frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

Open in hackernews

Evaluating the Effectiveness of Memory Safety Sanitizers

https://www.computer.org/csdl/proceedings-article/sp/2025/223600a088/21TfesaEHTy
43•signa11•3d ago

Comments

unpaydijk•11h ago
Looks interesting, but unfortunately the research paper is behind a paywall
signa11•8h ago
really sorry about that gaffe ! i had access, and the content was too interesting to not share.

as @osivertsson has kindly pointed out, may you please access that, and share your insights here ? thanks !

osivertsson•10h ago
Download possible without paywall from https://publica.fraunhofer.de/entities/publication/9d7783f8-...
rwmj•5h ago
Unfortunately that gives a 500 error when attempting to download the PDF (maybe the server is overloaded now?)
Ygg2•9h ago
Conclusion is scathing:

> The findings highlight significant variations in the theoretical detection capabilities of these techniques and reveal that, in practice, the implementations of most available sanitizers fall short of their conceptual potential. Furthermore, the evaluation demonstrates the complexities and diversity of memory bugs in C/C++, as well as the challenges associated with detecting them. For instance, our results show that SoftBound+CETS, a conceptually complete sanitizer, misses nearly a quarter of spatial memory bugs in its original implementation, while ASan, likely the most widely used memory sanitizer, cannot detect 50% of use-after-* bugs and any non-linear overflows and under- flows. Ultimately, our evaluation concludes that no sanitizer currently provides complete temporal or spatial memory safety

bgwalter•8h ago
If SoftBound+CETS has the best results, why does Fraunhofer not sponsor the creation of a Debian package?

It is unmaintained:

https://github.com/Fraunhofer-AISEC/softboundcets

lou1306•7h ago
Weird that Infer [1] was not included in the evaluation. It supports C/C++ and its underlying reasoning framework (Separation Logic [2]) is exactly geared towards checking memory safety.

[1] https://fbinfer.com/

[2] https://en.wikipedia.org/wiki/Separation_logic

UncleMeat•2h ago
Sanitizers are runtime tools, not static analysis tools.

Static analyzers are also virtually never sound as sound tools produce an outrageous number of false positives, especially when languages that so easily permit nonlocal mutation.

rwmj•5h ago
I wonder how true the assertion "This performance is partly achieved by sacrificing memory safety" is today. I suspect a sufficiently advanced compiler can remove bounds checks where they are provably unnecessary, and a sufficiently advanced CPU can run the remaining checks in parallel with the array accesses. But it'd be interesting if there's been any research on that.

(A sufficiently advanced programming language can avoid the entire issue by writing loops as map, fold, etc. but we're talking about C here.)

bluGill•5h ago
There are a few things that cannot be done as fast in rust, but those are rare to need in the real world. Most of the things rust cannot do are around sharing memory between threads with locks - Humans have a very hard time getting code that does this to work correctly and usually have race conditions because they analysed the problem wrong.
Someone•3h ago
> I suspect a sufficiently advanced compiler can remove bounds checks where they are provably unnecessary,

That’s true by definition, isn’t it?

> and a sufficiently advanced CPU can run the remaining checks in parallel with the array accesses.

But it still would slow down the program, as the CPU would have to commit resources to that bound checking that it then cannot use for doing other things.

ape4•3h ago
Seems like it should have "C/C++" in the title. Or maybe that's understood?
ben-schaaf•3h ago
Sanitizers aren't just for C/C++. Rust, go, D all have at least asan support.
vlovich123•30m ago
Rust supports all the same sanitizers as c/C++ last I checked (at least UBSAN, TSAN, MSAN and ASAN which are the only ones I’ve ever seen used in practice on c/c++).
pizlonator•47m ago
I wonder if their test cases are available.

Fil-C is specifically engineered to catch everything so it would be interesting to check it against their tests

pizlonator•26m ago
Wait hold up the same authors did MESH: https://arxiv.org/pdf/2108.08683

So why isn't MESH part of the evaluation? And why isn't it mentioned even once in the paper?

Is Gemini 2.5 good at bounding boxes?

https://simedw.com/2025/07/10/gemini-bounding-boxes/
168•simedw•4h ago•36 comments

Measuring the Impact of AI on Experienced Open-Source Developer Productivity

https://metr.org/blog/2025-07-10-early-2025-ai-experienced-os-dev-study/
6•dheerajvs•23m ago•1 comments

Flix – A powerful effect-oriented programming language

https://flix.dev/
61•freilanzer•2h ago•29 comments

Analyzing Database Trends Through 1.8M Hacker News Headlines

https://camelai.com/blog/hn-database-hype/
35•vercantez•2d ago•11 comments

Optimizing a Math Expression Parser in Rust

https://rpallas.xyz/math-parser/
98•serial_dev•7h ago•47 comments

Seven Engineers Suspended After $2.3M Bridge Includes 90-Degree Turn

https://www.vice.com/en/article/7-engineers-suspended-after-2-3-million-bridge-includes-bizarre-90-degree-turn/
61•_sbl_•41m ago•44 comments

Underwater turbine spinning for 6 years off Scotland's coast is a breakthrough

https://apnews.com/article/tidal-energy-turbine-marine-meygen-scotland-ffff3a7082205b33b612a1417e1ec6d6
62•djoldman•2h ago•58 comments

How to prove false statements: Practical attacks on Fiat-Shamir

https://www.quantamagazine.org/computer-scientists-figure-out-how-to-prove-lies-20250709/
165•nsoonhui•7h ago•128 comments

Automatically Packaging a Haskell Library as a Swift Binary XCFramework

https://alt-romes.github.io/posts/2025-07-05-packaging-a-haskell-library-as-a-swift-binary-xcframework.html
22•Bogdanp•2d ago•0 comments

Show HN: Typeform was too expensive so I built my own forms

https://www.ikiform.com/
121•preetsuthar17•7h ago•70 comments

Mini robots detect and fix water pipe leaks without digging

https://www.foxnews.com/tech/mini-robots-detect-fix-water-pipe-leaks-without-digging
61•Bluestein•2d ago•42 comments

Diffsitter – A Tree-sitter based AST difftool to get meaningful semantic diffs

https://github.com/afnanenayet/diffsitter
15•mihau•4h ago•3 comments

Perplexity launches Comet, an AI-powered web browser

https://techcrunch.com/2025/07/09/perplexity-launches-comet-an-ai-powered-web-browser/
12•gniting•1d ago•0 comments

Red Hat Technical Writing Style Guide

https://stylepedia.net/style/
5•jumpocelot•1h ago•0 comments

Thunderbird 140 “Eclipse”

https://blog.thunderbird.net/2025/07/welcome-to-thunderbird-140-eclipse/
249•TangerineDream•2d ago•165 comments

Tree Borrows

https://plf.inf.ethz.ch/research/pldi25-tree-borrows.html
542•zdw•1d ago•138 comments

Author of William the Conqueror's 'Medieval Big Data' Project Revealed

https://www.ox.ac.uk/news/2025-07-02-author-william-conqueror-s-medieval-big-data-project-revealed
39•zeristor•3d ago•5 comments

A Typology of Canadianisms

https://dchp.arts.ubc.ca/how-to-use
229•gnabgib•18h ago•258 comments

MCP-B: A Protocol for AI Browser Automation

https://mcp-b.ai/
298•bustodisgusto•18h ago•155 comments

FOKS: The Federated Open Key Service

https://foks.pub/
9•ubj•4h ago•0 comments

Grok 4 Launch [video]

https://twitter.com/xai/status/1943158495588815072
341•meetpateltech•12h ago•370 comments

Show HN: MCP server for searching and downloading documents from Anna's Archive

https://github.com/iosifache/annas-mcp
220•iosifache•19h ago•69 comments

Show HN: FlopperZiro – A DIY open-source Flipper Zero clone

https://github.com/lraton/FlopperZiro
329•iraton•23h ago•72 comments

Show HN: CXXStateTree – A modern C++ library for hierarchical state machines

https://github.com/ZigRazor/CXXStateTree
3•zigrazor•3d ago•2 comments

Solar power has begun to transform the world’s energy system

https://www.newyorker.com/news/annals-of-a-warming-planet/46-billion-years-on-the-sun-is-having-a-moment
280•dmazin•1d ago•432 comments

The jank programming language

https://jank-lang.org/
385•akkad33•3d ago•104 comments

The death of partying in the USA

https://www.derekthompson.org/p/the-death-of-partying-in-the-usaand
200•tysone•20h ago•361 comments

The Origin of the Research University

https://asteriskmag.com/issues/10/the-origin-of-the-research-university
118•Petiver•3d ago•32 comments

Radiocarbon dating reveals Rapa Nui not as isolated as previously thought

https://phys.org/news/2025-06-radiocarbon-dating-reveals-rapa-nui.html
41•wglb•2d ago•2 comments

Linda Yaccarino is leaving X

https://www.nytimes.com/2025/07/09/technology/linda-yaccarino-x-steps-down.html
524•donohoe•1d ago•950 comments