alilleybrinker 9 hours ago [-]
The section on how to do software assurance of unsafe code in Rust is excellent.
A lot of prior guidance I've seen tends to stop at the level of running Miri, but (as the article says) there are things Miri won't catch. The model-based tests with a known-good oracle and the use of fault injection (especially panic-related behavior) are really good.
Safety in the face of panics in Rust can be hard to reason about, and the standard library itself has made errors with those semantics in the past.
Great work Rain and Oxide for building something so useful and assuring it so robustly!
sunshowers 9 hours ago [-]
Thanks Andrew! Honestly I learned so much about what makes unsafe Rust so hard from building iddqd.
epilys 3 hours ago [-]
Hi Rain, have you considered fuzzing? And if not, why?
(Thanks for cargo-nextest btw!)
sunshowers 3 hours ago [-]
Since iddqd works on structured data, the model-based tests (while not being coverage-guided) do a lot of the kinds of things fuzzing would do against an algorithm which accepted unstructured data. In principle the bitstream from which structured data is generated could be provided by a fuzzer rather than the system RNG, but proptest makes that somewhat inconvenient. It's possible the newer Hegel library makes that easier, though.
(You're welcome!)
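Added example (not iddqd's or Oxide's code, and not from any commenter above) tying together the two techniques the thread discusses: the model-based test with a known-good oracle that sunshowers describes, with the operation sequence decoded from a plain byte slice so the same harness can be fed either RNG bytes or a fuzzer's input without going through proptest, and the panic-injection check alilleybrinker praises. The `SortedVecMap` here is a hypothetical stand-in for the real data structure under test; the oracle is `std::collections::BTreeMap`, the PRNG is a throwaway xorshift32, and the injected fault is an `Ord::cmp` that panics on demand.

```rust
// Added example, not iddqd's code. Model-based testing against a std oracle,
// driven by a byte stream (RNG or fuzzer), plus panic injection via Ord::cmp.
use std::cell::Cell;
use std::cmp::Ordering;
use std::collections::BTreeMap;
use std::panic::{catch_unwind, AssertUnwindSafe};

// System under test: a minimal sorted-vector map (hypothetical stand-in).
pub struct SortedVecMap<K: Ord, V> {
    entries: Vec<(K, V)>,
}

impl<K: Ord, V> SortedVecMap<K, V> {
    pub fn new() -> Self { Self { entries: Vec::new() } }
    pub fn len(&self) -> usize { self.entries.len() }
    pub fn insert(&mut self, key: K, value: V) -> Option<V> {
        match self.entries.binary_search_by(|(k, _)| k.cmp(&key)) {
            Ok(i) => Some(std::mem::replace(&mut self.entries[i].1, value)),
            Err(i) => { self.entries.insert(i, (key, value)); None }
        }
    }
    pub fn remove(&mut self, key: &K) -> Option<V> {
        match self.entries.binary_search_by(|(k, _)| k.cmp(key)) {
            Ok(i) => Some(self.entries.remove(i).1),
            Err(_) => None,
        }
    }
    pub fn get(&self, key: &K) -> Option<&V> {
        self.entries.binary_search_by(|(k, _)| k.cmp(key)).ok().map(|i| &self.entries[i].1)
    }
    // Structural invariant: keys strictly increasing (sorted, no duplicates).
    pub fn check_invariants(&self) -> bool {
        self.entries.windows(2).all(|w| w[0].0 < w[1].0)
    }
}

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Op { Insert(u8, u32), Remove(u8), Get(u8) }

// Decode structured operations from an unstructured byte stream: 6 bytes per op
// (tag, key, 4-byte value). Keys are confined to one byte so that re-inserts and
// removes of present keys happen often. A fuzzer's input can be passed straight in.
pub fn decode_ops(bytes: &[u8]) -> Vec<Op> {
    bytes.chunks_exact(6).map(|c| {
        let value = u32::from_le_bytes([c[2], c[3], c[4], c[5]]);
        match c[0] % 3 { 0 => Op::Insert(c[1], value), 1 => Op::Remove(c[1]), _ => Op::Get(c[1]) }
    }).collect()
}

// xorshift32: deterministic byte source so the example is reproducible offline.
pub fn xorshift_bytes(mut state: u32, n: usize) -> Vec<u8> {
    let mut out = Vec::with_capacity(n + 4);
    while out.len() < n {
        state ^= state << 13; state ^= state >> 17; state ^= state << 5;
        out.extend_from_slice(&state.to_le_bytes());
    }
    out.truncate(n);
    out
}

// Model-based check: apply every op to the SUT and the oracle, compare return
// values and re-check the invariant after each step. Returns ops checked.
pub fn check_against_oracle(ops: &[Op]) -> Result<usize, String> {
    let mut sut = SortedVecMap::new();
    let mut oracle = BTreeMap::new();
    for (i, op) in ops.iter().enumerate() {
        let (got, want) = match *op {
            Op::Insert(k, v) => (sut.insert(k, v), oracle.insert(k, v)),
            Op::Remove(k) => (sut.remove(&k), oracle.remove(&k)),
            Op::Get(k) => (sut.get(&k).copied(), oracle.get(&k).copied()),
        };
        if got != want { return Err(format!("op {i} {op:?}: sut {got:?}, oracle {want:?}")); }
        if !sut.check_invariants() { return Err(format!("op {i} {op:?}: invariant broken")); }
    }
    Ok(ops.len())
}

// Fault injection: a key whose comparison panics when the flag is set.
thread_local! { static PANIC_ON_CMP: Cell<bool> = Cell::new(false); }

#[derive(Debug, PartialEq, Eq)]
pub struct FlakyKey(pub u8);
impl PartialOrd for FlakyKey { fn partial_cmp(&self, o: &Self) -> Option<Ordering> { Some(self.cmp(o)) } }
impl Ord for FlakyKey {
    fn cmp(&self, o: &Self) -> Ordering {
        if PANIC_ON_CMP.with(|c| c.get()) { panic!("injected fault in Ord::cmp"); }
        self.0.cmp(&o.0)
    }
}

// Make cmp panic mid-insert, catch the unwind, and verify the map is still
// structurally valid and equal to the oracle state from before the failing op.
pub fn panic_injection_keeps_invariants() -> bool {
    let mut sut = SortedVecMap::new();
    let mut oracle = BTreeMap::new();
    for k in [10u8, 20, 30] { sut.insert(FlakyKey(k), k as u32); oracle.insert(k, k as u32); }
    PANIC_ON_CMP.with(|c| c.set(true));
    let outcome = catch_unwind(AssertUnwindSafe(|| sut.insert(FlakyKey(25), 25)));
    PANIC_ON_CMP.with(|c| c.set(false));
    outcome.is_err()
        && sut.check_invariants()
        && sut.len() == oracle.len()
        && oracle.iter().all(|(k, v)| sut.get(&FlakyKey(*k)) == Some(v))
}

fn main() {
    let ops = decode_ops(&xorshift_bytes(0x9E37_79B9, 6 * 2000));
    println!("oracle check: {:?}", check_against_oracle(&ops));
    println!("panic injection kept invariants: {}", panic_injection_keeps_invariants());
}
```

The point of `decode_ops` taking a `&[u8]` is the one sunshowers makes: the structured generator sits behind an unstructured bitstream, so swapping `xorshift_bytes` for a fuzzer's input (cargo-fuzz, libFuzzer or AFL) requires no change to the model check; only the byte supplier changes, and the fuzzer then gets coverage guidance that the plain RNG lacks. The panic-injection check is the simplest form of the fault-injection testing the thread praises: for a structure that uses `unsafe`, the invariant check after a caught unwind is where a dangling index or a double-drop would surface.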