Kernel buffer overflow exposes iPhone 11 Pro to radio based attacks
Bruce Carneal
bcarneal at gmail.com
Wed Dec 9 17:21:57 UTC 2020
On Wednesday, 9 December 2020 at 16:34:28 UTC, H. S. Teoh wrote:
> On Wed, Dec 09, 2020 at 04:02:46PM +0000, Bruce Carneal via
> Digitalmars-d wrote:
>> On Wednesday, 9 December 2020 at 13:28:14 UTC, Timon Gehr
>> wrote:
>> > On 09.12.20 14:06, Paul Backus wrote:
>> > > On Wednesday, 9 December 2020 at 08:29:58 UTC, Bruce
>> > > Carneal wrote:
>> > > > [...]
>> > >
>> > > This does not work for extern(C) functions because their
>> > > names are
>> > > not mangled.
>> >
>> > It does not even work for extern(D) functions because their
>> > return
>> > types are not mangled.
>>
>> I did not know this.
>>
>> If we lose information when we compile separately it's over.
>> If you can't close the proof you've got no proof.
>
> This has nothing to do with separate compilation. The C ABI
> simply does not encode parameter or return types, needless to
> say function attributes. The D ABI does not encode return type
> information, because doing so would imply overloading by return
> type, which is not possible in D.
If you compile from source @safe can be enforced because the
compiler has all the information it needs. However things are
represented in .o files and libs, if that representation does not
give you the necessary information then you can't enforce @safe
mechanically.
>
> You cannot "prove" anything in the way of proving it down to
> the raw machine level. At some point, you have to depend on
> the consistency of the layer below you. Just because you
> mangle return types, does not prevent lower-level breakage of
> your proof. For example, you can declare a @safe function at
> the D language level, but link it to a C function that just
> happens to have the same name as the mangled D name, and you're
> free to make this C function do whatever you want, and there's
> nothing the compiler can do to enforce anything. Just because
> the mangled name says it's safe, does not guarantee it's safe.
I agree. If your information is probabilistic then you do not
have a hard proof.
>
> Even if you somehow require the D compiler to take over the
> entire process down to the executable, bypassing the system
> linker, that still guarantees nothing. I can use a hex editor
> to modify the executable after-the-fact to break the @safe-ty
> proof, and there's nothing the compiler or the language can do
> about it. Even if you somehow "protect" your executable, I can
> run it on a modified OS that edits the program in-memory while
> it's executing, and there's nothing the language can do about
> it either.
No one can prove anything about a system that is modified after
it leaves the proof domain. Does anyone believe otherwise?
>
> Basically, the automatic verification of @safe, etc., relies on
> the consistency of the lower-level layers. It does not "prove"
> anything in the absolute sense. You might be able to do that
> if you invent your own hardware from ground up, starting from
> the transistor level. But you can't do that with a programming
> language that's intended to run on a large variety of
> preexisting systems. Just like in mathematical proofs, you can
> only prove down to the axioms, you cannot prove the axioms
> themselves. If the axioms are violated, your proof collapses.
Does anyone think otherwise?
> The guarantees of @safe only hold if certain assumptions about
> the lower-level layers hold; however, there is nothing you can
> do to guarantee that. You cannot prove your axioms, you can
> only assume them.
Again, I don't see this as an issue. As you note, there is
nothing any proof system can do when the "axioms" are violated.
We're not trying to prove that all HW is correctly implemented,
for example, or that it can withstand cosmic rays, or a power
spike or, for that matter, that an arbitrarily patched binary has
any properties at all.
I agree that, even within the compiled language domain, "proof"
is probably better thought of as aspirational rather than
literal. There may be errors in the "proof": compiler
implementation errors, language definition ambiguities/errors
that were "correctly" implemented, and probably other modes of
failure that I've not thought of.
However, I do not agree that because we can not prove everything
we should stop trying to prove anything.
Finally, thanks for bringing up some of the hazards of using the
word "proof" wrt computer systems.
>
>
> T
More information about the Digitalmars-d
mailing list