Stream: wg-secure-code

Topic: scudo / gwpasan


Alex Gaynor (Nov 28 2019 at 15:48, on Zulip):

If anyone's interested in a project, getting rust to support the scudo allocator (which llvm packages as a sanitizer) would be a useful task https://llvm.org/docs/ScudoHardenedAllocator.html

My primary interest in scudo is that it bundles gwp-asan by default (gwp asan is basically a sampling version of asan, which is low enough overhead to ship in production), it's described https://llvm.org/docs/GwpAsan.html and here https://www.youtube.com/watch?v=RQGWMLkwrKc. Making gwp-asan trivial for rust would be great from the perspective of increasing safety of unsafe code

Shnatsel (Nov 29 2019 at 00:26, on Zulip):

Wait, gwp-asan is open-source? Yay!

Shnatsel (Nov 29 2019 at 00:27, on Zulip):

Dear Seht... is that a retconned recursive acronym?

Shnatsel (Nov 29 2019 at 00:36, on Zulip):

Sadly I don't see it as low-hanging fruit that would increase safety universally. GWP-ASAN is a very particular thing that only helps if you have a very large number of deployments and also a system to collect crash reports from the deployments, which very few entities have, and those are mostly large companies.

Alex Gaynor (Nov 29 2019 at 15:39, on Zulip):

It's true that gwp-asan requires some good infra to get the most out of it, but I think there's already plenty of rust packages that are widely used in contexts where people would file bugs (e.g. rg).

Last update: Dec 12 2019 at 01:20UTC