
Why Modern C++ Still Isn't As Safe As Memory-Safe Languages Like Rust and Swift

Monday April 22, 2019, 01:34 AM, from Slashdot
Alex Gaynor is a software engineer at Mozilla working on Firefox, after previously serving as a director of both the Python Software Foundation and the Django Software Foundation.

In a new blog post today, he argues that memory-unsafe languages, 'principally C and C++,' induce an exceptional number of security vulnerabilities, and that the industry needs to migrate to memory-safe languages like Rust and Swift by default.
One of the responses I frequently receive is that the problem isn't C and C++ themselves; developers are simply holding them wrong. In particular, I often receive defenses of C++ of the form, 'C++ is safe if you don't use any of the functionality inherited from C' or similarly that if you use modern C++ types and idioms you will be immune from the memory corruption vulnerabilities that plague other projects. I would like to credit C++'s smart pointer types, because they do significantly help. Unfortunately, my experience working on large C++ projects which use modern idioms is that these are not nearly sufficient to stop the flood of vulnerabilities...

Modern C++ idioms introduce many changes which have the potential to improve security: smart pointers better express expected lifetimes, std::span ensures you always have a correct length handy, std::variant provides a safer abstraction for unions. However, modern C++ also introduces some incredible new sources of vulnerabilities: lambda capture use-after-free, uninitialized-value optionals, and un-bounds-checked span.
My professional experience writing relatively modern C++, and auditing Rust code (including Rust code that makes significant use of unsafe), is that the safety of modern C++ is simply no match for memory-safe-by-default languages like Rust and Swift (or Python and JavaScript, though I find it rare in life to have a program that makes sense to write in either Python or C++). There are significant challenges to migrating existing, large, C and C++ codebases to a different language -- no one can deny this. Nonetheless, the question simply must be how we can accomplish it, rather than if we should try.

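The three modern-idiom hazards named in the quoted post (lambda capture use-after-free, empty optionals, unchecked span indexing), shown as an added C++ example that is not from Gaynor's post or the Slashdot story: a closure that captures a local by reference beside one that owns its state, a checked index that works over any sized container (std::span is C++20 only, so the template is exercised over std::vector here), and an optional-returning parser whose callers unwrap only via value_or. All function names are my own.

```cpp
#include <cstddef>
#include <functional>
#include <memory>
#include <optional>
#include <string>
#include <vector>

// Lambda capture lifetime. Returning a closure that captured a local by reference
// leaves a dangling reference; invoking it is a use-after-free. This function is
// deliberately never called anywhere; it only shows the shape of the bug.
std::function<int()> make_counter_dangling() {
    int count = 0;
    return [&count] { return ++count; };   // &count is gone once we return
}

// Hardened form: the closure owns its state. The shared_ptr keeps the counter
// alive for as long as any copy of the closure exists, so copies share one count.
std::function<int()> make_counter_owned() {
    auto count = std::make_shared<int>(0);
    return [count] { return ++*count; };
}

// Demonstrates that copies of the owning closure share the same live state.
int count_via_copies() {
    auto first = make_counter_owned();
    auto second = first;          // copy of the closure, same shared counter
    first();                      // 1
    second();                     // 2
    return first();               // 3
}

// Bounds checking. operator[] on std::span (as on vector/array) does not check the
// index. This returns nullopt instead of reading past the end and works on any
// container exposing size() and operator[], std::span included.
template <class Seq>
std::optional<typename Seq::value_type> checked_at(const Seq& s, std::size_t i) {
    if (i >= s.size()) return std::nullopt;
    return s[i];
}

// Empty optionals. operator* on an empty std::optional is undefined behaviour, so a
// caller must test has_value() or use value_or. Returns nullopt unless text is a
// decimal number in 1..65535.
std::optional<int> parse_port(const std::string& text) {
    if (text.empty() || text.size() > 5) return std::nullopt;
    int value = 0;
    for (char c : text) {
        if (c < '0' || c > '9') return std::nullopt;
        value = value * 10 + (c - '0');
    }
    if (value < 1 || value > 65535) return std::nullopt;
    return value;
}

int port_or_default(const std::string& text, int fallback) {
    return parse_port(text).value_or(fallback);   // never dereferences an empty optional
}
```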
The post highlights what he describes as 'completely modern C++ idioms which produce vulnerabilities' -- including an example of dangling pointers 'despite our meticulous use of smart pointers throughout...'

'Even with the most modern C++ idioms available, the evidence is clear that, at scale, it's simply not possible to hold C++ right.'

Read more of this story at Slashdot.
rss.slashdot.org/~r/Slashdot/slashdot/~3/Hr-Xl-egTUc/why-modern-c-still-isnt-as-safe-as-memory-safe-...