
Re: [std-proposals] Draft 2: Error on out-of-bounds index

From: Oliver Hunt <oliver_at_[hidden]>
Date: Sat, 30 Aug 2025 16:09:23 -0700
> On Aug 30, 2025, at 9:29 AM, Thiago Macieira via Std-Proposals <std-proposals_at_[hidden]> wrote:
>
> On Friday, 29 August 2025 18:23:20 Pacific Daylight Time Oliver Hunt via Std-Proposals wrote:
>> Yes - and if you used a std::array, or a std::span, or a std::vector, or
>> many other types - with the hardened runtime option, sigh - it would
>> correctly fail without a security vulnerability.
>
> I'd argue that a denial-of-service by causing the hardened checkers to trip
> and halt the application is also a security vulnerability.

Yes, bugs in software are bad.

There is no case where guaranteed termination is worse than non-guaranteed termination.

Very simply: if you have a bug that with the hardened runtime causes a DoS on your service,
and a DoS is a security vulnerability, then an attacker can cause a DoS if they want to, without
the hardened runtime because the whole purpose of the hardened runtime is making the
failure happen immediately, rather than allowing an attacker to control the point of the failure.

I am getting very tired of these arguments about “immediate termination is a security/safety
vulnerability” because it completely fails to understand that if you have a bug that results in
termination, the bug can be made to cause termination anyway.

The best case scenario for a bug in your code, in which the hardened runtime causes an
immediate failure, is that an attacker can also create a DoS using the same bug. I.e. the best
case scenario for not using the hardened runtime is security _parity_.

Of course that is the absolute best case: in reality, without the hardened runtime, the bug in
your code can be used to do far, far more than a DoS: it can be used by the attacker to read
or write data in your process, which can be leveraged to exfiltrate data, or to take complete
control of the system - and then, as we have seen repeatedly, to extend that control into
access to other systems that are connected.

There is literally no case where an immediate termination is worse than not terminating.

The reverse is not true.

—Oliver
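An added example, not from the thread or any of its participants: an index taken from untrusted input is looked up both through an unchecked pointer and through std::array::at(), the always-checked relative of the operator[] check that a hardened standard library turns on. The table contents, request format and helper names are constructed for illustration.

```cpp
#include <array>
#include <cstddef>
#include <stdexcept>
#include <string>

// Unchecked lookup: nothing stops idx from running past the table, which is
// the situation the thread describes as letting an attacker choose where and
// how the failure happens. For idx >= table length the read is undefined.
int lookup_unchecked(const int* table, std::size_t idx) {
    return table[idx];
}

// Checked lookup: std::array::at() always bounds-checks. A hardened standard
// library (libc++ built with _LIBCPP_HARDENING_MODE, or libstdc++ with
// _GLIBCXX_ASSERTIONS) applies the same check to operator[] and aborts the
// process on failure instead of throwing; either way execution stops at the bug.
int lookup_checked(const std::array<int, 4>& table, std::size_t idx) {
    return table.at(idx);   // throws std::out_of_range for idx >= 4
}

// Parse an index the way a network service might take it from a client.
// std::stoull accepts "-1" and wraps it to a huge value, and any parse
// failure is mapped to SIZE_MAX here, so the lookup's own bounds check is
// the only thing between the input and the memory past the table.
std::size_t parse_index(const std::string& s) {
    try {
        return static_cast<std::size_t>(std::stoull(s));
    } catch (const std::exception&) {
        return static_cast<std::size_t>(-1);
    }
}

enum class Outcome { Ok, RejectedImmediately };
struct Result { Outcome outcome; int value; };

// Serve one request through the checked path. An out-of-range index is
// rejected at the lookup with process state intact: the worst the bug yields
// is the failed request, not a read or write into the process.
Result serve_checked(const std::string& input) {
    static const std::array<int, 4> table{10, 20, 30, 40};   // constructed data
    try {
        return {Outcome::Ok, lookup_checked(table, parse_index(input))};
    } catch (const std::out_of_range&) {
        return {Outcome::RejectedImmediately, 0};
    }
}
```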

Received on 2025-08-30 23:09:36