MSRC-Security-Research
json
| | MSRC-Security-Research | json |
|---|---|---|
| | 9 | 41 |
| Stars | 1,292 | 4,553 |
| Growth | 0.4% | 1.8% |
| Activity | 5.1 | 8.7 |
| | 7 months ago | 6 days ago |
| Language | Python | Rust |
| License | Creative Commons Attribution 4.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
MSRC-Security-Research
-
A reactionary take on memory safety
You’ll find more primary sources across different organizations that all arrive at the 60 - 70% number. But what really grinds my gears here is that you take a piece from the article you’re criticizing and pretend that it’s a quote from Matt Miller.
It’s actually quite easy to find a primary source here because the slides from the talk that the article is based on are available: https://github.com/microsoft/MSRC-Security-Research/blob/mas...
To quote from those slides: "~70% of the vulnerabilities addressed through a security update each year continue to be memory safety issues".
-
Zig and Rust
> It's still bizarre though that Rust is capturing such ridiculous mindshare.
I don't think it's that bizarre. The two big headline features that bring Rust such popularity are: #1 "70% of bugs are memory-safety bugs" [1] and Rust can help solve those, and #2 C/C++ have a couple of package manager solutions - none of which have critical mass and Rust "comes with" cargo.
Those two make me really eager to continue experimenting with Rust.
> It seems to be a temporary low-level programming zeitgeist driven by YouTube and Reddit recommendation algorithms to an audience that has never done it and probably never will.
This is some weird gatekeep-y kinda thing. Most of us didn't start out with low-level programming. Wouldn't it have been odd and frustrating for someone to tell your younger self that you have "never written C and probably never will"?
[1] https://github.com/microsoft/MSRC-Security-Research
-
Will Carbon Replace C++?
https://github.com/microsoft/MSRC-Security-Research/blob/mas...
- How CastGuard Works [BHUSA 2022]
-
Arm releases experimental CHERI-enabled Morello board
Windows is likely a big task for the same reasons as SMAP (https://github.com/microsoft/MSRC-Security-Research/blob/mas...). XNU should be comparable to FreeBSD, which CheriBSD is a fork of, as both use Mach's VM for memory management and have a bunch of shared code in various places, but userspace is more of an unknown quite how much effort it'd be (you'll need to port Objective-C and, now, Swift, for example). For Chromium we have ported WebKit, so I'd imagine Blink isn't too dissimilar. V8 is likely interesting, though we have a version of WebKit's JSC JIT for Morello, which gives confidence in V8 being doable.
- Security Analysis of CHERI ISA
- Security Analysis of Cheri ISA [pdf]
-
BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution
A related post from Google Security Blog[0]:
> "A recent study[1] found that "~70% of the vulnerabilities addressed through a security update each year continue to be memory safety issues.” Another analysis on security issues in the ubiquitous `curl` command line tool showed that 53 out of 95 bugs would have been completely prevented by using a memory-safe language. [...]"
[0]: https://security.googleblog.com/2021/02/mitigating-memory-sa...
[1]: https://github.com/Microsoft/MSRC-Security-Research/blob/mas...
-
Rust for Windows
Here is some of the internal advocacy going on at Microsoft.
- Managed languages if you can afford a GC
- Rust
- C++ with Core Guidelines
https://github.com/microsoft/MSRC-Security-Research/tree/mas...
Note that there are still some teams like Azure Sphere and Azure RTOS, which are only providing C based SDKs, so not everyone is on the same wavelength.
json
-
What even is a JSON number?
Oh wow. So serde_json doesn't roundtrip floats by default, it uses some imprecise faster algorithm https://github.com/serde-rs/json/issues/707
Good thing there's msgpack I guess.
-
I pre-released my project "json-responder" written in Rust
tokio / hyper / toml / serde / serde_json / json5 / console
-
Flow Updater JSON Creator
Serde JSON, an extension of the serde crate that enables the serialization and deserialization of Rust structs.
-
A Simple CRUD API in Rust with Cloudflare Workers, Cloudflare KV, and the Rust Router
To serialize and deserialize data, we'll employ the popular serde crate along with serde_json. This will allow us to easily convert between Rust types and JSON when working with API requests and responses. For async operations we'll use the Rust futures crate.
- Rust devs push back as Serde project ships precompiled binaries
-
Building a Rust app with Perseus
From the Cargo.toml file above, we can see that the Perseus version at the time of publication is 0.4.2 and has the following dependencies that are common to both the engine side (server-side) and client side of a Perseus application: sycamore, serde, and serde_json.
-
REST API in RUST with ntex
serde_json
-
Müsli - An experimental binary serialization framework with more choice
Number parsing uses a fairly naive but lossless algorithm in musli-json. In serde_json they use a fork of lexical I haven't wrapped my head around. I wanted something simple to start with.
-
How can I deserialise this value?
Your best bet would be to use an enum. Either your own or something like the one from serde_json depending on what you are trying to do.
-
Spotting and Avoiding Heap Fragmentation in Rust Apps
Don't do that if you care about memory usage. In your toy program, I wouldn't be surprised if memory usage was a lot better if you used Box instead. (even if it doesn't look like it, you can handle almost all the use cases of serde_json::Value with it, often not much less convenient)
What are some alternatives?
rust-zmq - Rust zeromq bindings.
serde - Serialization framework for Rust
wuffs - Wrangling Untrusted File Formats Safely
json-rust - JSON implementation in Rust
PowerShell - PowerShell for every system!
hjson-rust for serde - Hjson for Rust
windows-rs - Rust for Windows
pikkr - JSON parser which picks up values directly without performing tokenization in Rust
Cargo - The Rust package manager
serde-yaml - Strongly typed YAML library for Rust
winapi-rs - Rust bindings to Windows API
RapidJSON - A fast JSON parser/generator for C++ with both SAX/DOM style API