Two years ago, Google claimed that 70% of the high-severity vulnerabilities in Android were due to memory errors in C and C++, the languages that still form the basis of the mobile operating system. That figure was cited as the reason for then introducing Rust into Android development.
Last November, the US National Security Agency (NSA) released a brief report titled ‘Software Memory Safety’ (PDF) in which it explicitly recommended moving away from the ancient (and very popular) programming languages C and C++ in favor of ‘languages with safe memory management’, whose best-known examples would be C#, Java, Ruby or the booming Rust.
But now the Open Standards Project portal has published a document (PDF) answering the NSA’s, titled “A call to action: think seriously about security and then do something sensible about it”; its author is none other than Bjarne Stroustrup, the Danish computer scientist who created the C++ language in 1979. In this response to the original report, our protagonist argues against what he sees as an oversimplification on the part of the US federal agency:
“Now if I considered one of those ‘safe’ languages to be superior to C++ for the range of uses I’m interested in, I wouldn’t view the demise of C/C++ as a negative, but that’s not the case. As described [by the NSA] ‘safe’ is limited to the safety of memory, leaving out a dozen different ways a language could (and will) be used to violate any kind of protection.”
“There is no single definition of security”
Stroustrup is clear that “ignoring security issues would harm large sections of the C++ community and it would undermine a lot of the rest of the work we’re doing to improve C++”, but for that very reason he proposes not giving in to those who see Rust and co. as the solution to such problems: “we can achieve various kinds of security through a mix of programming styles, add-on libraries, and static analysis applications”.
One example of such a library would be SLIMalloc, which according to its author makes C a language “more secure than ‘memory-safe’ languages”. The C++ creator also points to another document of his own (PDF) that “provides a brief summary of the process” he proposes.
He argues that a static analyzer enforcing the C++ Core Guidelines developed in recent years can ensure code safety at a much lower cost than a migration of the code base to new languages would require. Some of these guidelines have already been implemented in the static analyzer in Microsoft Visual Studio and in Clang-Tidy.
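The static-analysis route Stroustrup describes is easiest to see on a concrete pattern. The following is an added example, not code from the article or from any of the documents it cites: it shows the raw-pointer idiom that the Core Guidelines bounds checks in clang-tidy flag, beside the same parser written so that the buffer size travels with the data and a malformed record is rejected instead of overread. The function names, the length-prefixed record format and the sample bytes are all constructed for illustration.

```cpp
// Added example (not code from the article, the NSA report or Stroustrup's papers).
// A length-prefixed record parsed the way much legacy C/C++ does it, next to the
// same parser written so that the buffer size is known to the code that indexes it.
// Builds with: g++ -std=c++17 -Wall -Wextra record.cpp
// The Core Guidelines bounds rules can be run with clang-tidy, for example:
//   clang-tidy -checks='cppcoreguidelines-pro-bounds-*' record.cpp -- -std=c++17
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// Legacy style. The parser trusts the length byte at msg[0]; nothing ties that
// value to how many bytes the buffer really holds, so a malformed record reads
// past the end (and a copying variant would write past it). clang-tidy's
// cppcoreguidelines-pro-bounds-pointer-arithmetic flags `msg + 1` and the
// `payload[i]` indexing through a raw pointer.
std::size_t legacy_checksum(const std::uint8_t* msg) {
    std::size_t len = msg[0];
    const std::uint8_t* payload = msg + 1;
    std::size_t sum = 0;
    for (std::size_t i = 0; i < len; ++i) {
        sum += payload[i];
    }
    return sum;
}

// Guideline style. The buffer arrives as a container that knows its own size
// (std::vector here to stay on C++17; with C++20 the parameter would be
// std::span<const std::uint8_t>, the view type the guidelines recommend), so the
// declared length is validated before any element is touched. A record that
// claims more bytes than were received is rejected rather than overread.
std::optional<std::size_t> checked_checksum(const std::vector<std::uint8_t>& msg) {
    if (msg.empty()) {
        return std::nullopt;                  // no length byte at all
    }
    std::size_t len = msg[0];
    if (len > msg.size() - 1) {
        return std::nullopt;                  // declared length overruns the buffer
    }
    std::size_t sum = 0;
    for (std::size_t i = 1; i <= len; ++i) {  // indices 1..len are now known to exist
        sum += msg[i];
    }
    return sum;
}

// Constructed sample records (not taken from the article).
const std::vector<std::uint8_t> kGoodRecord{3, 10, 20, 30};   // claims 3 bytes, 3 present
const std::vector<std::uint8_t> kShortRecord{5, 1, 2};        // claims 5 bytes, only 2 present

int main() {
    // Well-formed record: both parsers agree on the sum.
    std::size_t a = legacy_checksum(kGoodRecord.data());
    std::optional<std::size_t> b = checked_checksum(kGoodRecord);
    // Truncated record: the checked parser refuses it. The legacy parser would
    // read past the end of kShortRecord, so it is deliberately not called on it.
    std::optional<std::size_t> c = checked_checksum(kShortRecord);
    return (a == 60 && b.has_value() && *b == 60 && !c.has_value()) ? 0 : 1;
}
```

The point the analyzer makes is structural rather than about this one bug: once a function takes a raw pointer and a separately supplied length, no tool can know at that call site whether the two agree, whereas a container or span keeps the size and the data together, so the check in `checked_checksum` is both possible and cheap.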
He also points out that those working in application domains that prioritize performance over type safety could “apply security guarantees only when necessary and use our favorite tuning techniques” in all other cases.
Similarly, Stroustrup states that
“Unfortunately, much of C++ code is stuck in the distant past, ignoring improvements, including ways to drastically improve security. [But] billions of lines of C++ code aren’t going to magically disappear, and even ‘safe’ code (in any language) will have to call or be called by traditional C or C++ code that offers no specific security guarantees.”
Via | Slashdot
Image | Based on original by TheTrueAPlus (via Wikipedia)