MSRC-Security-Research
win32metadata
MSRC-Security-Research | win32metadata | |
---|---|---|
9 | 27 | |
1,292 | 1,281 | |
0.4% | 0.5% | |
5.1 | 0.0 | |
7 months ago | 3 days ago | |
Python | C++ | |
Creative Commons Attribution 4.0 | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
MSRC-Security-Research
-
A reactionary take on memory safety
You’ll find more primary sources across different organizations that all arrive at the 60 - 70% number. But what really grinds my gears here is that you take a piece from the article you’re criticizing and pretend that it’s a quote from Matt Miller.
It’s actually quite easy to find a primary source here because the slides from the talk that the article is based on are available: https://github.com/microsoft/MSRC-Security-Research/blob/mas...
To quote from those slides: „~70% of the vulnerabilities addressed through a security update each year continue to be memory safety issues“.
-
Zig and Rust
> It's still bizarre though that Rust is capturing such ridiculous mindshare.
I don't think it's that bizarre. The two big headline features that bring Rust such popularity are: #1 "70% of bugs are memory-safety bugs" [1] and Rust can help solve those, and #2 C/C++ have a couple of package manager solutions - none of which have critical mass and Rust "comes with" cargo.
Those two make me really eager to continue experimenting with Rust.
> It seems to be a temporary low-level programming zeitgeist driven by YouTube and Reddit recommendation algorithms to an audience that has never done it and probably never will.
This is some weird gatekeep-y kinda thing. Most of us didn't start out with low-level programming. Wouldn't it have been odd and frustrating for someone to tell your younger self that you have "never written C and probably never will"?
[1] https://github.com/microsoft/MSRC-Security-Research
-
Will Carbon Replace C++?
https://github.com/microsoft/MSRC-Security-Research/blob/mas...
- How CastGuard Works [BHUSA 2022]
-
Arm releases experimental CHERI-enabled Morello board
Windows is likely a big task for the same reasons as SMAP (https://github.com/microsoft/MSRC-Security-Research/blob/mas...). XNU should be comparable to FreeBSD, which CheriBSD is a fork of, as both use Mach's VM for memory management and have a bunch of shared code in various places, but userspace is more of an unknown quite how much effort it'd be (you'll need to port Objective-C and, now, Swift, for example). For Chromium we have ported WebKit, so I'd imagine Blink isn't too dissimilar. V8 is likely interesting, though we have a version of WebKit's JSC JIT for Morello, which gives confidence in V8 being doable.
- Security Analysis of CHERI ISA
- Security Analysis of Cheri ISA [pdf]
-
BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution
A related post from Google Security Blog[0]:
> "A recent study[1] found that "~70% of the vulnerabilities addressed through a security update each year continue to be memory safety issues.” Another analysis on security issues in the ubiquitous `curl` command line tool showed that 53 out of 95 bugs would have been completely prevented by using a memory-safe language. [...]"
[0]: https://security.googleblog.com/2021/02/mitigating-memory-sa...
[1]: https://github.com/Microsoft/MSRC-Security-Research/blob/mas...
-
Rust for Windows
Here is some of the internal advocacy going on at Microsoft.
- Managed languages if you can afford a GC
- Rust
- C++ with Core Guidelines
https://github.com/microsoft/MSRC-Security-Research/tree/mas...
Note that there are still some teams like Azure Sphere and Azure RTOS, which are only providing C based SDKs, so no everyone is on the same wave length.
win32metadata
-
Hey Rustaceans! Got a question? Ask here (18/2023)!
As /u/huellenoperator notes, that this needs a pointer to a mutable string comes straight from microsoft through win32metadata. Maybe it's a mistake on Microsoft's side, but if it's not you're taking big risks.
-
Kernel Headers for Windows could soon make it into windows-rs
Microsoft offers official "bindings" to Win32 APIs through win32metadata. However, until recently, it did not include metadata for kernel-level functions or WDK. In early 2021, an issue was raised through windows-rs regarding this limitation, but progress was slow until now. Microsoft has finally released official metadata for WDK, which can be found on the wdkmetadata repository. The latest comment on the issue thread can be found here:
-
winreader: read memory from other programs
for win32metadata's kernel api tracking issue, https://github.com/microsoft/win32metadata/issues/401
-
Best windows stubs
Any examples? Since the API bindings in windows-sys are generated from the metadata generated from official Windows SDK headers I'd not expect to see this kind of difference.
-
can we be free of c?
You might also look at this project: https://github.com/microsoft/win32metadata
-
Is it time to retire C and C++ for Rust in new programs?
There is still the occasional incredibly subtle link time fuckery in Rust.
https://github.com/microsoft/win32metadata/issues/1274
"Minor" semver updates to crates breaking things via e.g. unexpected MSRV bumps is pretty common too, with some resulting bitrot. That said, I agree with you that things in Rust are at least better. Imperfect, but better.
-
Are there any Windows-centric perks of using C# that other non-Microsoft languages simply can't offer (or at least don't out of the box)?
Win32 is available as metadata to enable adoption in as many languages as possible. Are there some things missing? Yes. The Microsoft team acknowledges that and encourages asking for the things you need so they can add them to the metadata.
-
Using Windows API in Julia?
It might be interesting to have bindings generated for the entirety of Win32 API through https://github.com/microsoft/win32metadata
- Would std code for Windows ever use the windows crate by Microsoft?
-
The Atrocities of COM win32 headers
Hi JB! Funny to cross paths with you in this context. I don't know if you remember me but I was a rookie programmer who got the pleasure of joining the VideoLan Conference in Dublin back in 2014, and then Paris the next year, and you were very kind to me.
The GitHub issue title here is unfortunately misleading. I have renamed it to "ideas to improve windows header files and libc". Also, I hope it is clear that I rebutted the points made by the OP, because I completely agree with your summary that the mingw-w64 people are skilled, nice and very clever and think about all use cases.
If any drive-by HN readers work at Microsoft, please help us with this issue: https://github.com/microsoft/win32metadata/issues/766
What are some alternatives?
rust-zmq - Rust zeromq bindings.
rust-bindgen - Automatically generates Rust FFI bindings to C (and some C++) libraries.
wuffs - Wrangling Untrusted File Formats Safely
JNA - Java Native Access
PowerShell - PowerShell for every system!
go - The Go programming language
windows-rs - Rust for Windows
winapi - Windows API declarations without <windows.h>, for internal Boost use.
Cargo - The Rust package manager
zig - General-purpose programming language and toolchain for maintaining robust, optimal, and reusable software.
winapi-rs - Rust bindings to Windows API
panama-foreign - https://openjdk.org/projects/panama