←back to thread

The world could run on older hardware if software optimization was a priority

(twitter.com)
838 points turrini | 1 comments | 13 May 25 10:31 UTC | HN request time: 0.615s | source
Show context
titzer ◴[13 May 25 12:05 UTC] No.43971962[source]
I like to point out that since ~1980, computing power has increased about 1000X.

If dynamic array bounds checking cost 5% (narrator: it is far less than that), and we turned it on everywhere, we could have computers that are just a mere 950X faster.

If you went back in time to 1980 and offered the following choice:

I'll give you a computer that runs 950X faster and doesn't have a huge class of memory safety vulnerabilities, and you can debug your programs orders of magnitude more easily, or you can have a computer that runs 1000X faster and software will be just as buggy, or worse, and debugging will be even more of a nightmare.

People would have their minds blown at 950X. You wouldn't even have to offer 1000X. But guess what we chose...

Personally I think the 1000Xers kinda ruined things for the rest of us.

replies(20): >>43971976 #>>43971990 #>>43972050 #>>43972107 #>>43972135 #>>43972158 #>>43972246 #>>43972469 #>>43972619 #>>43972675 #>>43972888 #>>43972915 #>>43973104 #>>43973584 #>>43973716 #>>43974422 #>>43976383 #>>43977351 #>>43978286 #>>43978303 #
ngneer ◴[13 May 25 12:38 UTC] No.43972246[source]
I agree with the sentiment and analysis that most humans prefer short term gains over long term ones. One correction to your example, though. Dynamic bounds checking does not solve security. And we do not know of a way to solve security. So, the gains are not as crisp as you are making them seem.
replies(3): >>43972540 #>>43972554 #>>43989097 #
bluGill ◴[13 May 25 13:10 UTC] No.43972554[source]
Bounds checking solves one tiny subset of security. There are hundreds of other subsets that we know how to solve. However these days the majority of the bad attacks are social and no technology is likely to solve them - as more than 10,000 years of history of the same attack has shown. Technology makes the attacks worse because they now scale, but social attacks have been happening for longer than recorded history (well there is every reason to believe that - there is unlikely to evidence going back that far).
replies(1): >>43975205 #
titzer ◴[13 May 25 17:08 UTC] No.43975205[source]
> However these days the majority of the bad attacks are social

You're going to have to cite a source for that.

Bounds checking is one mechanism that addresses memory safety vulnerabilities. According to MSFT and CISA[1], nearly 70% of CVEs are due to memory safety problems.

You're saying that we shouldn't solve one (very large) part of the (very large) problem because there are other parts of the problem that the solution wouldn't address?

[1] https://www.cisa.gov/news-events/news/urgent-need-memory-saf...

replies(2): >>43982703 #>>43983400 #
1. bluGill ◴[14 May 25 11:54 UTC] No.43983400[source]
CVEs are never written for social attacks. Which is fair what they are trying to do. However attacking the right humans and not software is easier.