RISKS-LIST: Risks-Forum Digest Tuesday 22 June 2021 Volume 32 : Issue 72
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.72>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
GPS III's Long Journey Is Picking Up Speed (WiReD)
Why the Mexico City Metro Collapsed (NYTimes)
One stolen password gave hackers access to NYC's deepest secrets
(NYTimes PGN-ed)
Double-Encrypting Ransomware (WiReD)
Optional is not always optional (Bob Gezelter)
Facial Recognition Failures Are Locking People Out of Unemployment
Systems (Vice)
Doggie device prompts scare that closed CIA front gate,
spokeswoman says (WashPost)
This tech uses augmented reality to give surgeons 'superpowers'
(cnn.com)
Caps and Gowns and credit-card fraud (The Globe via David Tarabar)
Hard to fathom this having been a design goal... (Geek via GG)
Biomimetic resonant acoustic sensor detecting far-distant voices
accurately to hit the market (Techxplore.com)
Apple Says It's Time to Digitize Your ID, Ready or Not (WiReD)
What If Doctors Are Always Watching, but Never There? (WiReD)
End-to-End Verifiability Key to Future Election Security
(unidentified author via Gabe Goldberg)
Government Chatbots Now a Necessity for States, Cities, Counties
(GovTech)
Wabi-sabi software systems (Henry Baker)
CoVID dream (Rob Slade)
Bombshell Report Finds Phone Network Encryption Was Deliberately
Weakened (Vice via Lauren Weinstein)
Metrics and integrity -- and media? (Rob Slade)
Fake surveys? Real surveys? Who knows? (Lauren Weinstein)
Correlated errors in quantum computers emphasize need for design
changes (Sarah Perdue)
Apple's and Google's New AI Wizardry Promises Privacy, at a Cost (WiReD)
The Efforts to Make Text-Based AI Less Racist and Terrible (WiReD)
How Humans Think When They Think As Part of a Group (WiReD)
One-billion-dollar Bangladesh cybertheft in 2016 foiled by faulty
printer, random coincidence in street address, and a spelling error
(and perhaps deductible -- BBC and techxplore.com)
Re: Pipeline Investigation Upends Idea That Bitcoin Is Untraceable
(Stephen E. Bacher)
Re: New trains on Amtrak's Acela delayed a year by new round of testing
(John Levine)
Re: Encrypted Messaging App Run by the FBI Leads to Arrest of Over 100
Organized Crime Members (Stephen E. Bacher)
Re: Single-point failure (Adam Shostack)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Sat, 19 Jun 2021 13:16:11 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: GPS III's Long Journey Is Picking Up Speed (WiReD)
With the launch of a fifth new-generation satellite, the US finally has a constellation able to globally beam M-Code signals that are tough to spoof
or jam.
https://www.wired.com/story/gps-iiis-long-journey-is-picking-up-speed/
An autonomous ship's first effort to cross the Atlantic shows the difficulty
of the experiment
A nearly 50-foot-long ship set out on June 15 to sail from England to the United States autonomously. But a mechanical problem has forced its
designers to return it to port.
IBM and Promare had dispatched the 49-foot autonomous boat into the waters
off the coast of Plymouth, England, on Tuesday. The robotic boat was set to traverse the seas alone for the next few weeks until it reached Plymouth, Mass., the town where pilgrim travelers settled in 1620. But overnight Thursday, the ship-shaped android developed a *minor mechanical
issue* that was significant enough for Promare to temporarily abort the mission. [...]
So what went wrong? It's unclear. Early Friday morning, researchers
monitoring the voyage realized that the vessel was operating at about half
its optimal speed. The issue may be due to a cheap part untethering near the backup diesel engine, Phaneuf said. But it's hard to know since cameras
pointed at the ship's internal components don't capture everything.
``We could probably just go ahead and plod along, but we're running into the Gulf Stream, we're running into a couple of storms. Ordinarily that wouldn't
be a big deal. But if you don't have enough power to keep the boat going through wind currents and waves, we might have been stuck out there for a
very long time'' Phaneuf added.
https://www.washingtonpost.com/technology/2021/06/18/mayflower-ibm-autonomous-ship/
------------------------------
Date: Sun, 13 Jun 2021 12:09:53 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Why the Mexico City Metro Collapsed (NYTimes)
A *Times* investigation shows the serious construction flaws and political pressure behind a tragedy that threatens two of Mexico's most prominent figures.
But evidence from the crash site indicates that the metro's flaws ran
much deeper than maintenance.
Underneath the tracks, the line that carried more than a quarter of a
million people around the Mexican capital every day was held together by bolt-like studs. Welded into steel and encased in concrete, they created a structure much stronger than either material on its own.
The strength of the overpass depended on those studs -- they were an
essential connection keeping it intact.
But photographs of the rubble point to a fundamental lapse during
construction: The welds holding everything together were far too weak. Photographs show that the studs broke clean off the steel beams, creating
what engineers called an unstable structure incapable of supporting the
train.
https://www.nytimes.com/interactive/2021/06/12/world/americas/mexico-city-train-crash.html
------------------------------
Date: Sun, 20 Jun 2021 20:28:48 PDT
From: Peter G Neumann <neumann@csl.sri.com>
Subject: One stolen password gave hackers access to NYC's deepest secrets
Ashley Southall, Benjamin Weiser and Dana Rubenstein
*The New York Times*, 20 Jun 2021
Failure to use a simple and common security tool led to a breach
Conclusion: They did not use MFA (Multi-Factor Authentication).
[Simple? Not necessarily. Common? Not so much. Once again, so-called
best practices are not good enough. Even if New York City's Law
Department had used MFAs, the system was apparently configured so that
once an attacker managed to get inside, they had access to everything.
Principles such as Least Privilege, Compartmentalization, Separation of
Roles/Duties/Permissions/etc., and lots more should be practiced, not just
espoused. PGN]
------------------------------
Date: Tue, 15 Jun 2021 04:14:57 +0000
From: Bruce Schneier <schneier@schneier.com>
Subject: Double-Encrypting Ransomware (WiReD)
CRYPTO-GRAM, June 15, 2021
by Bruce Schneier, Fellow and Lecturer, Harvard Kennedy School
Schneier@Schneier.Com https://www.schneier.com
A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit crypto-gram's web page [https://www.schneier.com/crypto-gram/].
Risks-excerpted ToC; #5 follows
1. Is 85% of U.S. critical infrastructure in private hands?
5. Double-Encrypting Ransomware
6. AIs and fake comments
14. Vulnerabilities in weapons systems
[2021.05.21] [https://www.schneier.com/blog/archives/2021/05/double-encrypting-ransomware.html]
This seems to be a new tactic [https://www.wired.com/story/ransomware-double-encryption/]
** Double-Encrypting Ransomware
Emsisoft has identified two distinct tactics. In the first, hackers encrypt data with ransomware A and then re-encrypt that data with ransomware B. The other path involves what Emsisoft calls a *side-by-side encryption* attack,
in which attackers encrypt some of an organization's systems with ransomware A and others with ransomware B. In that case, data is only encrypted once, but
a victim would need both decryption keys to unlock everything. The
researchers also note that in this side-by-side scenario, attackers take
steps to make the two distinct strains of ransomware look as similar as possible, so it's more difficult for incident responders to sort out what's going on.
------------------------------
Date: Sun, 20 Jun 2021 16:29:18 -0400
From: Bob Gezelter <gezelter@rlgsc.com>
Subject: Optional is not always optional
While it is common to mark webform fields as *Mandatory* or *Optional*, *Optional* is not always optional.
Regulators require financial institutions to ``Know their customer.''
Knowing your customer generally includes an identity check against databases including driver's license, passports, and other identity documents, as well
as information such as vehicle ownership, land ownership and other public records.
I recently had occasion to fill out just such a form. The field for Middle Initial was marked as optional. Much to my surprise, the identity validation failed when I used my New York Driver's License. I tried again, using my US Passport. Validation failed again. Strange, I have been out of the country
many times and never had a problem re-entering. As a lark while on hold for the help line, I tried entering my *Optional* Middle Initial. Success.
If an input leads to an inaccurate or incorrect result, it is NOT optional.
------------------------------
Date: Sun, 20 Jun 2021 19:37:14 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Facial Recognition Failures Are Locking People Out of Unemployment
Systems (Vice)
ID.me's CEO says unemployment fraud is costing taxpayers $400 billion, but
his own company is denying claims because of problems with its tech, users
say.
https://www.vice.com/en/article/5dbywn/facial-recognition-failures-are-locking-people-out-of-unemployment-systems
------------------------------
Date: Sat, 19 Jun 2021 13:11:32 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Doggie device prompts scare that closed CIA front gate,
spokeswoman says (WashPost)
Doggie device prompts scare that closed CIA front gate, spokeswoman says
A remote control for a dog training collar was removed by law enforcement.
The front gate of the CIA headquarters in McLean was briefly closed Friday afternoon as authorities investigated a small electronic device that was
left outside the security perimeter, a spokeswoman said.
It turned out to be a remote control for a dog training collar, the
spokeswoman said, but that wasn't discovered before law enforcement teams
were called to the scene and news helicopters were circling overhead. The device posed no threat.
Video from a WJLA helicopter at the scene showed what appeared to be a law enforcement officer in a protective outfit using a long yellow pole to
remove the item from the top of a white column on a sidewalk. A law
enforcement robot was also in the area.
https://www.washingtonpost.com/local/public-safety/cia--suspicious-package-probe-mclean/2021/06/18/26d953c2-d054-11eb-8014-2f3926ca24d9_story.html
I understand sensitivity, given:
https://en.wikipedia.org/wiki/CIA_headquarters_shooting
------------------------------
Date: Fri, 18 Jun 2021 17:29:28 +0800
From: Richard Stein <rmstein@ieee.org>
Subject: This tech uses augmented reality to give surgeons 'superpowers'
(cnn.com)
https://edition.cnn.com/2021/06/17/health/augmented-surgery-syncar-technology-spc-hnk/index.html
'"When you have your hands on something delicate, such as the brain, every minute and second matters. Every small movement matters," says Moty Avisar,
CEO and co-founder of Surgical Theater. "If you have to pull your head away from the microscope to look at a display and then go backwards, it disturbs
the continuity of the surgery."'
These systems capture real-time radiological imaging and overlay them with augmented reality content -- patient tissue/anatomy, position/orientation of surgical instruments placed within, implanted electrodes, patient vitals (pulse, oxygen saturation, blood pressure, etc.) -- for rendering on a
heads-up display or goggle mounted display to minimize a surgeon's head movements. The raw imaging + overlay is recorded.
The FDA's TPLC platform reports over 280 manufacturers of approved medical devices that possess and perform "system, image processing, radiological" capabilities, a label assigned to devices with product code LLZ. See
https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfTPLC/tplc.cfm?id=5558 (retrieved on 18JUN2021) for device and patient issues reported between 01JAN2016 and 31MAY2021.
The number of deployed AR platforms, their frequency of use, surgery
procedure specialties, etc. are unknown. I count 619 device malfunctions, 35 injuries, and 4 deaths per medical device reports (MDRs) between 01JAN2016
and 31MAY2021 for the LLZ product code classification.
The top-10 Device Problems, in CSV format, are:
Device Problems,MDRs with this Device Problem,Events in those MDRs
Computer Software Problem,180,180
Loss of Data,137,137
Data Problem,108,108
Use of Device Problem,73,73
Patient Data Problem,52,52
Device Operates Differently Than Expected,47,47
Device Issue,37,37
Adverse Event Without Identified Device or Use Problem,27,27
Device Operational Issue,18,18
Application Program Problem: Parameter Calculation Error,17,17
The top-10 Patient Problems, in CSV format, are:
Patient Problems,MDRs with this Patient Problem,Events in those MDRs
No Known Impact Or Consequence To Patient,456,456
No Consequences Or Impact To Patient,69,69
"No Clinical Signs, Symptoms or Conditions",55,55
No Patient Involvement,36,36
No Information,20,20
No Code Available,7,7
Misdiagnosis,6,6
Failure of Implant,4,4
Insufficient Information,4,4
Missing Value Reason,4,4
------------------------------
Date: Sat, 12 Jun 2021 20:22:01 -0400
From: David Tarabar <dtarabar@acm.org>
Subject: Caps and Gowns and credit-card fraud
Thousands of college grads who ordered caps and gowns from Herff Jones discovered that their credit-card info had been leaked.
https://www.bostonglobe.com/2021/06/11/metro/bu-graduates-had-identities-stolen-while-buying-caps-gowns/?p1=BGSearch_Advanced_Results
[Cap-itchulater, allocater? Gown but not ForCotton? PGN]
------------------------------
Date: Sun, 13 Jun 2021 19:45:25 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Hard to fathom this having been a design goal...
...might as well document how it turned out:
*Note:* If you're logged in to a Microsoft account in your browser while changing your News widget settings but not logged in to the same Microsoft account in Windows 10, the settings on the MSN.com page will not work. In
that case, you'll need to log out of your Microsoft account in your browser, reload the MSN widget settings page, and then make the changes again. Reload the widget to make the settings take effect.
https://www.howtogeek.com/733709/how-to-configure-windows-10s-weather-news-taskbar-widget/
------------------------------
Date: Tue, 15 Jun 2021 08:41:44 +0800
From: Richard Stein <rmstein@ieee.org>
Subject: Biomimetic resonant acoustic sensor detecting far-distant voices
accurately to hit the market (Techxplore.com)
https://techxplore.com/news/2021-06-biomimetic-resonant-acoustic-sensor-far-distant.html
"The flexible acoustic sensor has been miniaturized for embedding into smartphones and the first commercial prototype is ready for accurate and far-distant voice detection."
"The error rate of speaker identification was significantly reduced by 56% (with 150 training datasets) and 75% (with 2,800 training datasets) compared
to that of a MEMS condenser device."
Voice biometric sensors can discriminate among multiple concurrent conversations to identify a known speaker.
Deployment of sensitized voice activation gear, in certain environments
(launch control, factory operation, open-outcry trading), may initiate
unwanted events.
------------------------------
Date: Wed, 16 Jun 2021 14:36:33 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Apple Says It's Time to Digitize Your ID, Ready or Not (WiReD)
Digital driver's licenses have had a slow start in the US so far, but iOS 15 Wallet will give the nascent technology a serious push.
If you've ever scanned a digital boarding pass directly from your phone at airport security, you can imagine how doing the same with your driver's
license would make life a little easier. Beginning in iOS 15 this fall,
Apple will enable just that, letting you store your state ID alongside your credit cards, loyalty programs, transit passes, and even door and car keys
in Apple Wallet. By doing so, the company won't just introduce convenience;
it may well be the tipping point that forces more states, the US government, and even Android to make digital driver's licenses the norm.
Apple itself isn't launching a universal digital identification scheme;
plenty of others have embarked on technically and geopolitically fraught efforts to create a new type of private and secure ID for everyone. And
digital driver's licenses aren't entirely novel. States like Oklahoma, Delaware, and Arizona have recently worked with a company called IDEMIA to develop both the infrastructure and a companion app to support digital
driver's licenses. And Colorado and Louisiana introduced digital IDs more
than two years ago.
It's still very much early days, though. Every state that allows for digital driver's licenses still requires you to carry the physical version, and some mobile licenses currently can't be used outside the state that issued
them. That's partly because the federal government is in the process of introducing new design requirements to make driver's licenses harder to
forge or manipulate, part of the REAL ID Act. Apple didn't speak to the
issue directly, but will presumably build in the ability to use Wallet IDs
out of state for flying. [...]
One major question is how Apple users and law enforcement like TSA agents
will actually interact with these digital IDs. If your driver's license is
on your phone, you could potentially have to present your fully unlocked
device to a law enforcement agent in a transaction like a traffic stop or at airport security. That could, in turn, expose you to incidental search of
your data, social media accounts, or anything else the agent flicks
to. Customs and border crossings are already fraught with digital privacy threats, even within the US.
https://www.wired.com/story/apple-wallet-drivers-license-digital-id/
...and will there be charging stations along TSA lines?
------------------------------
Date: Thu, 17 Jun 2021 01:12:24 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: What If Doctors Are Always Watching, but Never There? (WiReD)
Remote technology could save lives by monitoring health from home or outside the hospital. It could also push patients and health care providers further apart.
Author writes:
This question stayed with me for years, as I started seeing patients in my
own clinic. My desire to find better ways of really seeing what was
happening with them was sharpened by the coronavirus pandemic. I wondered:
How can we safely assess and monitor all these patients we now consult
remotely, in their own homes? I set out to discover ways that technology
might help me work more safely in the community, which led to a new piece
of equipment that was initially developed for the Formula One racing
circuit, and which is currently being piloted in intensive care to see if
it picks up early signs of decline in children. [...]
But while remote monitoring technologies will extend the frontiers of
medicine into domestic, private spaces, will they also, paradoxically, push patients and health care workers further apart? With health care systems desperate to save money, this kind of innovation could give managers an
excuse to load health care providers with more patients, or to cut nursing staff, hoping fewer people could do the same work by relying on digital
tools. Duncan insists that her kit must assist, and not replace, human caregivers, but it is hard to see how this can be guaranteed. In a system
where costs are measured and metered, it's unlikely that the time saved by using technology would be allocated to help care workers commune in
invaluable but unprofitable ways, with their patients.
In other words, remote patient monitoring may mean that doctors are always watching, but never there. I may be guilty of nostalgia; one could argue
that remote monitoring is simply a predictable, and welcome, next step in finding safer ways to keep an eye on patients. But while the invention of
the observation chart punted the doctor from the bedside to the foot of the bed, remote patient monitoring kicks us out of sight. Duncan says her team
has tried to prevent this by requiring that patients get regular physical checks. ``I wouldn't set up a system that's fully automated, that didn't
have somebody at least checking in once a day, if not twice a day, on these patients,'' she says.
https://www.wired.com/story/can-remote-tech-save-lives/
------------------------------
Date: Thu, 17 Jun 2021 16:32:29 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: End-to-End Verifiability Key to Future Election Security
Author -- not me -- writes:
With future elections likely to divide along stark partisan lines, and
election security in question, end-to-end verifiability can let voters know that their ballots have been received and not tampered with.
One solution to this problem is to introduce end-to-end (E2E) verifiability
in elections. E2E allows voters to know that not only have election
officials received their ballot, but also that no one has tampered with it along the way. E2E makes this possible by creating a unique tracking number that is cryptographically linked to how they cast their vote, ensuring that
any attempt to alter their ballot could be detected.
Moreover, E2E allows everyone -- news media, political parties, candidates, voters and outside observers -- to fully audit the results of an election, ensuring that all ballots are counted as cast, while still protecting
voters' privacy. E2E enables this feature using homomorphic encryption.
[...]
Perhaps the best part of E2E is that it is a concept, not a single product,
and multiple companies, researchers and election officials have devised E2E voting systems. And some even have substantial backing -- Microsoft, for example, released a free, open source software development kit that
developers can use to integrate E2E into their voting systems.
https://www.govtech.com/opinion/end-to-end-verifiability-key-to-future-election-security.htm
Really? A high-tech concept will work for some voters, not for others...
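A toy version of the two E2E ingredients named above, added here as an illustration and not code from the article, GovTech, or Microsoft's kit: Paillier encryption (with constructed, far-too-small primes) supplies the additive homomorphism that lets the aggregate be decrypted without opening any single ballot, and a hash of each published ciphertext serves as the voter's tracking code, so a ballot altered after casting no longer matches the code the voter holds. Candidate names, voter count and key sizes are all constructed for the demo.

```python
"""Toy end-to-end verifiable tally: Paillier homomorphic sum + tracking codes.

Added illustration only. Real E2E systems (e.g. ElectionGuard) use different
primitives, large keys and zero-knowledge proofs of correct decryption.
"""
import hashlib
import math
import secrets

# Constructed demo key: small primes chosen for readability, not security.
P, Q = 1000003, 1000033            # both prime
N = P * Q
N_SQ = N * N
G = N + 1                          # the usual Paillier generator choice
LAMBDA = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # lcm(p-1, q-1)
MU = pow(LAMBDA, -1, N)            # with g = n+1, L(g^lambda mod n^2) = lambda mod n

CANDIDATES = ("Alice", "Bob", "Carol")   # constructed
SLOT = 1000                               # per-candidate counter width; must exceed voter count


def encrypt(m: int) -> int:
    """Paillier encryption: c = g^m * r^n mod n^2 with a fresh random r in Z_n*."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            break
    return (pow(G, m, N_SQ) * pow(r, N, N_SQ)) % N_SQ


def decrypt(c: int) -> int:
    """Paillier decryption: m = L(c^lambda mod n^2) * mu mod n, L(u) = (u-1)/n."""
    u = pow(c, LAMBDA, N_SQ)
    return ((u - 1) // N * MU) % N


def encode_choice(name: str) -> int:
    """Pack a one-hot vote into one integer: slot i carries candidate i's count."""
    return SLOT ** CANDIDATES.index(name)


def decode_tally(m: int) -> dict:
    """Unpack the summed plaintext back into per-candidate counts."""
    counts = {}
    for name in CANDIDATES:
        counts[name] = m % SLOT
        m //= SLOT
    return counts


def tracking_code(ciphertext: int) -> str:
    """Voter-facing code bound to the exact encrypted ballot (SHA-256, truncated for display)."""
    return hashlib.sha256(str(ciphertext).encode()).hexdigest()[:16]


def cast_ballot(name: str, board: list) -> str:
    """Encrypt a vote, publish the ciphertext on the public bulletin board, return the code."""
    c = encrypt(encode_choice(name))
    board.append(c)
    return tracking_code(c)


def voter_can_verify(board: list, code: str) -> bool:
    """Inclusion check any voter or observer can run: is my exact ballot on the board?"""
    return any(tracking_code(c) == code for c in board)


def homomorphic_tally(board: list) -> dict:
    """Multiply all ciphertexts (which adds the plaintexts) and decrypt only the aggregate."""
    total = 1
    for c in board:
        total = (total * c) % N_SQ
    return decode_tally(decrypt(total))


def demo():
    """Constructed election of five voters; afterwards one ballot is swapped in transit."""
    board = []
    votes = ["Alice", "Bob", "Alice", "Carol", "Alice"]
    codes = [cast_ballot(v, board) for v in votes]
    tally = homomorphic_tally(board)                    # {'Alice': 3, 'Bob': 1, 'Carol': 1}
    all_present = all(voter_can_verify(board, code) for code in codes)
    # Tampering: the second voter's ballot is replaced by a fresh encryption of another choice.
    board[1] = encrypt(encode_choice("Alice"))
    tamper_detected = not voter_can_verify(board, codes[1])
    return tally, all_present, tamper_detected


if __name__ == "__main__":
    print(demo())
```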
------------------------------
Date: Thu, 17 Jun 2021 16:49:50 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Government Chatbots Now a Necessity for States, Cities, Counties
Before COVID-19, a few leading governments were dabbling in chatbot
technology, using AI to address common resident queries. In 2021, it's hard
to imagine government doing the people's business without them. [...]
A lot of the jurisdictions surveyed used their chatbots for COVID-19-related purposes. Connecticut COVID chatbot, for example, built using technology
from IBM Watson, logged nearly 40,000 interactions in a four-month period beginning last March. The state estimates that it did the work of four full-time employees during that time. But chatbots often proved useful well beyond COVID-19 needs as well.
Placer County, Calif., for example, has a bot called *Ask Placer* capable of answering more than 375 questions. IT agencies in San Joaquin County, Calif., and Fairfax County, Va., both worked with other departments to figure out what their needs were and what their most frequent questions were so that they could build
those into their chatbots.
Minnesota has a similar approach, leaning on its IBM Watson chatbot to help address general inquiries. Iowa's chatbot dates back to late 2018, and capabilities continue to be added as new needs arise. Seventeen agencies now use it, and so does the public. In May 2020, the state's chatbot
tools, combined with its live chat function, saved an estimated 1,700 hours
of staff time that would have been spent addressing those same inquiries
using traditional tools.
https://www.govtech.com/products/government-chatbots-now-a-necessity-for-states-cities-counties.html
Having used chatbots since https://en.wikipedia.org/wiki/SmarterChild -- born in 2000 as ActiveBuddy -- I'm skeptical about their ability to be very intelligent. It would have been helpful having, alongside government
staffers praising them, customer testimonials to their success. A frequent frustration is a chatbot being unable to answer a question but continuing to provide useless information, vs. fetching a human. Now the annoyance of telephone answering systems not allowing reaching a human will be matched by chatbots unwilling to fetch help.
------------------------------
Date: Fri, 18 Jun 2021 14:41:22 -0700
From: Henry Baker <hbaker1@pipeline.com>
Subject: Wabi-sabi software systems
I've devoted a significant fraction of my computer science career trying to improve 'memory safety' in computer systems, and I believe that this
particular article below (including its figures) is perhaps the best set of arguments I've ever seen for using a type-safe and memory-safe language for 'systems' programming.
Garbage collection is great for memory safety, but we live in a TWO
dimensional world of both constraints on access to particular areas of
memory and constraints on access to particular moments in time of a
computer's processor(s).
Most garbage collectors solve the memory safety problem at the expense of DDOS'ing the CPU's time schedule, making it difficult -- if not impossible
-- to assure continuous responsiveness.
The Rust programming language seems to provide a decent compromise of memory safety AND predictable time scheduling. Hopefully, additional language/OS mechanisms will be developed to enable even better 'schedule safety' WITH 'memory safety' for future computer systems with thousands of cores.
I'm looking forward to seeing Rust used to improve both Android- and Linux-powered computer systems. Perhaps Rust is 50 years too late to solve
our very-near-term computer security problems, but better late than never!
https://security.googleblog.com/2021/04/rust-in-android-platform.html
(See also https://security.googleblog.com/2021/04/rust-in-linux-kernel.html)
Rust in the Android platform
April 6, 2021
Posted by Jeff Vander Stoep and Stephen Hines, Android Team
Correctness of code in the Android platform is a top priority for the
security, stability, and quality of each Android release. Memory safety bugs
in C and C++ continue to be the most-difficult-to-address source of incorrectness. We invest a great deal of effort and resources into
detecting, fixing, and mitigating this class of bugs, and these efforts are effective in preventing a large number of bugs from making it into Android releases. Yet in spite of these efforts, memory safety bugs continue to be a top contributor of stability issues, and consistently represent ~70% of Android's high severity security vulnerabilities.
In addition to ongoing and upcoming efforts to improve detection of memory bugs, we are ramping up efforts to prevent them in the first place.
Memory-safe languages are the most cost-effective means for preventing
memory bugs. In addition to memory-safe languages like Kotlin and Java,
we're excited to announce that the Android Open Source Project (AOSP) now supports the Rust programming language for developing the OS itself.
Systems programming
Managed languages like Java and Kotlin are the best option for Android app development. These languages are designed for ease of use, portability, and safety. The Android Runtime (ART) manages memory on behalf of the
developer. The Android OS uses Java extensively, effectively protecting
large portions of the Android platform from memory bugs. Unfortunately, for
the lower layers of the OS, Java and Kotlin are not an option.
Lower levels of the OS require systems programming languages like C, C++,
and Rust. These languages are designed with control and predictability as goals. They provide access to low level system resources and hardware. They
are light on resources and have more predictable performance
characteristics.
For C and C++, the developer is responsible for managing memory
lifetime. Unfortunately, it's easy to make mistakes when doing this,
especially in complex and multithreaded codebases.
Rust provides memory safety guarantees by using a combination of
compile-time checks to enforce object lifetime/ownership and runtime checks
to ensure that memory accesses are valid. This safety is achieved while providing equivalent performance to C and C++.
The limits of sandboxing
C and C++ languages don't provide these same safety guarantees and require robust isolation. All Android processes are sandboxed and we follow the Rule
of 2 to decide if functionality necessitates additional isolation and deprivileging. The Rule of 2 is simple: given three options, developers may only select two of the following three options.
For Android, this means that if code is written in C/C++ and parses untrustworthy input, it should be contained within a tightly constrained and unprivileged sandbox. While adherence to the Rule of 2 has been effective in reducing the severity and reachability of security vulnerabilities, it does come with limitations. Sandboxing is expensive: the new processes it
requires consume additional overhead and introduce latency due to IPC and additional memory usage. Sandboxing doesn't eliminate vulnerabilities from
the code and its efficacy is reduced by high bug density, allowing attackers
to chain multiple vulnerabilities together.
Memory-safe languages like Rust help us overcome these limitations in two
ways:
Lowers the density of bugs within our code, which increases the
effectiveness of our current sandboxing.
Reduces our sandboxing needs, allowing introduction of new features that
are both safer and lighter on resources.
But what about all that existing C++?
Of course, introducing a new programming language does nothing to address
bugs in our existing C/C++ code. Even if we redirected the efforts of every software engineer on the Android team, rewriting tens of millions of lines
of code is simply not feasible.
The above analysis of the age of memory safety bugs in Android (measured
from when they were first introduced) demonstrates why our memory-safe
language efforts are best focused on new development and not on rewriting mature C/C++ code. Most of our memory bugs occur in new or recently modified code, with about 50% being less than a year old.
The comparative rarity of older memory bugs may come as a surprise to some,
but we've found that old code is not where we most urgently need
improvement. Software bugs are found and fixed over time, so we would
expect the number of bugs in code that is being maintained but not actively developed to go down over time. Just as reducing the number and density of
bugs improves the effectiveness of sandboxing, it also improves the effectiveness of bug detection.
Limitations of detection
Bug detection via robust testing, sanitization, and fuzzing is crucial for improving the quality and correctness of all software, including software written in Rust. A key limitation for the most effective memory safety detection techniques is that the erroneous state must actually be triggered
in instrumented code in order to be detected. Even in code bases with excellent test/fuzz coverage, this results in a lot of bugs going
undetected.
[continued in next message]