J E L L Y E N T

Writing effective utility is laborious. In most conditions, utility breaks in intelligent
programs. On the different hand, when utility runs every thing from inside of most assistants fancy
Alexa and Google Space to banking to elections, some bugs would likely be fine extra
severe.

This outdated quarter, Armin Namavari and I attempted instructing a class about
write utility that sucks appropriate a little a lot less. We centered on no longer abnormal considerations
in personal computer programs introduced about by certain sorts of foolish (alternatively very severe)
mistakes, such as elements of reminiscence security and thread security. The core theme of
the class used to be, What desire to no longer abnormal considerations with programs programming legit now?
How are folks responding to those elements? How perform these measures plunge quick?

We wanted college students to be attentive to considerations that method plagued the industry for
a really very prolonged time, and we desired to educate college students exhaust tools and mental fashions
that contributors method developed to warfare these elements. On the different hand, these tools are
sinister, and we additionally wanted college students to abilities and sustain the
boundaries of such tools to be better attentive to what to gape out for when
setting up programs.

In explicit, we centered on instructing the Rust programming language as a come to
get better habits and warfare mistakes endemic to C- and C++-mainly basically basically based mostly entirely utility.
In some programs, Rust requires staunch practices, and it has an academic
compiler with substantial error messages that abet college students be taught. Additionally, we
looked at how classes from Rust would likely be utilized to jot down better code in C++, and
we taught college students about tools that will perchance likely also additionally be oldschool to detect no longer abnormal mistakes
before they alternate into a area.

In disagreement with a unparalleled security class, we aimed to manufacture a sturdy utility
engineering ingredient into the course, giving code-heavy assignments and attempting to
toughen college students’ processes rather than merely giving consciousness about no longer abnormal
considerations. Our purpose with this class used to be to bid college students to be better utility
developers, with out reference to what programming language they defend conscious the utilization of.

I indubitably feel the class went reasonably smartly, and student experiences had been extraordinarily
certain. Even before the quarter ended, college students told us that the class used to be
extraordinarily substantial for implementing and debugging assignments in diversified classes.
We hope to educate the class as soon as more this coming plunge, and are having a seek for enter on
the method in which it’d be improved.

This weblog keep up targets to be a summary of what we did, why we did it, and what we
are centered on changing for the future. It’s prolonged, alternatively written so you likely can
skip around to no topic is consideration-grabbing to you. Appropriate right here’s a top level idea:

Necessary thanks stride to Armin Namavari for being a honest appropriate-attempting co-teacher, Sergio
Benitez for giving an honest appropriate-attempting customer lecture, Will Crichton for providing
feedback and steering in designing the class, Jerry Cain for giving us the
substitute to educate and giving encouragement for the length of, and Rakesh Chatrath,
Jeff Tucker, Vinesh Kannan, John Deng, and Shiranka Miskin for reviewing drafts
of this keep up.

## What is security, and why will method to we care?

Safety is an unfortunately obscure term missing a giant definition, alternatively for our
capabilities, we’ll tell security is set warding off contaminated mistakes. I fancy
security as being obsessed on the subset of doubtlessly severe bugs: if a
button on a internet internet internet page renders as crimson as a replace of blue, that’s a malicious program lets
no longer care fine about, alternatively if bank myth utility permits users to withdraw the
the same \$1000 a pair of cases, or if self reliant automobile utility can fail under
certain conditions, that’s a extra touching on area.

Safety is basically linked in programs programming because programs
programming is laborious. Packages programming in most conditions entails pushing the boundaries of
what hardware can perform, and in most conditions entails reasoning touching on to the exclaim of a pair of
threads infrequently even disbursed across thousands of machines. Additionally,
for efficiency and historical causes, the vast majority of programs utility is
written in C or C++, which would likely per likelihood effectively be notoriously refined to construct exhaust of precisely.
Reasoning about pointers and reminiscence is laborious, and C and C++ perform little to abet.
C/C++’s historical perform programs and poorly outlined
specifications mean they’re going to fortunately engage clearly broken code with out a
commended
interpretation
.
Even worse, there are limitless minefields where the languages’ unhappy designs
are appropriate begging for mistakes to happen. Easy capabilities fancy strcpy, which
copies a string from one predicament in reminiscence to but every different, are extraordinarily straightforward to
misuse and method been the motive on the enhance of limitless security
vulnerabilities
.
The strncpy characteristic used to be launched to tackle the weaknesses of strcpy,
but strncpy looks to be on the subject of appropriate as
execrable
. Even
printf can lead to security
vulnerabilities

when known as the rotten come.

Additionally, as programs utility gifts the foundation on which diversified utility runs,
it’s in explicit important to score legit. Many accurate-world examples protest
the severe affect of the aforementioned elements. Belief to be one amongst my authorized examples is
offered in Comprehensive Experimental Analyses of Car Assault
Surfaces
. It’s a giant
be taught, alternatively as a summary, the authors purchased a most current automobile and tried to transfer attempting out
as some programs as at probability of remotely hijack the auto with out having bodily
score entry to. They examined vectors such as wi-fi key fobs, Bluetooth, and even
the tire stress monitoring system (which makes exhaust of wi-fi indicators to transmit
records from sensors within the tires). Every vector used to be found out to be
exploitable, reasonably a pair of them trivially so. As an illustration, the Bluetooth utility had
“over 20 calls to strcpy, none of which method been clearly salvage.” The authors finest
looked on the most well-known instance of strcpy, and found out that it copies records to the
stack when dealing with a Bluetooth configuration give a proof for with out checking the
dimension of the string. This results in a trivially exploitable buffer overflow
that permits a paired system to perform arbitrary code within the media system.
For the reason that subsystems in most cars lack isolation, compromising one subsystem
(such as the media participant) can lead to the compromise of your complete automobile. In
2015, researchers demonstrated this, remotely killing a Jeep that used to be riding
on the
freeway
.

This isn’t appropriate a area with the auto industry. Legit
programmers
across
many
industries
constantly
perform
straightforward
alternatively
severe
mistakes.

This looks fancy one thing we are able to be in a neighborhood to perform to be talking about. Would you hand a
chemistry student a bunch of volatile chemicals that constantly explode in
professional labs with out a sturdy dialogue of security? Possibly no longer. But
that’s efficiently what our curriculums are doing. We’re handing college students a
sequence of tools that consultants robotically shoot themselves within the foot with,
and we aren’t having a fine dialogue of precautions we’re in a neighborhood to settle to
defend far from doubtlessly lifestyles-threatening mistakes.

One would likely likely effectively argue that the perils of strcpy are nothing fancy the hazards of a
entirely-stocked chemistry lab; there’s no effort of faculty students dying in entrance of
the computer acceptable right here. (Successfully, we hope.) On the different hand, I argue that we settle care of dangers
on an incredible elevated scale. One line of code can with out considerations method an designate on thousands and thousands (or
billions) of folks, and the impacts of our code would likely be fine elevated than we
perceive, even after we aren’t engaged on utility for cars (which we’ve killed
folks
with
)
or clinical devices (which we’ve additionally killed folks
with
). It
would likely likely effectively appear that the worst-case bugs in a file sharing server would merely prevent
users from sharing files, alternatively one such malicious program led to the essential disruption
of the Nationwide Health Provider within the
UK
.
Non-severe emergencies important to be refused. It may possibly perchance perchance likely appear that the worst-case
bugs in a internet based utility library would merely relax some internet internet sites, alternatively one
such malicious program led to the exfiltration of extraordinarily quiet records on merely about every
American grownup with a credit score
history
.

Precautions and security features perform exist, alternatively folks aren’t the utilization of them. Fragment
of that is additionally since the tooling isn’t staunch substantial or straightforward substantial to construct exhaust of.
Fragment of that is additionally because there hasn’t been substantial time to idea mass adoption.
However I indubitably feel half of this is able to likely likely every so normally per likelihood effectively additionally be thanks to an absence of training and
consciousness surrounding these elements. We are able to bid C and C++ and hope that
college students shall be taught staunch habits and be taught to construct exhaust of static analyzers,
sanitizers, fuzzers, and safer languages on the job, alternatively then method we no longer
failed them as educators? Seeing that utility engineers relief making reasonably
venerable mistakes with severe affect, it looks one thing is rotten and we
will method to be attempting to perform extra.

## Imagining security training

So, we are able to be in a neighborhood to perform to focal level on extra about security. However how will method to we stride about it?

### Would likely per likelihood quiet there be a “security class”?

In planning this class, we couldn’t score any diversified programming security class out
there. Is that because no individual has conception to perform it but, or is it because it is
better to educate security in context alongside extra central fabric?

In explicit because “security” is so wide, it does appear substantial
to quilt supreme practices and substantial tricks/tools whereas introducing abnormal
fabric. On the different hand, there had been two causes we felt it may possibly likely likely likely per likelihood effectively perform sense to educate
a class absolutely centered on security.

First, instructing a separate security class gifts us room to experiment with
instructing abnormal fabric that will perchance likely be refined to combine into existing
classes. In explicit, we had been drawn to instructing the Rust programming
language as a medium to detect the alternate choices of lifetimes and possession.
Brooding touching on to the nightmare doable of C and C++, it’d be a staunch belief to
bid Rust within the core curriculum within the raze, alternatively that is a lot too tall a
alternate to perform provided that Rust is that this style of brand abnormal language and now we method little
abilities instructing it.

2nd, although writing salvage, merely code in most conditions entails warding off limitless
unrelated pitfalls, there perform exist some no longer abnormal issues in security. As an illustration,
Rust’s possession mannequin used to be designed to be sure reminiscence security, alternatively Rust’s
designers found out that it additionally helped promote thread
security
.

### How would this be diversified from a security class?

As security is carefully linked to security, a security class would method essential
overlap with security classes that already exist. Stanford, in explicit, has
CS 155, which is an honest appropriate-attempting security class
accessible to undergraduates that already does a giant job of shielding matters
such as reminiscence security and networked assaults. Why will method to we bid one thing
separate?

Whereas security classes on the total focal level on instructing offensive programs and
defensive utilized sciences within the context of regularly-broken C/C++ utility, we
felt it’d be estimable to educate from a standpoint that is centered on
setting up programs precisely within the most well-known predicament. CS 155 in most conditions walks college students
at some level of the sport of cat and mouse that has conducted out over the righteous thirty
years: how perform attackers hack into issues, and the methodology thru which would likely we discontinuance the loopholes
they exhaust? In disagreement, we had been drawn to exploring whether or no longer there would likely likely be a come
we’re in a neighborhood to alter the programs college students come programs programming so as that they perform
fewer mistakes and perform fewer vulnerabilities within the most well-known predicament. Within the
first CS 155 mission, college students idea for themselves how a buffer overflow or
double free can lead to far-off code execution, alternatively they may possibly possibly likely likely effectively no longer mainly
perform an determining of write code that is freed from buffer overflows
and double frees, and as effectively they exiguous query don’t score any notice with it. Can we
instill better habits, a stronger sense of effort, and better exhaust of tools so
that college students write better code off the bat?

### How does one bid salvage programming?

Instructing salvage programming is refined when there are such plenty of of diversified
pitfalls to gape out for. How can we perform a class that is elevated than a
pointers of mistakes to remain far from?

In our class, we desired to detect security the utilization of the Rust programming language,
which is a rather abnormal programs programming language that has been gaining
traction. There are a pair of explicit causes we desired to perform so:

• Rust requires many supreme practices by default and prevents no longer abnormal mistakes
allowed by C and C++. In most conditions, there would likely likely be finest one come to perform issues, and that come
is the legit come. C++ can perform a complete lot of the the same issues that Rust can, alternatively even
its security ingredients are plagued by unsafe habits that is distracting and
complicated to educate (e.g. Rust’s Likelihood and C++’s std::no longer compulsory perform the
the same mutter conceptually, alternatively the latter has 3 programs to extract an inside of
fee, two of which would likely per likelihood effectively be unsafe).
• Rust’s compiler errors are fine extra tutorial than these of diversified
languages. The core Rust group has spent reasonably a pair of time making compiler
messages informative and uncomplicated to be taught, even providing substantial alternate choices for
fixing issues when there would likely likely be an error. In some conditions, programming in Rust is a
bit fancy having a dialog with the compiler, where the compiler teaches
you about why what you’re doing is unsafe.
• Classes realized from programming in Rust are acceptable to programming in C
and C++. In some programs, Rust is a response to a really very prolonged time of no longer abnormal mistakes in
C/C++, and in instructing why the language is designed the come it is, we’re in a neighborhood to
focal level on many conditions of subtly broken C/C++ code and survey how we’re in a neighborhood to perform
better. All of the methodology thru which at some level of the quarter, a pair of faculty students in our class talked about that
whereas engaged on assignments for CS 110, they felt fancy that they’d a little bit
Rust compiler in their heads highlighting possession errors in their C++ code.
• Rust is an up-and-coming language with staunch momentum and accurate doable to
replace C and C++ code. I idea it being precious for school college students’ futures.

Along with to instructing programming in Rust, we additionally desired to be sure to
focal level on keep collectively Rust classes to C++ and exhaust tools to toughen the
effective of C++ code. C++ has added many estimable security ingredients over the righteous 20
years to abet prevent no longer abnormal considerations. Additionally, many static and dynamic evaluation
tools method additionally been developed such as linters, sanitizers, and fuzzers that
abet to settle bugs in capabilities, and we desired to exclaim college students
incorporate these tools acceptable into a workflow to unravel mistakes early in pattern.

I got’t express that we learned the legit come to educate security, alternatively as I’ll
focal level on later, this come ended up working decently smartly. I fancy to
hear any diversified thoughts about programs lets come this!

## Summary of the class

We registered CS 110L as an
no longer compulsory two-unit supplemental course to CS 110, which is our 2d core
programs class and covers filesystems, multiprocessing, multithreading, and
networking. (The frequent undergraduate course load is 15 fashions. A two unit
class is anticipated to require six hours/week of time.)

Whereas it may possibly likely likely likely per likelihood effectively method been better to perform this a standalone class, we registered it
as a supplemental class for 2 causes:

• It allowed us to extra with out considerations experiment with bringing discussions of security
and security nearer to the core curriculum, as discussed previously.
• One-to-two unit supplemental classes are extra with out considerations authorized and enable for
extra improvisation for the length of the quarter.

This positioned some extra constraints on our class, as we would likely likely effectively method most current to be sure the
fabric used to be linked to college students on the 2d working thru CS 110. Balancing
conflicting pursuits used to be refined within the starting space, as there used to be plenty of of
supplemental CS 110 fabric that will perchance likely method been indubitably consideration-grabbing to focal level on
about alternatively no longer linked to security, and it used to be additionally refined to agenda the
class so as that college students would method lined all prerequisite fabric in CS 110
before we talked about it.

### Lectures

Lectures had been 50 minutes prolonged, taught twice a week over Zoom. Striking forward our
fabric in fifty minutes used to be reasonably piquant, and within the raze, lets
relief in mind making this a 3 unit class so as that lectures don’t indubitably indubitably feel so rushed.
Additionally, instructing over Zoom used to be very refined before every thing; I felt fancy I was appropriate
talking at an inanimate digicam, making it laborious to indubitably indubitably feel engaged, and I had a
laborious time pacing and gauging college students’ determining as I couldn’t indubitably idea
college students’ faces. We bought better at it as the quarter went on, alternatively.

Yow will detect all lecture gifts on-line
acceptable right here. Appropriate right here’s a extreme-stage
overview of what we lined:

#### Reminiscence security

Rust depends on an possession mannequin to forestall reminiscence errors such as reminiscence
leaks, double frees, exhaust-after frees, iterator invalidations, and extra.
Studying purpose inside of Rust’s mannequin would likely be piquant for more moderen
programmers, alternatively Rust merely enforces habits that staunch C/C++ programmers
already exhaust to jot down safer code.

#### Replace approaches to error dealing with

College college students are already accustomed to exceptions, so we talked about why
exceptions infrequently plunge quick, and we discussed the consultants and cons of dealing with
errors by return values, as smartly as how Rust does this with Likelihood and
.

#### Multiprocessing security

CS 110 spends a pair of weeks introducing fork, pipes, and indicators. We spent a
lecture and a half summarizing several no longer abnormal considerations with the utilization of these
primitives straight away, and argued that you are going to perform to exhaust elevated-stage abstractions
every time likely. If college students ever perform desire to construct exhaust of these primitives straight away,
we wanted them to be attentive to what to gape out for.

We spent a lecture doing a case detect of how Google Chrome makes exhaust of
multiprocessing to foster isolation between tabs although attackers consider
vulnerabilities within the Chrome sandbox. College college students reported that this used to be one amongst
their authorized lectures, as they bought to idea how our discussions of
virtualization and sandboxing play out in notice.

I indubitably feel Rust’s strengths exclaim essentially the most by come of multithreading.
Rust’s possession mannequin, which forbids having a pair of references to a half of
records whereas a mutable reference exists, already helps prevent many classes of
multithreading errors. Additionally, Rust’s perform system makes exhaust of “marker traits”
known as Sync and
Ship

to expose whether or no longer classes would likely be passed between threads and accessed
similtaneously by a pair of threads. The exhaust of this perform system, the compiler
understands that records friendly by a mutex is salvage to score entry to similtaneously,
whereas a no longer abnormal buffer may possibly likely no longer be, and it may possibly likely likely likely per likelihood effectively no longer enable you to jot down code that has
records races.

#### Networking and system perform

We took a quick consider at security from the perspective of programs perform: how perform
you relief important programs working and forestall attackers from compromising
records? We talked about load balancing (with load balancers, DNS, and IP anycast)
and fault tolerance, and later had college students keep into attain a load balancer. We additionally
had an records security lecture that emphasised the significance of securing
the course of least resistance (arguing that databases such as Elasticsearch perform
it too straightforward to be insecure) as smartly as the significance of creating certain dependencies
are saved up to this level.

#### Nonblocking I/O

We spent a week centered on nonblocking I/O and programming with async/defend conscious for.
This has nothing to perform with security alternatively contributed to the utility engineering
ingredient of the class; within the closing mission, we requested college students to take a look at and
disagreement the efficiency of multiplexing the utilization of multithreading with that of
the utilization of nonblocking I/O. Though it feels fancy a restricted diversion, I indubitably feel this
used to be a indubitably estimable topic to exclaim college students to, as async/defend conscious for makes the
ergonomics of nonblocking I/O straightforward substantial for school college students to indubitably exhaust in
network-race capabilities.

#### Safety in C++

We fleet looked at how fabric from the class would likely be utilized to C++ with
C++11, 17, and 20 language ingredients. Looking back, I desire we had spent extra
time talking about write staunch C++ code and exhaust tooling to unravel
no longer abnormal mistakes. As we outlined to college students, Rust is a giant language and a
fine come to be taught about better coding practices, alternatively as Rust is highly abnormal
and most programs codebases are quiet in C or C++, it’s important to fancy
work efficiently in these languages. Though Rust conceptually maps
smartly to more moderen C++ language
ingredients
,
the C++ analogs are poorly designed (in my fancy) with some programs to
unintentionally screw up (e.g. std::no longer compulsory does nullopt tests need to you happen to make employ of
.fee() to retrieve the inside of fee, alternatively no longer need to you happen to make employ of the * or ->
operators to perform that). We rushed thru these restricted print, and it may possibly likely likely likely per likelihood effectively method been
better for school college students to score notice indubitably the utilization of these ingredients.
Additionally, the C++ ecosystem has so many estimable tools for catching mistakes
or execrable habits (since the compiler doesn’t perform fine by default), and we are able to be in a neighborhood to perform to
method allocated time previous legislation to exhibiting college students exhaust these tools.

### Assignments

This class had two sorts of assignments: weekly inform routines, which method been supposed
to be lightweight reinforcement of the fabric we discussed in lecture every
week, and initiatives, which method been extra fine and would give college students
notice with setting up extra refined utility. We additionally gave college students the
methodology to substitute a week’s inform routines with a weblog keep up about one thing they
found out consideration-grabbing, and we allowed college students to substitute a mission with a
diversified mission extra linked to their backgrounds or pursuits (e.g. someone
with abilities with personal computer graphics would likely be extra drawn to implementing
a parallel raytracer in Rust). Sadly, no individual took us up on these gifts, alternatively we
cherished having this device in predicament and it’s one thing I fancy to perform as soon as more
within the raze.

We inspired college students to partner up for the two initiatives. I indubitably feel this used to be
indubitably precious for the college students that ended up partnering, and the feedback in
our surveys used to be very certain. There would likely likely be fine extra perform allowing for the elevated
initiatives, so it’s substantial for school college students to be capable of focal level on and debate alternate choices,
and I indubitably feel they realized lots from every diversified in phrases of finding out from every
others’ workflows and finding out exhaust nifty Rust syntax tricks.

Yow will detect your complete assignments on the course
internet internet internet page
.

There had been too many assignments to succinctly summarize acceptable right here, alternatively to expose an
instance, my authorized mission used to be the most attention-grabbing
mission
,
which had college students keep into attain an HTTP load balancer known as balancebeam. In
addition to distributing requests across upstream servers, college students’ load
balancers had been anticipated to make stronger failover with passive and shimmering effectively being
tests as smartly as venerable price limiting. The predominant focal level of this mission used to be
to beget a examine writing salvage, multithreaded code within the context of a
extreme-efficiency network utility. As a secondary focal level, we wanted college students
to score notice with evaluating and making utility perform choices that
affect code simplicity and efficiency. To this defend, we didn’t exclaim college students
how to keep into attain any of the requirements (although we did give them a pair of
alternate choices to birth with). Additionally, we utilized an computerized benchmarking instrument
known as balancebench that robotically
benchmarks every git commit so as that college students can idea how perform choices method an designate on
efficiency. Is it better to perform a thread pool with extra or fewer threads? How
does nonblocking I/O indubitably method an designate on efficiency traits? Which
synchronization primitives are most substantial for reducing latency? College college students had been
interesting to idea benchmark results for the length of their commit history (instance
acceptable right here), and a
compete in a marvelous are available opposition to every diversified.

This mission worked reasonably smartly within the utilization of on the subject of your complete fabric from the
quarter and piquant college students to jot down salvage Rust code to manufacture a
extreme-efficiency utility. I indubitably feel this mission used to be perform-ended substantial
that college students had been interesting to settle possession and perform their very personal choices, alternatively no longer
so perform-ended that they felt perplexed about where to birth or score
anything else else conducted. The mission scope used to be piquant substantial to perform college students
indubitably beget religion alter score entry to to shared records structures, alternatively quick
substantial to no longer be overwhelming. There are some no longer easy edges to iron out with
regards to balancebench (most critically, because it is speed on conditions which would likely per likelihood effectively be
dynamically spun up in Digitalocean, network efficiency between the conditions
varies for the length of the day, so benchmark results desire to no longer essentially the most consistent),
alternatively we all had reasonably a pair of stress-free with it. I fancy to jot down a extra detailed weblog
keep up about this mission if folks are alive to.

## Explore results

Overall, I’m extraordinarily happy with how the class went. College college students reported
finding out lots from the class, responding 4.8/5 to “how fine did you be taught” and
“how ambiance friendly used to be the instruction you bought” on the legit course explore,
and extraordinarily suggested it for diversified college students interested within the class within the
future.

In step with stride taking a look out results, our predominant historical level used to be attempting to pack too fine into
a restricted class. A handful of faculty students fine that lectures infrequently went too
snappy and assignments had been infrequently too formidable for a 2-unit class. These are
entirely appropriate complaints.

Along with to the questions about the legit course explore (which would likely per likelihood effectively be too
generic to be substantial), we additionally did our personal defend-of-quarter surveying. I’ve
excerpted a pair of of the responses I believed had been most consideration-grabbing/insightful.
There would likely likely be a pair of evident sampling bias acceptable right here, as college students that didn’t abilities the
class are a lot less at likelihood of proceed any feedback in anyway on an no longer compulsory explore, alternatively
we had been very diligent about surveying college students for the length of the quarter and we
that is the legit illustration now we method.

#### All of the methodology thru which at some level of the quarter, what fabric stood out to you essentially the most?

The most prevalent matters that shut to to mind are records possession, enums,
alternate alternate choices/results, and synchronization. My proudest 2d in CS110L used to be
ending the DEET debugger. That mission had culminated so fine of the
classes most linked matters up to that level and marked the extent where I
felt fancy I was indubitably starting to score a unravel of Rust. As for plenty of stress-free, I’d
tell that used to be the proxy mission. By that level, we had shut to to grips with Rust
and had been interesting to keep into attain some reasonably chilly ingredients whereas inserting collectively a

Wow – finding out Rust used to be unparalleled. The Google Chrome case detect used to be fine –
talking about unsafe code examples in waitpid used to be chilly, async programming used to be
wild.. so fine entails mind when centered on this class

Since I had some background in Rust already, I indubitably feel it indubitably began to hit
after we moved into the 2d half of the quarter. The dialogue of Google
Chrome & Mozilla Firefox used to be a spotlight – fine consideration-grabbing and it gave
staunch accurate-world motivation for why Rust is essential. The networking part
used to be additionally very smartly taught (fine diagrams!) and taking part. Plus, I cherished
Sergio’s lecture! Would method been chilly to construct exhaust of some of his libraries for a
mission or mission.

I cherished the controversy on broader security alternate choices. Love the time we spoke about
chaos engineering and the methodology thru which Netflix makes exhaust of that to perform their programs extra
sturdy. I additionally cherished the very starting space of the class where we spoke about
buffer overflows

#### What had been your two or three authorized assignments and why?

As talked about in a dilapidated response, I indubitably cherished both initiatives. No longer finest
did it indubitably indubitably feel fancy I was interesting to indubitably be taught lots from the initiatives, alternatively the
partner ingredient helped a ton to perform the work abilities extra delectable. Additionally,
they’d been both very abnormal in comparability to any diversified CS mission I indubitably method
worked on at Stanford (as a replace of for the 110 proxy mission as to be
anticipated). We’ve all spent fine time the utilization of debuggers alternatively now we’re in a neighborhood to all
tell that we’ve made one too! Whereas fine straightforward, I indubitably most current the
farm meets multithreading mission [week 6 exercises] because it went a
prolonged come to exclaim how far we’ve shut to from the starting of the quarter after we
spent hours implementing hangman (lol).

My favorites had been Proj 1, because I by no manner indubitably imagined indubitably writing a
debugger and it used to be chilly to idea how they work, and the channels mission,
appropriate because channels are indubitably chilly and solved the area very elegantly.

I cherished the channel mapreduce mission because it wasn’t overwhelming, alternatively
it used to be complicated substantial to score you to indubitably beget religion your perform. I additionally
cherished the two elevated initiatives thanks to the chilly outcomes of both.

Positively the two initiatives! It’s appropriate staunch to score a exiguous extra within the weeds
with some extra complicated capabilities. Each of the initiatives had been indubitably smartly
scaffolded and the benchmarking instrument for Enterprise 2 used to be fine. They felt extra
polished than amongst the CS 110 assignments which is asserting lots for a
first-time course! I additionally cherished the Farm meets multithreading one because I
settle into accout doing that CS 110 mission and it used to be so fine more straightforward the utilization of
multithreading in Rust haha.

#### What alternate choices perform you method on what we are able to be in a neighborhood to perform to perform with the class? Assure it as soon as more? Mix diversified fabric? Did the protection theme indubitably indubitably feel precious and did you indubitably indubitably feel it worked smartly, or would it method been better to perform this a Rust language class as a replace of a no longer abnormal security class?

Assure it as soon as more 10000000000%. The protection theme match completely because it had me
indulge in Rust. The arc of this quarter for me used to be: I abominate rust -> I sorta
idea why you’d exhaust rust alternatively I abominate rust -> Rust makes this concurrency stuff
very straightforward.. -> I deserve to continue with Rust and exhaust the classes I’ve
realized to perform my C++ better. I wouldn’t method had this arc if this used to be appropriate
a Rust language class – I doubtlessly would’ve hand over since I wouldn’t method viewed
the motive. Since you all acknowledged it had better security ingredients, I desired to
idea what that used to be, and so I certain to perform and score at some level of the laborious ingredients.
Framing it with security is a giant come to unravel folks alive to / having them
to glance out abnormal issues!

This used to be a giant class and so it’d be fine if it had been taught as soon as more. I perform
beget religion the protection theme had fee, alternatively I would need most smartly-most current shedding some of
it for additonal Rust thunder discipline fabric.

I indubitably feel I would method cherished to idea extra thunder discipline fabric touching on to the no longer abnormal security and
the method in which it linked to those matters. Rust used to be an honest appropriate-attempting instrument to detect these
tips, alternatively I indubitably feel I cherished the protection a part of it extra.

I indubitably feel the class used to be fine. I’m hesitant to counsel too many adjustments because
I wouldn’t desire to settle it too removed from its enviornment of curiosity which (I indubitably indubitably feel) is
introducing rather abnormal CS college students to Rust. I indubitably feel making it a security
class rather than a Rust class makes complete sense – severely better for
motivation. I entirely beget religion we additionally need extra elevated-stage classes on
these matters although. As an illustration, I desire CS 140E in Rust used to be an ongoing
mutter. I indubitably feel we are able to be in a neighborhood to perform to doubtlessly additionally method a class that begins where CS 242
/ Sergio’s lecture left off – assuming desire to haves in PL, compilers and
programs and going from there deeper into language, library and system perform.

## Takeaways

As talked about, this class used to be an experiment in some programs. Listed under are amongst the
questions we had desired to transfer attempting out alternate choices to:

#### Is there a predicament for a security class in a CS curriculum?

Like a flash decision: I’m quiet no longer 100% certain!

Extended decision: I indubitably feel this class worked very smartly and bought college students to beget religion extra
fastidiously and severely touching on to the code they write. I indubitably feel some fabric would likely likely effectively
be worked into core CS classes as a replace of being in a separate class (e.g. we
would likely likely effectively focal level on channels in CS 110 and bid college students exhaust sanitizers to
take a look at for doable trip stipulations), alternatively having a separate class used to be extraordinarily
substantial for experimenting with elevated adjustments, such as instructing Rust. As core
classes toughen, there would likely be a lot less of a need for a security class, alternatively I indubitably feel
there’ll continually be a predicament for a class that looks at what’s commonly going
rotten in programs and the methodology thru which we’re in a neighborhood to toughen practices to manufacture better programs.

#### What’s it fancy for school college students to be taught Rust in a quick whereas body?

As folks in most conditions tell, Rust has a steep finding out curve, and it’s indubitably laborious to
score productive with it in a quick interval of time. Here is reflected within the
2019 Rust language
explore
, and it’s
additionally reflected within the student frustration within the most well-known few weeks of our weekly
explore responses. Irrespective of this, even with finest a pair of weeks, it’s at probability of
score college students to a pair of extent where they’re setting up utility they’re cheerful with.

We did a pair of issues that I indubitably feel helped with this:

• Distill Rust as fine as likely acceptable into a pair of essential ingredients, and focal level finest
on these ingredients. Rust has such an fine language ground that if we had
desired to educate Rust completely, there wouldn’t method been time for anything else else
else. We explicitly told college students “that need to no longer a Rust class!” in mumble to
abet predicament expectations.
• Lend a hand why Rust is the come it is the utilization of easy explanations and examples.
College college students in most conditions score pissed off by the language being refined, because
it looks straightforward issues which would likely per likelihood effectively be no longer abnormal in diversified languages are infrequently no longer
allowed in Rust. Acknowledging this frustration and explaining why rustc is
complaining helps college students to score on board extra fleet, and it additionally helps
them to acknowledge doubtlessly problematic patterns after they’re programming
in diversified languages.
• Pause far from mentions of complicated terminology when likely. Rust has reasonably a pair of
legit terminology, infrequently coming from PL belief or to hand
programming, neither of which our purpose target market has been exposed to.

#### Would likely per likelihood quiet we try to consist of Rust into the Stanford core curriculum?

Possibly no longer, no longer but.

Stanford has two core programs classes: CS 107 (which introduces C programming)
and CS 110 (which teaches multiprocessing, multithreading, and networking in
C++). Rust sits weirdly in between the two classes. The possession mannequin
positively matches better with CS 107 fabric, alternatively a giant half of Rust’s attraction
is in its effectiveness in capabilities that exhaust multithreading and/or networking,
and it’d be caring to exhaust so fine effort combating the borrow checker
with out determining concurrency-mainly basically basically based mostly entirely motivations for it.

Whereas I indubitably feel Rust may possibly likely be poorly motivated in CS 107, I indubitably feel it is extra
poorly commended for CS 110. CS 110 may possibly likely no longer be appropriate about how we perform issues, alternatively additionally
why – why are issues designed the come they’re, and if we score certain bugs
or efficiency traits, why is that? I don’t beget religion the why comes
thru substantial in Rust. It gifts you with a philosophy and says, “notice
this philosophy and it may possibly likely likely likely per likelihood effectively relief you salvage.” In final consequence, there isn’t room for
deviation in conception. That it is likely you may possibly perchance perchance likely’t abilities why no longer, since the compiler
got’t enable you to. And even though it may possibly likely likely likely per likelihood effectively try to exclaim why no longer by error messages,
seeing is believing. Staring at a program break and burn isn’t the associated to
getting a one or two line compiler error that explains the come you deviated from
the rust mannequin. Instructing about
multiprocessing is additionally refined in Rust, as the no longer abnormal library has no come
to call fork, and designate dealing with give a settle to is equally non-existent. Rust has
staunch abstractions that work within the no longer abnormal case, alternatively a staunch programs programmer
will method to grab how they work under the hood, and it’s laborious for school college students can’t
indubitably catch intuition for what’s going on within the machine if it’s plastered
over with abstractions.

I additionally beget religion it’s laborious for school college students to indulge in Rust with out having first
skilled C and C++. Two college students space it smartly:

I don’t indubitably agree [that Rust would be a better first language]. Coding in
C++ for 110 allowed me sustain the errors that Rust used to be conserving me from
even MORE. If I appropriate relied on Rust, I would method malicious program-free capabilities, alternatively I
wouldn’t sustain what it used to be conserving me from. As an illustration, in Assign5
for 110(aggregator), a no longer abnormal error used to be passing reference to records that will perchance likely
exit of scope to a thread (an error rust would by no manner enable thanks to
lifetimes). After I ran into that error, issues fleet clicked. I remembered
that I will method to be pondering of lifetimes myself in C++, appropriate as Rust had conducted
for me. Seeing both languages collectively for the length of the class appropriate made me
sustain the errors extra deeply, which I indubitably feel I would’ve lost if 110 used to be
finest taught within the safer language.

I don’t beget religion rust is a staunch instructing language for on the subject of the reverse motive
I don’t beget religion python is a staunch language for instructing – you may possibly perchance perchance likely desire to be taught
programming in a language that can per likelihood effectively screw you over, that come you be taught better
habits. Rust is completely appropriate need to you’ve gotten your feet within the water with a
language fancy C and you’re painfully attentive to the pains that it is going to perform to perform. My
partner and I had been talking about it for the length of the righteous mission – the rust
compiler on the subject of makes some ingredients of assignments too straightforward. Most reputedly from a
finding out standpoint that’s fine – you don’t need college students spending hours
over slack reminiscence bugs, alternatively I err on the ingredient of ambiance up them cautious vs
making them reliant on a sturdy compiler.

In explicit since programs code on the expose time is quiet dominated by C and C++, I indubitably feel
it’s estimable for school college students to be capable of beget the merit of the ensures of Rust
whereas quiet taking be conscious of what the compiler is doing for you and conserving
you from.

#### Would likely per likelihood quiet this be a standalone class, or will method to it defend an addon to CS 110?

I’m no longer certain about this one. I’m centered on providing this class as soon as more, and
I’m debating whether or no longer to produce it within the the same perform, or to perform it a separate
class.

On one hand, registering it as a separate class would enable us to focal level on
security matters with out needing to beget a examine alongside with the CS 110 syllabus. This
flexibility may possibly likely be extraordinarily estimable for being interesting to exhaust time previous legislation on C++
security and tooling, since we would likely likely effectively be interesting to transfer our dialogue of
multithreading to sit down down down down earlier, leaving time previous legislation on the head of the course,
with out being eager about working before CS 110. Additionally, I indubitably feel it may possibly likely likely likely per likelihood effectively
be staunch to dedicate extra fashions to the class, because it took time previous legislation than the
lifestyles fancy two-unit course.

On the different hand, I indubitably feel making it a restricted, two-unit class made it extra accessible to
extra folks, and I indubitably feel the two classes ended up complimenting every diversified
indubitably smartly (CS 110L made it more straightforward for school college students to keep into attain and debug CS 110
assignments, and CS 110 gave college students better context and appreciation for the
considerations we discussed in CS 110L).

Whereas you method thoughts on this, let me know.

## Conventional instructing classes realized

We tried out a pair of issues this quarter that I indubitably cherished:

• Since this course used to be taught on-line thanks to COVID-19, we tried to transfer attempting out programs to
perform the community that will perchance likely method ordinarily developed between folks
having a sit down up for lecture to birth or engaged on assignments for the length of place of job hours.
We had a course Slack for Q&A, bulletins, and random records articles
linked to course fabric, and I indubitably feel this worked very efficiently, in phase
thanks to our restricted class dimension. In that Slack, we created a #reflections
channel and introduced on college students every week to keep up about issues they learned
consideration-grabbing and/or had been combating. This helped college students to idea that
they weren’t on my absorb to to find facets of Rust complicated, and it helped us
settle what fabric college students had been combating. We additionally hosted No longer
Field of alternate Hours, which used to be a casual Zoom call dedicated for anything else else as a replace of
course fabric. I cherished attending to realise college students better thru this, and
in our surveys, college students commented that they cherished attending to realise every
diversified as smartly.
• As talked about, we inspired college students to substitute weekly inform routines with a weblog
keep up or initiatives with but every different belief. Even supposing no individual ended up doing
this, we did focus on with a pair of faculty students about alternate choices that they’d, and I indubitably feel it’s
fine for school college students to perform this probability on hand.
• We had weekly surveys and had been constantly soliciting feedback. Here is able to per likelihood effectively
perform reasonably a pair of noise if no longer done smartly, alternatively I indubitably feel this used to be substantial for
us to toughen the class for the length of the quarter, and it used to be additionally substantial for
getting effective enter (as a replace of polling for feedback on the quarter’s defend,
when college students method already forgotten your complete specifics of issues they
cherished/disliked and appropriate desire to transfer on).

I additionally beget religion I realized lots about mission perform for the length of this class. It used to be
consideration-grabbing finding out steadiness instructing issues in college and having
college students be taught it on the assignments. That it is likely you may possibly perchance perchance likely’t bid every thing in lecture,
and it’s important for school college students to synthesize fabric for themselves. It’s
extra rewarding and ambiance friendly within the occasion you likely can records them to consider issues on their
personal for the length of an mission – they’ll settle into accout the scurry severely better than they
settle into accout snippets from lecture. However for certain, this makes assignments extra
refined and time-shimmering, and would likely likely effectively consequence in execrable outcomes if college students plunge off
the course you had in mind. It used to be additionally consideration-grabbing finding out steadiness
scaffolding in an mission. At the side of scaffolding (e.g. skeleton capabilities
and unit tests) makes assignments speed smoother, alternatively it additionally reduces the predicament
for student creativity. All of the methodology thru which thru this class, we had a combine of assignments.
Some college students acknowledged they most current the scaffolded inform routines, and reasonably fine
every person reported spending a lot less time on these assignments, alternatively diversified college students
acknowledged they cherished the perform-ended inform routines better.

## Conclusion

Safety is a tall area in programs programming, and we beget religion it is shimmering to
method a class instructing college students about no longer abnormal pitfalls, defend far from them, and
where new tools would likely likely effectively plunge quick.

Yow will detect the tubby course gifts on the fetch internet internet page
acceptable right here. Whereas you’d fancy to idea
mission starter code, please electronic mail me.

Placing this class collectively used to be indubitably refined. We designed the class
(alongside side lectures and assignments) from scratch, and there weren’t indubitably any
the same classes to borrow existing curriculum from. We wanted to adapt to an
on-line structure with quick fancy, and college students confronted instability for the length of the
quarter thanks to COVID-19 and nationwide protests. Additionally, I hadn’t indubitably
ever written any Rust code till three weeks before the class started.

On the different hand, this used to be an extraordinarily rewarding abilities, and I realized so fine. We
hope to revise and bid the class as soon as more.

Please contact me within the occasion you method any thoughts or feedback on this class. I’m appropriate
a lowly grad student with little fine abilities setting up personal computer
programs, and I indubitably feel that will likely be a piquant topic to educate, so within the occasion you method any
feedback in anyway, please electronic mail me and I fancy to perform a dialogue!