OpenSSF Memory Safety, 30 Mar 2023

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: Memory Safety Sig (March 30, 2023)

Description

Agenda: https://docs.google.com/document/d/1Ehpp1UmAIqMs0ZdKr15sd5MS48OeaGKB9H40htVehs4/edit#heading=h.lzd5uo4s8pnd

A

It's the probe, your return, hello.

A

I'm, looking forward to seeing you again in Vancouver by the way.

B

Thanks same I, just pushed the button and I now have airplane tickets. To get there hey.

A

There you go, what are you? Are you doing anything interesting yet before or afterwards,.

B

um I I don't know yet.

A

Yeah I'm thinking I'm debating staying the weekend and hanging out.

B

um I won't be able to stay the weekend. I was lucky to get allowed to come. um I'll be headed out Saturday morning, but I'll get there. Monday yeah.

A

Have fun I'll be lovely to see you and I have a new jacket to match my uh my my hat that uh that I bought um at Pax so neat yeah.

B

I have several uh new hats that might be unveiled there very nice.

A

Nell is that are those three 3D printers.

C

Behind you or two, there are three that well there's one behind my head: okay,.

A

And there's the.

C

Resin printer, which has a Washing, State, washing and curing station okay, and then yes, there's another 3D printer, so three 3D printers and one washing and curing station love.

A

It what do you normally print? What is like your like, if I'm, printing, something I'm, probably printing x, I.

C

So with the fdm printers, probably stuff for my garden in my shed I, do quite a bit of that also pieces of terrain and then with the resin printer uh little Miniatures for war, gaming and Dungeons and Dragons, and such that.

A

C

A

Very cool I have I. My fiance was telling me that there is um the new TNT movie and the current perspective seems to be I, went in with low expectations, and ah that was better than I expected. It was good. Yeah was.

B

It good yeah I had a sneak preview ticket. It was good, no okay, all right, not gonna change your life, but it was, it was fun. Did.

A

You did you go in with low expectations and you were happily surprised or where did you go on with the high expectations when we're happy.

B

Having survived the first two outings for a d d movie, I thought it was very lots of little Easter eggs, um good script, good character, development. It was enjoyable, cool, awesome again, it's not like Academy Award winning, but it was fun. Yeah, yeah,.

A

Now, and for those of you, you should all go, see everything everywhere all at once. Now that was a trip and a half, but also a spectacular experience.

C

Awesome uh so I just posted a link to the agenda in the uh whatever that is meeting chat, um so I'm not able to make changes without it doing the weird tracking changes thing at the moment, and it says I'm Anonymous, uh so uh we uh working at Microsoft and not having a work Google account, though I'm working on that, uh but yeah I would love if everyone could go in under today's date and add in your name and your affiliation, which I'll go ahead and do right now.

D

Was this in chat and zoom.

C

Correct and I will put it in sorry.

D

I was a little late, so I missed.

C

It, oh no worries and uh Zoom doesn't show the chat history. So there we go.

C

Let's see if we can get permissions on the stock uh situated.

C

Oh girl, I just ruined it. Okay, there we go.

C

And we will get started in just a few minutes here.

C

Yeah until very recently, um so at one point, I was a GitHub employee, so I had access to I still had access to github's Google account, uh but that finally got shut off recently, which I can understand. Why uh so um uh that uh yep, but we've got it.

C

All right and let's go ahead and start off with some introductions, because I know: we've got some newer people here. So let's go ahead and do we'll do a full round of introductions: I'm Nell, shamrel, Harrington I'm, a principal engineer at Microsoft I'm, also uh the vice chair of the board of the rust Foundation uh strong interest in memory safety, uh not just in Rust, though that that has been my primary area of focus for a few years, uh glad to be here uh leading this.

C

uh This sig, or at least as the technical lead and let's go ahead and go to Gabby. Next, oh.

E

Okay, um Gabby I'm an architect for uh visuals to do uh product, particularly C, plus, plus and I'm interested in um systems. Programming I represent Microsoft on the I, also C, plus plus committee, and you know, I've been working with Dennis restaurant to bring more safety to C, plus plus. So my being here.

C

Awesome: uh let's go to Josh next.

F

C

G

F

With the Internet Security research group in Pro Simon um do a lot of work on memory safety for critical software on the internet, nice to be here.

C

Glad to have you uh let's go to Jonathan next.

A

Find the unmute button hi, my name is Jonathan likes. You I am an open source security, software, security researcher and software engineer.

A

um uh So yeah software engineer turned security researcher currently working for the open source security Foundation under project Alpha Omega, um mostly Java developer, so already memory safe, but you know devil in in other places too. So yeah.

C

Cool uh Chrome.

B

Hey everybody I'm krobe my day, job is I work at Intel, part of our product insurance and security group, but my fun job is I, get to work with the open, ssf I help lead and facilitate a couple working groups and sigs, and until Monday I am a current member of the attack, which is technical, advisory committee and Monday. We'll see what happens next. Okay,.

C

Is that a Cthulhu and a swan behind you.

B

C

Nice selection of water creatures, uh all right, uh let's go to Walter.

D

Yeah, hey everyone, I'm Walter, Pierce I'm. The security engineer from the rust foundation so obviously have some interest in memory. Safety, as it pertains to rust and I've also got a background in all kinds of security in the past 15 years. So uh memory, safety and braking memory, safety is kind of in my bag.

C

Awesome sauce: uh let's go to Christine.

G

Hey Christine, Abernathy and um I am at F5, where I lead the open source program office and just uh um attend a lot of different open ssf groups, and this is one of the more interesting ones. I'm just jumping in to learn more.

C

Glad to have you uh let's go to Jay.

H

I am Jay, um oh God this. This will be one of about a 100.

H

means, I I, attend and uh participate in, and and could and and we'll be contributing to uh very excited about this one, because I get to learn, I get to learn, stuff um and I'm always excited about that um and then uh yeah yeah happy to be here.

C

Awesome uh and then Randall.

I

I was kind of hoping you'd forget about me. Oh.

J

um I'm Randall I work at LF uh and I'm. Also the executive manager of SKF and Chief Architect of SKF I'm also a developer around the community of a lot of things and a packager and yeah.

C

Awesome cool well very, very glad to have all of you here and greetings to our audience, who might be watching the recording of this, so uh I will put a link to the agenda in the chat one more time there. We are so first item on the agenda. Is we are now part of the developer best practices Sig? Can we consider it official probe awesome?

C

So thank you so much for uh taking us under your wing, your Swan Wing uh behind you, and we really appreciate that.

B

Yep glad to have this here, it's an important piece of work and definitely meets with our kind of strategic goals for the foundation, so really happy to start collaborating.

C

Awesome and then, as part of that, we have a shiny, new, git, repo or GitHub repo that I just put in the chat and one of my items. Agenda items for this meeting was to plan out a little bit uh how we want to fill this out. uh Thankfully, thanks to Jay, we actually have our motivation, our objective and our scope already, which should be uh pretty easy to fill in, but there's some other work uh you know putting putting in some prior work.

C

uh I know: do we get a a mailing list probe? We.

B

Haven't I haven't had the chance to send it over okay.

C

B

A mailing list, you got the slack Channel, we have this meeting, we have the repo and anything else we need like. If we want a kanban board or discussions set up, we have all that all those tools available, cool.

C

Awesome and I'm sure we'll be filling out, chat, Charter and other things so I think the best approach to this might be. um Can I have a couple of volunteers to maybe work with me asynchronously uh throughout the next couple of weeks, and we can get this uh filled out.

D

Yeah I can help with that. Okay.

C

Walter all right, let me just uh put that in the notes.

C

Any other volunteers.

F

Sorry for what.

C

Oh uh for filling out our uh shiny new GitHub repo.

E

C

You can uh communicate over Slack uh throughout the week that is potential spam I'm, not answering that call uh and uh awesome all right. So next on the agenda, one of my ideas for our first project as a Sig now that we're official, um if this is something the group will be interested in- is rewriting the memory safety, uh language stream in the open source security, mobilization plan.

C

And the reason for the rewrite is uh me, and a couple of others were involved in some of the very early drafts of this, but this was written very, very quickly over I think less than two weeks at least the original language was, and we have a lot more perspectives and a lot more context now and I think it would be good to uh rewrite it.

B

I think that's a great idea. We had similar Thoughts with the cert and the education Sig I know. Josh is doing the s-bomb Sig a little differently, but uh yeah I I think there was a great start and it needs we'd have a year or more of learning that we can definitely refine and make it better.

C

C

uh Anyone else have thoughts on whether this is something we should be spending time on.

D

Mr hardy, yes,.

G

C

So one possibility for getting started. Is uh we or someone from openssf uh or gives me access to create a Google doc with the current language in it, and we can start commenting and marking up um that's one approach that we could take. We could also take it section by section but I think maybe doing a general. You know putting it in a Google doc. Doing a general comments. Overview part might be a good place to start.

C

uh Go ahead, trope.

B

So a lot of the working groups. uh Typically, what they'll do when you have an item of kind of high collaboration where you're going to be doing a lot of edits and kind of simultaneous things? Is the Google Doc approach? You copy things into a gdoc and then once things are generally stable, ish or you're happy enough, then you move it into GitHub and that way you can manage all changes through PRS and issues afterwards.

B

So that's a good, very valid approach and I can I.

E

Can either make a.

B

Dock for you or um poke the Ops folks to get us a back.

C

Cool that would be awesome.

C

B

Know that's what like with the Sig and the education plan. That's what we did is we copied things. We chopped it up into three sections that when we split up into little groups to focus on those sections and then iterated very quickly and then got it into git and then reviewed it more as a big, a larger group from that point forward gotcha, but you're free we're free to do. However, this group is interested in doing this, just how others have done it.

C

Makes sense I do think it might make sense to do it. You know start with the entire stream first. uh I definitely need to reread it with a fine tooth comb and I know. Many of us probably need to re re. That did you print it out.

C

That's awesome, uh I, but that that might be a good place to start get us all on the same page with it again and something I know many of you in this room. I've worked with before I know. uh We all know that there were constraints that this was written under and even when, when we have stuff in it that we're made critical of or we want to change, we always you know, keep that.

C

Keep that in mind uh that it's not a reflection of the original writers necessarily but uh we'll focus more on the content.

C

All right, so that is something I can work with probe and others to get it into a dock. Maybe after this meeting and then I can distribute that through the slack uh and uh we can get started on that before the next meeting.

C

And I do feel like I've been talking a lot. So are there any other uh thoughts on this or uh on this approach or on other things, we could do as a group.

C

Go ahead, Randall.

I

uh I, just plus one krome's idea, he I've been part of his rewrites in the past and I think we get through it effectively.

G

C

All right: well, that is what I had on the agenda. Is there anything else anyone would like to bring up or discuss? We've got a still got 45 minutes and, of course, I have no issue with. If a meeting has is ready to end ending early, but is there anything else people would like to discuss or would like to bring up.

B

Go ahead, group I I would suggest, just as you stated that there were certain constraints in a timeline when the original doc was written. So don't as we move forward, don't let that limit your vision. If there's new ideas or new things, uh new techniques, we've learned tools, uh keep that in mind and then, ultimately, this group should decide kind of what our next steps are like. What is our goal?

B

Do we just want to write a position paper and have a really nice blog and a you know, Tech paper, that kind of illustrates how to do things. Are we looking at educating developers and are we going to give tools on how to convert from C to rest, for example, and then um you know think about at the end of the day, is there some Financial ask and uh uh having lived through that for the last year, I'll be glad to assist in kind of shepherding us up to the governing board?

B

Once we have a a uh the groups decided to kind of request for funding uh resources, tools, money and then I can help get us in front of the governing board. To uh present that request,.

C

That would be awesome.

B

It's been a heck of a journey.

C

Yeah well, one of the things that um was discussed at the very beginning of this group was, you know putting together after we rewrite the language, putting together a list of projects and initiatives. uh This could include some of the work that prostamo is doing. This should include things in the C plus world like profiles, uh this could you know various memory, safety initiatives that we recommend for funding from the open, ssf or from open openssf members.

B

I'm going to post a link in the chat, and let me know if people can get in to that- that could be potentially your starting document.

B

C

C

And sweet and Google Docs actually signed me in with my work account now. That's great uh cool.

C

So yeah I will uh copy and paste the the mobilization plan language into it. I won't make probe type it from your print out. There.

C

uh And we can get started on it.

B

Yeah I think there's a lot of opportunity we want to think about. You know: are there other foundations like the rust Foundation we want to partner with officially? Are there any other people kind of working in this space? We might want to go out and tap to try to deputize them to be participants. So just that you know again, don't let the words that exist there today limit your vision. You know, if you can make this it's your dream. You can make it as big as you want of.

C

C

Anything else anyone would like to bring up or discuss at the meeting today.

C

All right, well I, imagine uh starting with the next meeting, which will be in two weeks, we'll have a lot chewier discussion uh once we've all gone through the and commented up, the uh stream four uh memory safe, safe stream uh and I'm very much looking forward to working with every one of you.

C

All right, I think. Oh sorry, Josh go ahead. I.

F

Said. Thank you. Oh.

C

You're very welcome and thank all thank all of you and uh we will be talking more shortly and keep an eye on the slack Channel all right take care. Everyone.