After jumping from no-embedded-knowledge to a forced situation where I needed to produce something working, I've played a bit with Rust-for-Embedded, and it has exactly this approach when working with various ports and devices (UART, clocks etc.). And oh boy is this approach practical! While it is still very possible, it does make a large move towards the compiler not letting you shoot yourself in the foot.
MBCook 41 minutes ago [-]
This is something I’ve always wanted from a type system, or a way to make it if you can easily make custom types. Especially for strings, bags of bytes are easier. Seems like it could help in a lot of circumstances with security issues.
Writing a web app? All user input is untrusted until you process it. And if Untrusted<String> can’t be converted to String accidentally then it forces the programmer to think about it.
Unfortunately in Java (my everyday language) this isn’t feasible. I’d want to be able to join or process Untrusted<String> the same as normal. Really it would need to be built into the standard library.
Back to the article it sounds like this could work really well for the kernel. I hope this kind of idea catches on outside of that.
lock1 27 minutes ago [-]
Why is that not feasible? You could define `Untrusted<T>` container and `.map()` in Java just fine.
lock1 1 hour ago [-]
Interesting.
Though it reminds me of Alexis's "Parse, don't validate", isn't `syscall :: u8 -> Untrusted<u8>` considered "validate"?
I hope kernel code that consumes it will transform it to the appropriate type as well: `Untrusted<u8> -> T`.
vlovich123 1 hour ago [-]
The kernel is different because it’s not safe to access Untrusted until you copy it locally. Only then can you start parsing. Otherwise you run the risk of TOCTOU security vulnerabilities parsing user space input which then changes the next time you try to access it.
Untrusted doesn’t validate - it just ensures you don’t accidentally access the data until you’ve ingested data that could be potentially attacking you.
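An added sketch (not code from the article, the kernel, or any commenter) of the pattern vlovich123 describes and lock1 asks about: an `Untrusted` wrapper with no getter, whose only exit is a copy-then-parse step, beside the racy check-then-fetch pattern it is meant to rule out. `UserPage`, `parse_message` and the `race` hook are constructed stand-ins for user-space memory and a user-space write landing between two kernel reads.

```rust
use std::cell::RefCell;
use std::rc::Rc;

/// Constructed stand-in for a page of user-space memory. User space can rewrite
/// it at any moment, which is where TOCTOU bugs come from if the kernel reads twice.
pub type UserPage = Rc<RefCell<Vec<u8>>>;

/// Bytes that still live in user space. There is no Deref and no getter: the only
/// way to look at them is `validate`, which copies them into kernel-owned memory
/// exactly once and then parses the copy (Untrusted<u8> -> T).
pub struct Untrusted {
    page: UserPage,
}

impl Untrusted {
    pub fn new(page: UserPage) -> Self {
        Untrusted { page }
    }

    /// The copy_from_user step followed by parsing. Later user-space edits cannot
    /// affect `T`, because `parse` only ever sees the local snapshot.
    pub fn validate<T, E>(&self, parse: impl FnOnce(&[u8]) -> Result<T, E>) -> Result<T, E> {
        let local: Vec<u8> = self.page.borrow().clone();
        parse(&local)
    }
}

/// Message format assumed for the example: [len: u8][payload: len bytes].
pub fn parse_message(buf: &[u8]) -> Result<Vec<u8>, &'static str> {
    let (&len, rest) = buf.split_first().ok_or("empty buffer")?;
    rest.get(..len as usize)
        .map(|p| p.to_vec())
        .ok_or("declared length exceeds buffer")
}

/// The racy pattern the wrapper rules out: check the length on one read of user
/// memory, then fetch the payload on a second read. `race` stands in for user space
/// rewriting the page in between; it is a hook only so a test can trigger it.
pub fn racy_read(page: &UserPage, race: impl FnOnce(&UserPage)) -> Option<Vec<u8>> {
    let declared = page.borrow()[0] as usize;
    if page.borrow().len() < 1 + declared {
        return None; // check passes against the first read...
    }
    race(page);
    let mem = page.borrow();
    let len = mem[0] as usize; // ...but the second read may see a different length
    let out = mem.get(1..1 + len).map(|p| p.to_vec());
    out
}
```

With the wrapper, a length rewritten after the snapshot is simply rejected by the parser; with the racy pattern the bound that was checked no longer holds when the payload is fetched.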