
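Arti: A Tor Node Program Implemented in the Memory-Safe Language Rust

In most cases, "Tor" refers to the Tor implemented in C. Tor brings security and privacy to mind, yet in fact, after more than a decade of development and iteration, the code of the C implementation has turned into a pile of crap.

You read that right. In the Tor team's own words, the current state of the C implementation of Tor is: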

What's more, our existing C implementation has grown over the years to have a not-so-modular design: nearly everything is connected to everything else, which makes it even more difficult to analyze the code and make safe improvements. One thing that we found, however, was that our existing C code was not modular enough to be easily rewritten. (Rust's security guarantees depend on Rust code interacting with other Rust code, so to get any benefit, you need to rewrite a module at a time rather than just one function at a time.) The parts of the code that were isolated enough to replace were mostly trivial, and seemed not worth the effort—whereas the parts that most needed replacement were too intertwined with each other to practically disentangle. We tried to disentangle our modules, but it proved impractical to do so without destabilizing the codebase.

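Simply put, the Tor development team tried to add some new features to the Tor code in Rust, only to find that the old code was so tightly coupled that changing one place caused trouble elsewhere, so they had no choice but to scrap it and rewrite it from scratch.

Starting the year before last (2020), the Tor development team set about rewriting Tor in the memory-safe language Rust. The rewritten Tor is called Arti; its architecture is better designed, and Rust, the language it is written in, is of course safer as well. Arti has now released 1.0 and can be used in production.

Some will ask: aren't Go and Java memory-safe languages too? Couldn't Arti be rewritten in Go or Java?

Leaving performance aside and looking only at language design, Rust is not just memory safe: it also has many very rigorous foolproofing mechanisms that stop you from writing incorrect code. Unless your programming approach is flawed, or you write bad code on purpose, it is hard to get things wrong. The Tor development team shares the same impression: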

At every stage, we've encountered way fewer bugs than during comparable C development. The bugs that we have encountered have almost all been semantic/algorithmic mistakes (real programming issues), not mistakes in using the Rust language and its facilities. Rust has a reputation for being a difficult language with a picky compiler - but the pickiness of the compiler has been a great boon. Generally speaking, if our Rust code compiles and passes its tests, it is much likelier to be correct than our C code under the same conditions.


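Beyond that, Arti adds many new security features on top of Tor, such as resistance to traffic analysis.

Installing Arti currently requires a Rust compiler on your computer. If you already have the Rust toolchain (Cargo) installed, you can run the following command to install Arti: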

cargo install arti

If you do not have Rust installed, follow the guide on the official Rust website to install the Rust toolchain.