Jeff Vander Stoep
@jeffvanderstoep
Android security @google
Joined January 2016
Finally, more importantly, and back to the original motivation, the rewrite appears to demonstrate exactly what it was intended to do, which is to allow Binder to be developed and evolved, with much higher confidence, to meet Android's needs. 8/8
But it's not just impressive when compared to the 2019 refactor (not even a rewrite) in C, it's impressive when compared to C-Binder's steady state of 3-4 vulns per year. A complete rewrite, despite the risks, seems less risky than the existing mature C driver. 7/
The last refactor of the C driver in 2019 resulted in a wave of 9 vulnerabilities. A single vuln (that never actually shipped to any devices) for a complete rewrite into Rust is pretty impressive by comparison. 6/
Binder needs a rethink to get out of this state. The good news is that Rust does make evolving Binder easier and safer. And Rust-Binder has even already prevented multiple vulnerabilities in C-Binder, e.g. by validating its locking https://t.co/7JYlKSp9be 5/
Binder is petrifying through a combination of complexity, technical debt, and security risk. Seemingly minor changes are risky. You can see this in the CVE count over the past few years. With little variance, Binder has about 3-4 high severity vulns per year, every year. 4/
So what gives? The motivation goes on to explain that Android needs more than just working code from Binder, it needs code that can continue to evolve to meet the evolving needs of the Android project. And that's where C-Binder is not holding up well. 3/
The motivation begins by agreeing that rewrites aren't great. The Android team has also provided data that "Code matures and gets safer with time, exponentially, making the returns on investments like rewrites diminish over time as code gets older." 2/ https://t.co/cBc3gMLzO6
security.googleblog.com
Posted by Jeff Vander Stoep - Android team, and Alex Rebert - Security Foundations Memory safety vulnerabilities remain a pervasive threa...
Let's discuss this hot take! > "re-writing working code is a religious obligation" Fortunately, we don't have to guess at the author's motivation (religious or otherwise), it's provided in the cover letter: 1/ https://t.co/a2FaLw3ic6
Rust programmers re-wrote a portion of the Linux kernel (Android's Binder) in Rust. (Because, it would seem, re-writing working code in Rust is a religious obligation for many.) That code was published with the Linux kernel update a few weeks back. Yesterday, it was revealed
NEW EPISODE! You may not be rewriting the world in Rust, but if you walk like the Android team, you'll drive down your memory-unsafety vulnerabilities more than 2X below the industry average over time! 🎉 https://t.co/KyH1NtVbC3
https://t.co/adWaPJBvKH
Agreed. We’re already prioritizing differently based on this data. It was a fun conversation, and we believe that it applies to a lot more than just memory safety.
Thomas also said “And that observation about the half life of vulnerabilities, if that’s true, says something pretty profound about what the work looks like to shift to a memory safe future.”
I agree with this. It feels like we discovered a game-changer not just in memory safety, but in security more generally - that doing something very practical results in major security improvements for non-obvious reasons. Focusing on new code is disproportionately effective.
Something that Thomas said in the podcast really stood out to me. He said “the blog post undersells it. …. This is a lot more interesting than it looks like on the tin.”
I joined @durumcrustulum and @thomas on the “Security Cryptography Whatever” podcast to talk about our latest blogpost: https://t.co/Kj0YYqBr8q
https://t.co/cBc3gMLzO6
I published an introductory post on how to use return-oriented programming (ROP) to bypass security mechanisms, like ASLR, W^X, and stack canaries 👾 https://t.co/AszjOeimKp
#OffensiveSecurity #InfoSec #ROP
🦀 Eliminating Memory Safety Vulnerabilities at the Source Rust caused memory safety vulnerabilities % in Android to drop from 76% to 24% over 6 years. 💡Key insight: new code is disproportionately responsible for bugs By @jeffvanderstoep, @ayper
https://t.co/eIpfwDXm7U
The drop in Android's memory safety vulnerabilities is astonishing. It's counterintuitive, but prioritizing memory-safe languages in new code quickly reduces memory-safety risks. Once we turn off the tap of new vulnerabilities, they start decreasing exponentially.
I’m super excited about this blogpost. The approach is so counterintuitive, and yet the results are so much better than anything else that we’ve tried for memory safety. We finally understand why. https://t.co/cBc3gMLzO6
Google's implementing #SafeCoding to build more secure software, and the results are impressive. @Android saw a massive drop in memory safety bugs by switching to languages like #Rust. Read more in our latest blog:
I’m super excited about this blogpost. The approach is so counterintuitive, and yet the results are so much better than anything else that we’ve tried for memory safety. We finally understand why. https://t.co/cBc3gMLzO6
Popping in to say that a presidential candidate advocating to stop all childhood vaccines should be national news and disqualifying. The media failure literally takes my breath away. Childhood vaccines isn't a both sides issue you fucking idiots, it's like a public health thing.