| ▲ | maxloh 14 hours ago |
| > The new runtime/secret package lets you run a function in secret mode. After the function finishes, it immediately erases (zeroes out) the registers and stack it used. I don't understand. Why do you need it in a garbage-collected language? My impression was that you are not able to access any register in these language. It is handled by the compiler instead. |
|
| ▲ | jerf 14 hours ago | parent | next [-] |
| This is about minimizing attack surface. Not only could secrets be leaked by hacking the OS process somehow to perform arbitrary reads on the memory space and send keys somewhere, they could also be leaked with root access to the machine running the process, root access to the virtualization layer, via other things like rowhammering potentially from an untrusted process in an entirely different virtual context running on the same machine, and at the really high end, attacks where the government agents siezing your machine physically freeze your RAM (that is, reduce the physical temperature of your RAM to very low temperatures) when they confiscate your machine and read it out later. (I don't know if that is still possible with modern RAM, but even if it isn't I wouldn't care to bet much on the proposition that they don't have some other way to read RAM contents out if they really, really want to.) This isn't even intended as a complete list of the possibilities, just more than enough to justify the idea that in very high security environments there's a variety of threats that come from leaving things in RAM longer than you absolutely need to. You can't avoid having things in RAM to operate on them but you can ensure they are as transient as possible to minimize the attack window. If you are concerned about secrets being zeroed out in almost any language, you need some sort of support for it. Non-GC'd languages are prone to optimize away zeroing out of memory before deallocation, because under normal circumstances a write to a value just before deallocation that is never effectfully read can be dropped without visible consequence to the rest of the program. And as compilers get smarter it can be harder to fool them with code, like, simply reading afterwards with no further visible effect might have been enough to fool 20th century compilers but nowadays I wouldn't count on my compiler being that stupid. There are also plenty of languages where you may want to use values that are immutable within the context of the language, so there isn't even a way to express "let's zero out this RAM". Basically, if you don't build this in as a language feature, you have a whole lot of pressures constantly pushing you in the other direction, because why wouldn't you want to avoid the cost of zeroing memory if you can? All kinds of reasons to try to avoid that. |
|
| ▲ | er4hn 14 hours ago | parent | prev | next [-] |
| In theory it prevents failures of the allocator that would allow reading uninitialized memory, which isn't really a thing in Go. In practice it provides a straightforward path to complying with government crypto certification requirements like FIPS 140 that were written with languages in mind where this is an issue. |
|
| ▲ | kbolino 13 hours ago | parent | prev | next [-] |
| Go has both assembly language and unsafe pointer operations available. While any uses of these more advanced techniques should be vetted before going to production, they are obviously able to break out of any sandboxing that you might otherwise think a garbage collector provides. And any language which can call C code that is resident in the same virtual memory space can have its own restrictions bypassed by said C code. This even applies to more restrictive runtimes like the JVM or Python. |
|
| ▲ | vlovich123 12 hours ago | parent | prev | next [-] |
| Go is not a memory safe language. Even in memory safe languages, memory safety vulnerabilities can exist. Such vulnerabilities can be used to hijack your process into running untrusted code. Or as others point out sibling processes could attack yours. This underlying principle is defense in depth - you make add another layer of protection that has to be bypassed to achieve an exploit. All the chains combined raise the expense of hacking a system. |
| |
| ▲ | tptacek 11 hours ago | parent [-] | | Respectfully, this has become a message board canard. Go is absolutely a memory safe language. The problem is that "memory safe", in its most common usage, is a term of art, meaning "resilient against memory corruption exploits stemming from bounds checking, pointer provenance, uninitialized variables, type confusion and memory lifecycle issues". To say that Go isn't memory safe under that definition is a "big if true" claim, as it implies that many other mainstream languages commonly regarded as memory safe aren't. Since "safety" is an encompassing term, it's easy to find more rigorous definitions of the term that Go would flunk; for instance, it relies on explicit synchronization for shared memory variables. People aren't wrong for calling out that other languages have stronger correctness stories, especially regarding concurrency. But they are wrong for extending those claims to "Go isn't memory safe". https://www.memorysafety.org/docs/memory-safety/ | | |
| ▲ | vlovich123 11 hours ago | parent [-] | | I’m not aware of any definition of memory safety that allows for segfaults- by definition those are an indication of not being memory safe. It is true that go is only memory unsafe in a specific scenario, but such things aren’t possible in true memory safe languages like c# or Java. That it only occurs in multithreaded scenarios matters little especially since concurrency is a huge selling point of the language and baked in. Java can have data races, but those data races cannot be directly exploited into memory safety issues like you can with Go. I’m tired of Go fans treating memory safety as some continuum just because there are many specific classes of how memory safety can be violated and Go protecting against most is somehow the same as protecting against all (which is what being a memory safe language means whether you like it or not). I’m not aware of any other major language claiming memory safety that is susceptible to segfaults. https://www.ralfj.de/blog/2025/07/24/memory-safety.html | | |
| ▲ | tptacek 10 hours ago | parent | next [-] | | Another canard, unfortunately. "Segfault" is simply Go's reporting convention for things like nil pointer hits. "Segfaults" are not, in fact, part of the definition for memory safety or a threshold condition for it. All due respect to Ralf's Ramblings, but I'm going to rest my case with the Prossimo page on memorysafety.org that I just posted. This isn't a real debate. | | |
| ▲ | vlovich123 9 hours ago | parent [-] | | > Segfault" is simply Go's reporting convention for things like nil pointer hits. Blatantly false. From Ralf’s post: > panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x2a pc=0x468863] The panic address is 42, a value being mutated, not a nil pointer. You could easily imagine this address pointing to a legal but unintended memory address resulting in a read or write of unintended memory. | | |
| ▲ | tptacek 9 hours ago | parent [-] | | No, you can't, and the reason you know you can't is that it's never happened. That looks like a struct offset dereference from a nil pointer, for what it's worth. https://go.dev/play/p/0fUzmP0cLEa | | |
| ▲ | vlovich123 7 hours ago | parent [-] | | You’d be wrong. I recommend you reread the blog post and grok what’s happening in the example. > When that happens, we will run the Ptr version of get, which will dereference the Int’s val field as a pointer – and hence the program accesses address 42, and crashes. If you don’t see an exploit gadget there based on a violation of memory safety I don’t know how to have a productive conversation. | | |
|
|
| |
| ▲ | afdbcreid 9 hours ago | parent | prev [-] | | Rust is susceptible to segfaults when overflowing the stack. Is Rust not memory safe then? Of course, Go allows more than that, with data races it's possible to reach use after free or other kinds of memory unsafety, but just segfaults don't mark a language memory unsafe. | | |
| ▲ | cyberax 9 hours ago | parent [-] | | Go is most emphatically NOT memory-safe. It's trivially easy to corrupt memory in Go when using gorotuines. You don't even have to try hard. This stems from the fact that Go uses fat pointers for interfaces, so they can't be atomically assigned. Built-in maps and slices are also not corruption-safe. In contrast, Java does provide this guarantee. You can mutate structures across threads, and you will NOT get data corruption. It can result in null pointer exceptions, infinite loops, but not in corruption. | | |
| ▲ | tptacek 9 hours ago | parent [-] | | This is just wrong. Not that you can't blow up from a data race; you certainly can. Simply that any of these properties admit to exploitable vulnerabilities, which is the point of the term as it is used today. When you expand the definition the way you are here, you impair the utility of the term. Serious systems built in memory-unsafe languages yield continual streams of exploitable vulnerabilities; that remains true even when those systems are maintained by the best-resourced security teams in the world. Functionally no Go projects have this property. The empirics are hard to get around. | | |
| ▲ | cyberax 6 hours ago | parent [-] | | There were CVEs caused by concurrent map access. Definitely denials of service, and I'm pretty sure it can be used for exploitation. > Serious systems built in memory-unsafe languages yield continual streams of exploitable vulnerabilities I'm not saying that Go is as unsafe as C. But it definitely is NOT completely safe. I've seen memory corruptions from improper data sync in my own code. | | |
|
|
|
|
|
|
|
| ▲ | hamburglar 11 hours ago | parent | prev | next [-] |
| The Go runtime may not be the only thing reading your process’ memory. |
|
| ▲ | kittywantsbacon 14 hours ago | parent | prev | next [-] |
| This would potentially protect against other process reading memory via some system compromise - they would be able to get new secrets but not old ones. |
|
| ▲ | gethly 10 hours ago | parent | prev [-] |
| Yeah, I can hardly disagree with that sentiment myself. |
