Memory-Safety

Josh and Kurt talk to Carol Nichols about Rust. Carol is an authority on Rust and helps us understand how Rust works, why it’s different. Why Rust doesn’t have the same problems C and C++ have, and what the future of it all could look like. It’s a really fun show with some great questions from Carol along the way. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_362_A_lesson_in_Rust_from_Carol_Nichols.mp3 Show Notes Carol Nichols on Mastodon The Rust Programming Language, 2nd Edition Rust book online Netflix tech blog on Java performance Rust in the context of Railroad Brakes Kees Cook blog - Bounded Flexible Arrays in C Consumer Reports on memory safety OSS-Fuzz and Rust

Josh and Kurt talk about the NSA guidance on using memory safety issues. The TL;DR is to stop using C. We discuss why C has so many problem, why we can’t fix C, and what some alternatives looks like. Even the alternatives have their own set of issues and there are many options, but the one thing we can agree on is we have to stop using C. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_360_Memory_safety_and_the_NSA.mp3 Show Notes NSA Releases Guidance on How to Protect Against Software Memory Safety Issues Drum memory and the story of Mel Netflix performance Discord Go vs Rust NVIDIA switch to Spark

Josh and Kurt talk about the recent OpenSSL nothingburger. OpenSSL got everyone whipped into a frenzy over a critical vulnerability, then changed the severity to high. The correct solution to this whole problem is to stop using a TLS library written in C, we need to be using memory safe languages. Don’t migrate from OpenSSL 1 to 3, migrate from OpenSSL 1 to Rustls. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_348_OpenSSL_is_the_new_lead_paint.mp3 Show Notes OpenSSL Blog Post OpenSSL pre-announcement Mark Cox Tweet 3.0 only affected GossiTheDog NDA Tweet Claims of a name and logo Rustls