Threads for nickpsecurity

skeptical about Zig code generation eventually being able to surpass either

Maybe it doesn’t have to?

There is increasing evidence that optimising compilers hit diminishing returns quite a while ago. See Proebsting’s Law, which states that compiler advances double computing power every 18 years, compared to the 18 months for hardware advances. That might seem depressing, but it was actually wildly optimistic, the current rate seems to be a doubling for every 50 years, with the interval increasing. And at a cost of a much larger increase in compile times.

See also The Death of Optimising Compilers by Daniel Bernstein of cryptography and Qmail fame. Frances Allen got all the good ones.

The Oberon optimising compiler is 6 source files, LLVM is what, a million lines of code?

For my own Objective-S, I made three attempts with LLVM, and each time gave up, because the cost of using it was just too high. Last summer I broke down and decided to just do my own native compiler. Are there times when I am struggling with some aspect of code-generation or object-file layout that I regret this choice? Absolutely! But overall, both progress and developer happiness are much better.

A couple of points:

• The efficacy of compiler optimisations follows a pareto distribution (see e.g.). Llvm’s investors really need (or, at least, think they need) those extra few single-digit %; if you don’t, you may be able to get away with something much smaller that still works pretty well.

• Llvm is not the be-all and end-all of compilers—it is very much a product of its time, and taking advantage of developments since its creation allow the creation of a compiler generating code of a given degree of quality for appreciably less effort and code. Redundancies in its ir mean that optimisations may, to a great extent, be brute-forced where a more unified mechanism would serve better. The example I always use is this. It is not per se a problem that the code for g is suboptimal—getting that right involves annoying cost models that may not generalise from a three-line function. But it is a problem that the compiler is able to tell the difference between f and g (and note llvm and gcc both fall down in exactly the same way, and for the same reason).

Bootstrapping is quite a goat carnage, and you have to do it, because it moves pretty quickly and regressions are pretty abundant, so your distro’s/Homebrew’s/whatever packages tend to be useless if you want to develop against it, you start getting into weird bugs as soon as you do something non-trivial.

That’s not been my experience in recent releases (after about LLVM 8). I’ve maintained out of tree things that had a small abstraction layer to paper over differences and were able to build against 3-4 LLVM releases. The opaque pointer work has taken a long time to and and was a big change, but it was also supported with a very long (multi-year) deprecation period where you could build code that was conditional on whether the current version was built with opaque pointers or not.

I don’t know how well it works in practice

We use it to bootstrap Zig, so it works at least that well.

what the performance is like compared to the LLVM backend

The C backend compiles Zig code to C code, so performance is up to the C compiler that you end up using.

Go is considered high performance by people comparing it to Python, it is much slower than C++ for a lot of things. The go front end for GCC was much faster for single threaded execution but used one pthread per goroutine, so ended up being slower overall. I don’t know if this was ever fixed.

Zig is MIT licensed, so nobody should have any issue with it.

Thanks. I actually think effect systems are going to find use in the future in many languages. I was thinking of describing eyg as a strongly typed Lua for a while. And dropping the structural editor, but for now I’m keen to keep both experiments going. even if it makes the language a bit more niche in the meantime.

Here’s a temporary pastebin with that program in Rust generated by both ChatGPT’s. Is this good or bad Rust? Or something else entirely?

After writing an OS in C++, I really hate having to go back to C. I have to write far more code in C, and (worse) I have to think about the same things all of the time. Even just having RAII saves me a huge amount of effort (smart pointers are a big part, but so is having locks released at the end of a scope). For systems code, data structure choice is critical and C++ makes it so much easier to prototype with one thing, profile usage patterns, and then replace it with something else later.

a) this started in 2002 when half that stuff didn’t exist, and

b) C++ is a hateful morass of bullshit and misdesign, and that won’t change until they start removing things instead of adding it.

Yes, I am biased. Not going to change though.

It’s been a long time (over a decade) since I had to deal with GC problems being noticeable at an application level. A lot of these problems disappeared on their own, as computers became faster and GC algorithms moved from the drawing boards into the data center. (I was working on software for trading systems, algo trading, stock market engines, operational data stores, and large scale distributed systems. Mostly written in Java.)

In the late 90s, GC pauses were horrendous. By the late aughts, GC pauses were mostly manageable, and we had had enough time to work around the worst causes of them. Nowadays, pauseless GC algorithms are becoming the norm.

I still work in C and C++ when necessary, just like I still repair junk around the house by hand. It’s possible. Sure, it would be far cheaper and faster to order something brand new from China, but there’s a certain joy in wasting a weekend trying to do what should be a 5 minute fix. Similarly, it’s sometimes interesting to spend 40 person years (e.g. a team of 10 over a 4 year period) on a software project in C++ that would take a team of 5 people maybe 3 months to do in Go. Of course, there are still a handful of projects that actually need to be built in C or C++ (or Rust or Zig, I guess), but that is such a tiny portion of the software industry at this point, and those people already know who they are and why they have to do what they have to do.

You said “It just doesn’t make any sense to use these languages for anything that requires fine-grained control over the execution.” But how many applications still require that level of fine grained control?

But what problem are you actually trying to solve? Can you bootstrap the compiler (written in language X) when no existing compilers exist for language X? If you have to do this by implementing a compiler or interpreter for Y, then this makes sense only if Y is significantly simpler than X or if you can assume that an implementation of Y exists. WebAssembly is quite a complex language with a lot of features that are intended to make it possible to statically verify very coarse-grained memory safety and control-flow integrity properties. You’re also going to need at least WASI to be able to do I/O, so there’s a lot more in the embedding than just WebAssembly. SPARC, MIPS, and RISC-V are all simpler than WebAssembly, so you could just ship a binary for these and a spec for the architecture and a UART that you feed source into and get binaries out of. For any non-aliens use case, you can just run it in QEMU.

That’s never the problem I’m trying to solve with bootstrapping though. The problem that I am trying to solve is how do I get a binary for the compiler that I am reasonably confident that I can trust. If my FreeBSD/AArch64 FooLang compiler needs me to run a Linux/x86-64 FooLang compiler to cross-compile the first version and the Linux version of the compiler needs ten different versions to be built with eachother to get from source code to a binary, then there are a lot of places where someone could have inserted a trojan. Going via WebAssembly on the Linux/x86-64 -> FreeBSD/AArch64 step doesn’t address any of that, it still puts every single version of the Linux compiler in my TCB. It also isn’t easier to use.

No one bothers to solve this problem for C (and, increasingly, not for C++) because C/C++ compilers are assumed to be trusted for no good reason, and so the usual dodge is to write a bootstrap compiler in C/C++, then:

• Build a compiler (A) with the bootstrap compiler.
• Build a compiler (B) with the result of the bootstrap compiler.
• Build a compiler (C) with B.
• Check that B and C are bitwise identical.

If they are, then you can be moderately confident that the bootstrap compiler produces semantically equivalent output to your original.

The “Holy Trinity” is an older name for God as one being of three persons. People have a history of taking his name in vain or re-applying it in different ways. His names, like His creation, are meant to give Him glory. I just point it back to Him when I see it.

That said, I thank you for sharing the link. It’s very interesting. On top of mathematical education, there’s even another theological concept in it which is potentially useful:

“The central dogma of computational trinitarianism holds that Logic, Languages, and Categories are but three manifestations of one divine notion of computation. There is no preferred route to enlightenment: each aspect provides insights that comprise the experience of computation in our lives.”

This is great wording for a concept that’s hard to explain. One indeed similar to the Trinity. We have God existing as His own essence with all His properties (or nature). Then, each person has their own attributes, sets an example for us, takes seemingly-independent action, and are highly interdependent. After describing specifics, one might say something similar to the above quote: “each aspect provides insights that represent the experience of God moving in our lives.”

This might be another example where God creates things on earth to be shadows of things in heaven to help us understand them and marvel at Him.

“The flip side of that is that rewriting the network stack in Rust is a lot more effort than recompiling it with CHERI. “ “assuming CHERI hardware”

Which leads to the real problem. The market has tanked or forced a detour on [almost?] every company that bet on secure hardware for about sixty years. B5000 had some memory safety in 1961. System/38 had capability security. The market chose against those techniques for raw price/performance, integration, and backward compatibility. Even today, they’d be more likely to avoid really leveraging MCP or IBM i for security. In embedded, people avoided secure processors (esp Java CPU’s) for similar reasons. Even mid-sized to high-profit companies mostly avoided RTOS’s like INTEGRITY-178B and hypervisors like LynxSecure to a fraction of a percent of their costs.

Intel had it worse. Schell said a Burroughs guy at Intel added segments to x86 for him which secure OS’s used (eg GEMSOS). Market was mostly annoyed with and didn’t use that. Then, Intel lost billions on i432, i960, and Itanium. I liked i960MX, Secure64 built on Itanium, and companies using both had to port later. Azul’s Vega’s were safest bet since you can hide them underneath enterprise Java but they got ditched IIRC. It looks like market suicide to make or target a secure, clean-slate architecture. Whereas, memory-safe languages and software-level mitigations have been getting stronger in the market over time.

I really like your work on CHERI because it stays close to existing architectures vs dumping compatibility. Others took too many design risks. Yet, we’ve seen the RISC market abandon good RISC’s, the server market abandon good server CPU’s, and Java abandon Java CPU’s. The reasons appear to be:

1. The market-leading CPU’s had highest performance-per-dollar-per-watt-per-etc. Even if prototypes met specs, the same design might not meet spec requirements in full-custom, high-speed CPU’s.

2. Compatibility with x86. That still dominates much of the desktop and server market. There’s a lot of reasons to think it would be harder to get right than ARM or RISC-V. The ARM market for non-embedded is huge now, though.

3. For enterprises, integration into server boards they can plug into their kind of infrastructure. These things need to be ready to go with all the extras they like having on them. For consumers, it’s whatever goes into their phones and stuff.

4. Integration with common, management software that lets them deploy and administer it as easily as their Windows and Linux machines. Now maybe on clouds, too. For consumers, integration with their favorite apps.

Whoever sells secure hardware in major markets has a tremendous investment to do in hardware/software development. There’s lots of ASIC blocks, prototype boards, ports, and so on. After all that is spent, they still have to sell it at or near cost of everything else to be competitive.

That said, embedded and accelerator cards are the best bets. Might spur on the risk-adverse markets, too. Your project is in one category but still with some of the risks. Accelerator cards would be things like ML boards, baseband boards, etc. I was hoping Cavium slapped secure CPU’s on their network processors but they went to ARM. Same pattern. I’m glad ARM has a CHERI prototype.

Meanwhile, I encourage people to do R&D in all directions, including rewrites and transpilers, in case secure hardware never arrives, is hard to buy, or the company goes bankrupt. (Again, again, and again.)

CHERI also makes both garbage collection and formal verification of certain properties easier.

Rust developers regularly give up on fighting the borrow checker and switch to some form of reference counting (which is less efficient than a garbage collector). Making garbage collection less of a performance barrier opens up a market for programming languages that target infrastructure code. That’s not to say it’s not possible to get rid of (A)RC within RUST, just that a language built for CHERI would offer a more efficient use of a given engineering budget.

Rust doesn’t provide any formal guarantees, even in the intermediate representations. CHERI’s formally verified architecture makes it easier to prove some security properties across programming languages and down the binary level.

I don’t understand the last sentence in your comment. You most definitely can write C++ code that expresses this kind of state machine and it’s one of the reasons that I prefer C++ to C for embedded development.

Here is a comment from 6 days ago that states essentially the opposite. Who’s one believe..? Life is so confusing… Brings to mind this quote by Bertrand Russell:

The fundamental cause of the trouble is that in the modern world the stupid are cocksure while the intelligent are full of doubt.

I think it’s important to point out that hardware w/o capability enforcement is probably going to continue to exist for a very long time, so if you’re going to write new code, you may as well do it in a language that protects you in both cases.

for a lot of attacks a runtime crash is as good as an overrun.

I don’t think I’d agree with that. The goal of most widely deployed mitigations is to take a bug that can attack confidentiality or integrity and turn them into attacks on availability. In general, security ranks the tree properties, in descending importance, as:

1. Integrity.
2. Confidentiality
3. Availability.

A breach in integrity lets the attacker corrupt state and can usually be used to attack the other two. Breach in confidentiality may leak secrets that the rest of your security depends on (see: heartbleed), or commercially or personally sensitive information with potentially very expensive implications for a long time, including the reputational cost of reducing trust, A breach in availability may cost some money in the short term, but that generally matters only in safety critical systems.

It’s also much easier to build in resistance to availability issues higher up in a system. If you are running a datacenter service and an attacker can compromise it to do their own work or leak customer data, that’s likely to cost millions of dollars. If they can crash a node, you restart it and block the attacking IP at the edge. You also record telemetry and fix the bug that they’re exploiting. As soon as the fix is deployed, the attack has no lasting effect. If they were able to install root kits or leak your customers’ data, the impact of the attack may extend for years after the breach.

Oh, and on the memory leak side: we can’t prevent it, but we can 100% accurately identify pointers in memory, so we can provide sanitisers that check it with periodic scans.

I enjoyed your article. I also liked seeing Jim Gray in your links on the bottom. To build on some things, here’s three gifts that you might enjoy (all PDF’s):

Fault-Tolerance in Computer Systems which thoroughly describes the architecture Gray et al built.

An Architectural Overview of QNX which describes a microkernel with lightweight processing, message passing, and high reliability. That’s been powering all kinds of things for decades. Probably lessons to learn from it.

Microreboots applied the restart concept a bit further in a Java stack. The paper does a good job of covering the many failures and components one might want to consider.

it perhaps makes sense to weaken the existing association first.

Please don’t do this.