On 14 March 2017 at 09:13, Stefan Hajnoczi <stefanha@xxxxxxxxx> wrote: > The minimum requirements for the new language: > 3. Is it safer than C even when writing code to operate on guest RAM > (i.e. it's no good if you must use unsafe primitives to do the > systems programming tasks that QEMU requires)? My impression is that many of our security vulnerabilities are overflows in local arrays in the device emulation (for instance good old VENOM), so I think that even if a candidate safer language only provided bounds-checking on arrays it knew about and not on raw guest RAM it would still be a significant improvement. (Accesses to guest RAM are often via APIs that we could add bounds-checks to "by hand" anyway.) So I wouldn't consider this as a "minimum requirement", only a "nice to have". thanks -- PMM
