Memory safety is a matter of life and death
In 2018, Saudi journalist Jamal Khashoggi’s fiancée’s phone was hacked. Later that year, Khashoggi walked into the Saudi Arabian consulate in Istanbul to obtain documents related to his planned marriage, and left two hours later in a body bag. It’s easy to forget that the work we do affects real people. It’s easy to feel, if only unconsciously, that the point of programming is to be mathematically beautiful or fun to use. It’s easy to forget that buffer overflows aren’t just bad in the abstract, but that sometimes, they get real people killed. And it’s about to get much, much worse.
In my day job, I work on a security team, so I have access to hard data and water cooler talk with colleagues at Google and elsewhere about agentic bug-finding models, which are behind what the security industry has coined the “vulnpocalypse”. For the past few weeks, I’ve been repeatedly asked the same question: “Mythos. Is it really that bad?” In a word: Yes. The point of this post isn’t to adjudicate this claim, so in lieu of a serious argument, I’ll just leave you with this graph courtesy of Firefox:
Many factors will determine the long-term equilibrium of vulnerability discovery, but that equilibrium will take many years to reach. Regardless of how that plays out in the long term, the medium term impact is clear: memory-unsafe open-source software is not ready for high-quality bug-finding agents to be made widely available. It is expected that broad availability will happen at some point this summer, and when it does, few open source programs written in memory-unsafe languages will be safe from catastrophic exploits.
Many actors will use these exploits to steal identities, or steal money, or commit other run-of-the-mill cyber crimes. But some will use these exploits to kill people. I am not being hyperbolic when I say that when these agents are made available, more people will die. While memory safe languages are not a panacea, they will prevent the majority of these vulnerabilities (the usual estimate is about 70%, the share of serious bugs that both Microsoft and the Chromium project have attributed to memory unsafety in their C and C++ codebases), and they will prevent the highest-impact of these vulnerabilities. This makes switching to memory safe languages a moral imperative.
Alternatives such as Carbon are being developed, and other languages with different performance characteristics like Go or Java exist. However, when it comes to memory safe languages which are already in production and which impose no overhead relative to C or C++, Rust is the only option. Therefore, it is a moral imperative: Rust must succeed.
I am honored to call many people in the Rust community some of my closest friends. I have heard their stories at conferences, and over drinks, and on Zulip threads and Jitsi meetings. We have come to Rust for many different reasons (although they usually involve some form of nerd sniping). While the community has had its struggles, as any open source community does, it has always been an absolute blast – in our better moments, we have been kind to each other and written amazing software. To paraphrase Scott McNealy, we have “kicked butt, had fun, and changed computing forever.” I don’t see why we can’t keep having fun with Rust for the rest of our lives.
But at the same time, we must acknowledge a hard truth: of the billions of people our software touches, only a tiny fraction know what a pointer is. To these people, it’s irrelevant whether Rust is beautiful or fun. But for some of these people, if Rust doesn’t succeed, they will die.
My dad and sister are both doctors, and I’ve always admired how they show up to work every day and face the weight of real, life-and-death consequences. The connection between their work and the lives of real people is immediate. One contrast that I’ve seen between their industry and our own is how they measure what is important. Imagine that your parent had a worrisome lump on an annual physical and went to the radiologist to get it checked out. Imagine that the radiologist could choose a highly-accurate imaging technology, but instead they chose one with a high false-negative rate. You would be furious that this radiologist was jeopardizing your parent’s life, and it wouldn’t make you feel any better if the radiologist tried to reassure you that the technology they chose used a cleverer design, or had a better user interface, or made them feel nostalgic for when they were in med school. The radiologist’s job is to treat your parent, and everything else is secondary.
Whatever the reason we each got into Rust, and whatever keeps us going, we have a new responsibility that most of us never asked for: people are now depending on us for their survival. They depend on Rust being secure. But more importantly, since Rust is already the most secure systems language in existence, they depend on Rust succeeding.
I wrote this post as a celebration that we have built a language so secure that people’s lives depend on projects choosing it. We should be immensely proud of what we’ve accomplished. But I also wrote it as a call to arms. Now more than ever, it is important that Rust succeed. In the coming months and years, we will need to make hard choices. We cannot be all things to all people. We will need to prioritize some use cases over others. We must think of progress and consensus as virtues in and of themselves. We must learn to recognize when having a consensus is more important than having the right consensus, and in these cases, to pick progress over stagnation.
Whether it’s C++ interop, or auditability, or any other un-glamorous feature which will nonetheless increase Rust adoption, we will have to hold our noses, wade into the muck, and get the work done. I want to keep having fun, and thinking deep thoughts, and writing great code. I don’t want to give up what has made Rust a joy to participate in. But I also don’t want people to die. If that means having a little less fun and being a little more serious, then I believe in our community’s ability to rise to the occasion.