On 14/03/2017 11:39, Peter Maydell wrote:
>> 3. Is it safer than C even when writing code to operate on guest RAM
>> (i.e. it's no good if you must use unsafe primitives to do the
>> systems programming tasks that QEMU requires)?
> My impression is that many of our security vulnerabilities are
> overflows in local arrays in the device emulation (for instance
> good old VENOM), so I think that even if a candidate safer
> language only provided bounds-checking on arrays it knew about
> and not on raw guest RAM it would still be a significant
> improvement. (Accesses to guest RAM are often via APIs that
> we could add bounds-checks to "by hand" anyway.)

Right, this was one of the reasons behind the introduction of
MemoryRegionCache: get both speed (like address_space_map) and bounds
checking (like address_space_rw). It looks like it should be easy to
wrap it in any language, be it Rust or a scripting language like Lua.

Paolo
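The two failure modes discussed in this exchange, an unchecked index into a device model's local array and an unchecked offset into guest RAM, can both be closed with a cheap range check in front of the raw pointer. The C below is an added illustration written for this page, not QEMU code: `guest_cache`, `guest_cache_init`, `guest_cache_read`, `guest_cache_write`, `device_fifo_write_checked` and the simulated `guest_ram` array are all hypothetical names constructed for the example. It sketches the shape of the idea Paolo describes (resolve the host pointer for a window once, then bounds-check every access against that window) without reproducing MemoryRegionCache's real API.

```c
/* Added example, not QEMU code. All names below are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simulated guest RAM, constructed for the example. */
#define GUEST_RAM_SIZE 4096
static uint8_t guest_ram[GUEST_RAM_SIZE];

/* A cache describes one contiguous window [base, base+len) of guest RAM.
 * The host pointer is resolved once (the "map"-style speed); every later
 * access only pays a range check (the "rw"-style safety). */
typedef struct {
    uint8_t *ptr;   /* host pointer to the start of the window, or NULL */
    uint64_t base;  /* guest physical address of the window */
    uint64_t len;   /* window length in bytes */
} guest_cache;

/* Resolve a window once. Fails if the window itself leaves guest RAM;
 * the check is ordered so base + len cannot wrap. */
bool guest_cache_init(guest_cache *c, uint64_t base, uint64_t len)
{
    if (len == 0 || base > GUEST_RAM_SIZE || len > GUEST_RAM_SIZE - base) {
        c->ptr = NULL;
        c->base = 0;
        c->len = 0;
        return false;
    }
    c->ptr = guest_ram + base;
    c->base = base;
    c->len = len;
    return true;
}

/* Range check for [addr, addr+size) inside the window, written without
 * computing addr + size so a huge guest-supplied addr cannot wrap. */
static bool cache_in_range(const guest_cache *c, uint64_t addr, uint64_t size)
{
    return c->ptr != NULL && addr <= c->len && size <= c->len - addr;
}

bool guest_cache_read(const guest_cache *c, uint64_t addr, void *buf, size_t size)
{
    if (!cache_in_range(c, addr, size)) {
        return false;
    }
    memcpy(buf, c->ptr + addr, size);
    return true;
}

bool guest_cache_write(guest_cache *c, uint64_t addr, const void *buf, size_t size)
{
    if (!cache_in_range(c, addr, size)) {
        return false;
    }
    memcpy(c->ptr + addr, buf, size);
    return true;
}

/* The other bug class from the thread: a device model keeps a small local
 * FIFO and lets a guest-steered index select the slot. Without the check
 * below, an index >= FIFO_SIZE writes past the array into the rest of the
 * device state; with it, the guest's bad index is simply rejected. */
#define FIFO_SIZE 16

typedef struct {
    uint8_t fifo[FIFO_SIZE];
    uint32_t index;  /* guest-influenced through register writes */
} device_state;

bool device_fifo_write_checked(device_state *d, uint32_t index, uint8_t v)
{
    if (index >= FIFO_SIZE) {
        return false;
    }
    d->fifo[index] = v;
    d->index = index;
    return true;
}
```

The interesting part is the order of comparisons in `guest_cache_init` and `cache_in_range`: checking `size <= len - addr` only after `addr <= len` keeps every subtraction non-negative, so a guest passing an offset near `UINT64_MAX` is caught by the first test instead of wrapping the sum and sneaking past a naive `addr + size <= len`.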