Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

July 4, 2016

Cybersecurity By Design?

Filed under: Cybersecurity,Programming,Rust — Patrick Durusau @ 9:08 pm

Shaun Nichols reports in Mozilla emits nightly builds of heir-to-Firefox browser engine Servo:

Mozilla has started publishing nightly in-development builds of its experimental Servo browser engine so anyone can track the project’s progress.

Executables for macOS and GNU/Linux are available right here to download and test drive even if you’re not a developer. If you are, the open-source engine’s code is here if you want to build it from scratch, fix bugs, or contribute to the effort.

Right now, the software is very much in a work-in-progress state, with a very simple user interface built out of HTML. It’s more of a technology demonstration than a viable web browser, although Mozilla has pitched Servo as a potential successor to Firefox’s Gecko engine.

Crucially, Servo is written using Rust – Mozilla’s more-secure C-like systems programming language. If Google has the language of Go, Moz has the language of No: Rust. It works hard to stop coders making common mistakes that lead to exploitable security bugs, and we literally mean stop: the compiler won’t build the application if it thinks dangerous code is present.

Rust focuses on safety and speed: its security measures do not impact it at run-time as the safety mechanisms are in the language by design. For example, variables in Rust have an owner and a lifetime; they can be borrowed by another owner. When a variable is being used by one owner, it cannot be used by another. This is supposed to help enforce memory safety and stop data races between threads.

It also forces the programmer to stop and think about their software’s design – Rust is not something for novices to pick up and quickly bash out code on.

Even though pre-release and rough, I was fairly excited until I read:


One little problem is that Servo relies on Mozilla’s SpiderMonkey JavaScript engine, which is written in C/C++. So while the HTML-rendering engine will run secured Rust code, fingers crossed nothing terrible happens within the JS engine.

Really?

But then I checked Mozilla JavaScript-C Engine – SpiderMonkey at BlackDuck | Security, which shows zero (0) vulnerabilities over the last 10 versions.

Other than SpiderMonkey vulnerabilities known to the NSA, any others you care to mention?

Support, participate, submit bug reports on the new rendering engine but don’t forget about the JavaScript engine.

No Comments

No comments yet.

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress