so is to use unsafe, which is why even though I agreed with you it was probably in the C++ code that it at least in theory could have been in Rust. I'd have to go back through my notes, but a lot of people seem to be using std::any and something along the lines of as_ptr which is unsafe and the borrow checker won't protect you from mistakes under such circumstances-- things like this, a very common operation arguably necessary in many use cases/design patterns that forces people to rearchitect everything or use unsafe is likely why there's probably a decade or two's worth of these types of discussions. Put simply, for integration into real-world software, it seems in many ways Rust isn't ready and where it is it commonly requires the use of unsafe in order to meld it into an existing product. I suspect it will probably be 10-15 years or more before we see their javascript engine rewritten if they ever do it at all for precisely these sorts of reasons, and when they do, it will likely produce more bugs than their C/C++ counterparts.

This is true to varying extents, but I don't think you realize how common some patterns are and the extent of redesign that will be required. Just as a (bad) example but one I have off the top of my head, the entire journald journal format is written using flexible array's (this is a C structure that has a trailing array element of zero length, where the idea is you can get the offset to the beginning of the array but its contents will be dynamically filled in and its length calculated at run time). To interoperate with this in C++, which doesn't support this concept due to a stricter typing system, I had to wrap the code in question with pragma's that ignored warnings. To convert such a system to Rust would entail a dramatic redesign because its central to the way the piece of software operates and the language view of things is that every or nearly every write is actually to an out-of-bounds address. This is a bad example, but dynamic inheritance is really common and the related sort of typecasting that is used is kinda sorta supported in Rust and presently mostly relates to using unsafe code, moreover, there appears to be relatively nothing in terms of the language to make the sort of bug that cropped up safe, as I noted, in theory it should be possible even if under somewhat rare edge cases, but it will require more review to definitively discern.

You may be right, time will tell, but what I've seen so far is that interop with C++ is probably something mostly here to say at least for the next 10-20 years, maybe longer. Moreover, my guess is that when we get down to brass tacks that we will find that unsafe code ends up being so common that you end up with more memory bugs, not less.

You may be right, but I probably wouldn't get my hopes up. My guess is that in a few years or so we re-encounter each other on the forums under a story headline questioning the future of the language once Mozilla finally tanks and the community steps up to entirely OSS/FS it, which basically ends up killing off language extension and keeps people using unsafe constructs forever.

Yes, and while I'd say the bias in theory should be minimal your point is not entirely incorrect. So, I took a look at CVEs for the three projects and noted the following, for the preceding four years (the same length as now being compared with rust/c++):

- Chrome had the newest code base having forked from Webkit to Blink in 2013
- Firefox had the oldest code base, originally extending from Netscape in something like 1998
- Firefox had 9 memory related vulnerabilities in its CSS engine dating back to 2013
- Chrome and IE each had 4 memory related vulnerabilities dating back to 2013
- During the timeline of 2013-current, IE experienced a major revision in the form of Edge with no discernible impact on the security of the CSS engine

Thus, to some extent, we can say that the IE and Chrome codebases are relatively immature and fairly new themselves, yet fared better solely in terms of number of memory corruption vulnerabilities relative to Firefox. This is likely due to Firefox having a more or less inferior development process relative to the high-dollar development models at Google and Microsoft. In other words, in theory, assuming the vulnerability existed in C++ code wrapped by Rust, the Firefox code base was the oldest/most mature somewhat taking away the argument relating old C++ to new Rust.

Reviewing the timeline in its entirety per the view of CVE, IE and Firefox had listings dating back to 2002 whereas Chrome only extended back to 2010. Of those listings, I found:

- The numbers were basically the same with each having between 22 and 28 vulnerabilities listed in their CSS engine
- Firefox had the fewest overall from 2002 through 2013 however IE only had 2 more for the same duration
- Firefox should have been the most mature code base dating back to ~1998
- Chrome inarguably had the worst with 28 vulnerabilities since 2010; This is accounted for by the fact that they were using code written by Apple until 2013 and Apple's coding efforts were extremely subpar and relatable to Microsoft coding practices in the 1990s[1]. Of the 28 total vulnerabilities, 2011 had 15 of them alone however basically the instant Chrome switched to Blink these problems more or less vanished, with 4 total vulnerabilities in the CSS engine since
- IE averaged about 2 memory vulnerabilities per year basically all the way back to 2002 with the notable exception being 2006 where they had 7
- Over the entire timeline (2002-current), IE has probably had the most number of significant changes due to major rewrites and similar
- Microsoft, since the early to mid-2000s has also been the industry leader in SDLC efforts and puts a lot more effort/planning/testing/etc into development for important products like IE than basically anyone else anywhere

It's hard to say with any certainty because the bug in question is marked private in the Firefox bugzilla. I'd venture to guess you're correct, reviewing the details of what is publicly available it says the UaF comes about as a result of an invalid typecast producing the memory error. This likely means something akin to a temporary object being created which is destroyed and a pointer to it retained even though the original object is still valid and exists. I briefly spent some time looking at the possibility that such a thing could occur in Rust and my initial impression is that it maybe could but the odds were higher that it was in C++ code.

While Rust supports the type of typecasting necessary and indeed has the concept of temporary objects, it doesn't really allow the flipping back and forth between types by typecasting that C/C++ permits, its typically a one way operation and doesn't seem to have the same feature set in that its mostly static typecasting versus dynamic typecasting-- however the specifics of implementation are that an object is basically split into two pointers, one to the data and one to a virtual function table, so the possibility theoretically exists that something similar could occur in Rust-- however if it did, it would most likely be the byproduct of using something marked unsafe.

Still, however, it seems most likely that this is a C++ bug in a very mature CSS engine that is interfaced/wrapped by Rust. Most interesting, to me, is that my brief tour of whether this was possible in Rust seemed to suggest that in theory it could be, there was nothing specific about the borrow checker or similar that would seem to inhibit it but rather a lack of existing functionality (which is being actively requested), so this sort of thing very well may turn out to be a type of memory error that can be found in Rust, but that is highly speculative and forward looking.

That mouthful said, I don't find "but its still in the C++ not the Rust!" to be a compelling argument as there is some reason that the Rust was interfacing with the C++ which would imply some constraint or deficiency in the language causing it to be dependent upon the C++ (even if that is simply that other components haven't been rewritten yet); put more simply, maybe so but you can hardly tout the safety of a language and then excuse it from accountability when it has a dependency on another language which introduces the vulnerability.

[1] When the iPhone was first released there was a vulnerability stemming from the difference in byte counts in multibyte character sets that could result in an off-by-one when receiving text messages, which would in turn corrupt video memory and cause the screen to start rolling. This suggests a lack of very basic testing done in most professional settings because its a very trivial bug in a very high-risk code path, moreover, that the impact was that it appeared to overwrite video memory meant that the entire design of the product was deficient and akin to the Windows 9x days when protected mode was a to-be-implemented feature except the iPhone came out in the late 2000s (2007-2008) and not the mid-1990s. Additionally, in a past life I had a job where a significant part of my work product was analyzing public vulnerabilities to discern IPS coverage and noted that Apple frequently had vulnerabilities in OSS/FS they had co-opted which didn't have a related OSS/FS vulnerability for the main-line package. While trying to discern why, I discovered that Apple would take an existing software package and write a few hundred lines of C/C++ and continually managed to introduce vulnerabilities in trivial amounts of code. Basically, Apple was extremely late to arrive at modern C/C++ coding standards and their code bases typically reflected such. Their products and quality today have dramatically improved.

I'd also add that a lot of what they've done in moving things to the .net CLR was done almost transparently as a compiler option via C++/CLI, so for the most part to most of the developers the change was entirely transparent and required them doing little to nothing differently.

This doesn't include other things like pointer tagging, control flow integrity verifications, MPX extensions in Intel, shadow stacks, et cetera. Moreover, a lot of people fail to acknowledge how much better typical C/C++ code is versus 10-20 years ago-- I just did the metrics and looked at CVEs for commonly attacked components and found that MS Office across its entire product suite and across all versions (2003-current) has averaged about 1.5 memory corruption vulnerabilities per month, whereas the browsers are averaging about 5-- which is a dramatic improvement over 15 years ago where I recall getting hit with sometimes 5-6 different office 0days in a week.

Finally, while reviewing the same subject, I found that the CSS engine that Firefox rewrote in Rust in 2007 ended up having the same number of memory corruption vulnerabilities as Chrome's and 1 less than IE/Edge's, which is to say that they spent two years developing a component that ended up with basically the same number of memory errors as people who didn't-- its a short timeline, only 3.5-4 years, but still illustrative.

We will see, Rust should do better over a longer timeline than Java did because the JVM was a massive environment that was written in C, but sorta Java specific vulnerabilities like deserialization issues cropped up-- either way, Java ended up deprecated and considered a massive security vulnerability for the most part. While I expect Rust will fair better, I don't expect much different. The entire thing makes me think of a development firm that is failing to the competition and desperate to find some way to differentiate itself.

Source: https://jnf.livejournal.com/21...

Since the integration of the Rust CSS engine in Firefox in 2017, its had the same number of memory corruption security vulnerabilities as Chrome's CSS engine and 1 less than IE/Edge's engine over the same time period. It also managed to introduce a variety of lower severity logic errors presumably from being an immature code base. While the timeline is still short and so a definitive conclusion is hard to reach, at the moment it seems hard to justify the 2 year process going into producing that CSS engine when it resulted in literally the same amount of memory corruption vulnerabilities as a CSS engine that didn't.

I would expect that integration with the kernel will probably be easier as the environment is different, but I think there's probably at least a decades worth of memory corruption vulnerabilities to be found in Rust code and especially Rust code that integrates with C/C++ code, which doesn't include whatever defects turn up that are specific or nearly specific to Rust itself.

This holds especially true given the dramatic improvements in security in typical C/C++ over the past 10-20 years, and given suitable alternatives like Google's MiraclePtr which will likely be more effective at mitigating UaFs than Rust proves to be at least in the near term. Upon reflection, it feels like Rust is a language that is 20 years too late.

Put simply, thus far, in actual real world usage the reality hasn't lived up to the hype.

Source: https://jnf.livejournal.com/21...

is that they generally don't know wtf they're talking about; I only looked at the part on buffer/integer related overflows; where they take the moment to not only give me flat out wrong advice, but also see fit to try and propagandize me:

"This codelab doesn't cover overflow vulnerabilities because Jarlsberg is written in Python, and therefore not vulnerable to typical buffer and integer overflow problems. Python won't allow you to read or write outside the bounds of an array and integers can't overflow. While C and C++ programs are most commonly known to expose these vulnerabilities, other languages are not immune. For example, while Java was designed to prevent buffer overflows, it silently ignores integer overflow. "

The thing is google of all organizations, and specifically appspot should know better. I mean, I already told them. I mean seriously, look at this.

Of particular interest is: http://bugs.python.org/issue2620 ... reported: 2008-04-11 22:35:37 bug closed: ?????

Just stop with this incessant bullshit 'lol hey my program-by-number language of choice doesnt have memory corruption security issues@#@!#'. It's all assembly at the end, and the processor does whatever you tell it, so everything has this problem. I thought this would be clear from my work, Dowd's actionscript work, nemo's obj-c work, ilja's pascal work, brezinski & mcdonalds ruby work, et cetera.

In short, when you try to talk about things you don't know, especially in the realm of security; you do more harm than good.

Actually, no. The police do not have this authority, it's only ICE who does, who in turn delegate out the authority to local police. MCSO used to have this ability, until they abused it and got the authority stripped from them. So in essence, this is a F-U back at the feds. Furthermore, 'reasonable suspicion' and 'any legal encounter' doesn't necessarily mean really anything. Simply interacting with a cop is enough; no need to do anything illegal. Past that, the reasonable suspicion part comes in-- probable cause was already vague enough (who is to say the car did or did not smell like pot, or that your trunk was not low to the ground [mobile meth lab], etc). So this is an even lower bar than an already ridiculously lower one. Sure you're not supposed to base your suspicion entirely off of race; nevermind that MCSO will just ignore that part, but okay, you have an accent and are brown, thats reasonable enough! So in truth, actually yes, it does give the police new powers.

You seem to think a year is a long time in really almost any court case, much less one that encompasses an entire police department and last month was expanded to include the county attorneys office. Just wait, it's coming, the only downside is that he'll go to a federal pen and not one of his gulags. As for the why he had his authority removed, and I realize this is a stretch of brain power for the avg 96.4 PHX IQ, but maybe, just maybe its because what he was doing is illegal. You know illegal isn't a race right?

Except that AZ law essentially requires you to have an ID on you. (ARS 13-2412 and ARS 13-2403 can be used to require ID from anyone 'lawfully detained', which basically means anyone).

I encountered this several years ago while in Phoenix taking pictures from a parking garage without ID on me. Yes, it was a long night.

whats likely missing in the stories that obama et al are aware of is the context surrounding this. The states largest and most populist counties sheriff is under investigation for a myriad of things, including violating civil rights while investigating illegal immigrants. While this may not sound like a big issue, you also have to realize that he's ignoring other things like felony warrants to wage a war on illegal immigrants (read: mexicans). So what does this have to do with anything?

He used to be the ICE poster-boy, until the investigation/lawsuit/et cetera, where they stripped him of his authority to enforce the federal level law (only ICE is granted the authority). So an easy way to get around that 'problem' is to make it a state law which regrants him the authority to do this; bonus is that it is sufficiently vague enough that he can continue his racial profiling and just has to keep mum about whether it was the *only* factor involved.

There are a couple key points here that are missed without context that essentially everyone is missing it.
Maricopa Counties Sheriff has been on a 'arrest all the mexicans!' bender for some time; he's currently under investigation by DOJ for a variety of things, including civil rights violations, racial profiling, using department resources to wage war on political rivals/basically anyone who disagrees with him and this in turn caused ICE to strip him of his authority to arrest illegal immigrants (By federal law, only ICE has this authority).

So the response? Okay we'll make a state law and make it sufficiently vague that we are essentially legitimizing his practices (a prior quote of his was telling AZ citizens to arrest any mexican they saw driving with a cracked windshield [horrible advice, citizens arrests are just asking for lawsuits/charges]).
Some interesting reading:
http://www.cbsnews.com/stories/2010/01/08/politics/main6071928.shtml - Sherrif Joe Arpaio Facing Investigation

http://www.washingtonpost.com/wp-dyn/content/article/2008/07/16/AR2008071602636.html - Ariz. Sheriff Accused Of Racial Profiling

http://www.azcentral.com/arizonarepublic/news/articles/2009/03/15/20090315arpaio-politics0315.html - Feds' new tone puts Arpaio in hot seat

http://www.aclu.org/immigrants-rights/sheriff-arpaio-sued-over-racial-profiling-latinos-maricopa-county - Sheriff Arpaio Sued Over Racial Profiling Of Latinos In Maricopa County

http://www.phoenixnewtimes.com/arpaio - series of articles concerning the sheriff's activities .. like 15 years worth.

http://crooksandliars.com/logan-murphy/ice-strips-sheriff-joe-arpaio-immigra - ICE Strips Sheriff Joe Arpaio Of Immigration Enforcement Powers

et cetera, just hit google.

Also, while you're correct that the feds have the ability to throw up checkpoints, its *supposed* to only be legal within 100 miles of an international border; although in practice they just do what they want anyways. (i.e. on a bus trip from Seattle to Phoenix the bus was stopped by ICE in far northern Utah, everyone white was allowed off without much of a question, everyone who appeared mexican was in turn given the 'royal treatment')

around the same time ICE stripped Maricopa counties sheriff of his authority to arrest illegal immigrants (only ICE has this authority under federal law) due to his questionable human/civil rights practices. So everyone who keeps pointing out that it was already existing federal law is neglecting that he was essentially deputized by ICE to make immigration arrests and that this law was not necessary *until* he started violating other laws and ICE said 'okay no more' when DOJ et al started investigating him, MCSO and the county attorney's office (indictments are expected for all of the above) for ... (wait for it) violating civil rights while enforcing immigration standards (well the investigation is more encompassing than that-- it also includes things like using police resources to essentially wage war on anyone who disagreed with him/political rivals). Only *then* did the law become necessary, because he couldn't continue doing what the federal government already said was illegal for him to do. Plus the way the law is written, it legitimizes his practices of racial profiling and such. Yes I am aware the law says it cannot be the *only* factor. However anyone that makes this point has never dealt with MCSO or the overall corrupt government in that state.