Hacker News new | past | comments | ask | show | jobs | submit login
With 0-days hitting Chrome, iOS, and many more this month, is no software safe? (arstechnica.com)
25 points by Syonyk on Sept 13, 2023 | hide | past | favorite | 16 comments



I’ve often thought that it is impossible to 100% secure any software that accepts user input.

I wonder if it can be proven?


  def __main__():
    said = input("say something\r\n")
    print(said)
Now there may well be an exploit in the interpreter itself, but I'd say that's a very different thing.


You're in for a nasty surprise if (for whatever reason) this code is executed using Python 2:

https://docs.python.org/2/library/functions.html#input

    Equivalent to eval(raw_input(prompt)).


It can be proven false


Awesome! How?


It is possible to prove that a piece of code matches a given mathematical specification. That spec has to be good though, and there can still be hardware failures (e.g. bitflips), problems with the environment (if not proven correct as well), and more. It theoretically is possible though that way to at least 100% secure a not-too-complex piece of software by itself (without hardware).


Are we asking for the mathmatical answer (which I cant provide) or the practical answer (which most of us may take a stab at).


There's no promise that legacy software is safe. There's only a promise it exists, works, gets the job done and releases updates.


... except for software written in Rust, obviously.


... as if memory management issue is the only source of software vulnerability.


True but a reduction of 70% is nothing to sneeze at https://www.zdnet.com/article/microsoft-70-percent-of-all-se...


Only a small fraction of those 70% is memory management errors.


What do you mean? That 70% represents memory management errors.


70% are memory safety errors, a fraction of which are memory management errors.


Incorrect memory management leads to memory safety issues. That's what those words mean. You manage the memory, you get it wrong, you have a potentially exploitable memory safety issue. It sounds like you're just playing with words.


Fixing memory management errors fixes some memory safety issues, I agree with that, I only disagreed with your quantitative claim that you can fix all memory safety issues this way.




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: