Microsoft: 70 Percent of All Security Bugs Are Memory Safety Issues (zdnet.com) 193
Around 70 percent of all the vulnerabilities in Microsoft products addressed through a security update each year are memory safety issues; a Microsoft engineer revealed last week at a security conference. From a report: Memory safety is a term used by software and security engineers to describe applications that access the operating system's memory in a way that doesn't cause errors. Memory safety bugs happen when software, accidentally or intentionally, accesses system memory in a way that exceeds its allocated size and memory addresses. Users who often read vulnerability reports come across terms over and over again. Terms like buffer overflow, race condition, page fault, null pointer, stack exhaustion, heap exhaustion/corruption, use after free, or double free -- all describe memory safety vulnerabilities. Speaking at the BlueHat security conference in Israel last week, Microsoft security engineer Matt Miller said that over the last 12 years, around 70 percent of all Microsoft patches were fixes for memory safety bugs.
Meaning (Score:5, Funny)
Around 70 percent of all the vulnerabilities in Microsoft products ... are memory safety issues.
They can't remember how to code safely. :-)
Re:Meaning (Score:4, Interesting)
True. Part of the issue is that some languages easily lets you develop programs that don't use memory safely. C/C++ easily let you develop applications that violate memory safety.
You have to be constantly vigilant, and everyone else who develops for the same project has to be constantly vigilant. Mistakes will happen, and nothing will call you out on it unless you do extensive memory safety testing or configure and use some tools that help detect common memory safety issues and hope that you catch anything they don't.
Re: (Score:2, Insightful)
Re: (Score:2)
Ooh, analogies!
Did you know that modern cars have more safety features, meaning that you're much less likely to die in a collision in a modern vehicle, due to things such as airbags, seat belts, crumple zones, automated braking, etc.?
Just like modern, higher level languages give developers enough access to much of the system without requiring you to worry as much about memory safety, most car drivers don't need drag racers to get to work.
Re: (Score:2)
My point was simply that analogies suck, because they can be flipped around on you.
If you want to continue the analogy, safety features do have costs. Either in R&D, per part costs, performance, etc.
Safety in computing has costs and trade-offs as well. Performance impact is there for managed languages, but modern computers are so much faster than older systems that the safety costs are unimportant for most applications, and the added cost of developer time greatly outweighs the much cheaper systems.
Re: (Score:2)
In the case of ABS and traction control, yes indeed.
Re:Meaning (Score:4, Informative)
The modern C++ idiom easily lets you develop applications where you barely touch memory safety yourself, and competent libraries (such as the STL) do all the hard lifting.
C does not let you do this in any natural way.
If you wish to write your own RAII-compliant classes, you do need to book off half a day to watch (and digest) this series of three videos: CppCon 2014: Jon Kalb "Exception-Safe Code, Part I" [youtube.com]
Outrageous investment? Well, it's your life.
Re: (Score:3)
Fair point. If you are careful to not use any of the low level memory allocation functions except in exceptional circumstances, you can easily create modern C++ applications without memory safety issues by sidestepping them entirely.
However, a lot of applications have been developed before these paradigms became common, and I'm sure that a lot of applications have been developed since by developers who didn't know any better or reject them for whatever reason and thus don't use those paradigms.
I guess my cr
Re:Meaning (Score:5, Interesting)
I did low-level code for ~15 years without ever having a memory leak or memory safety bug. Not because I'm especially diligent, but because I was in areas where it just didn't come up. From primitive assembly (with no dynamic memory allocation in the first place, it's hard to screw it up) to C++ done right.
Those odd corner cases are nearly the same set of places where it still makes sense to use low-level languages in the fist place. These days, if you're creating a large C code base where you're constantly allocating and freeing resources, it's almost certainly the wrong tool for the job. OTOH, if half your variables are "const volatile" because they're really memory-mapped sensors, or you only allocate memory at startup because you can't do anything dynamic in your hard realtime system, then it's both the right tool and these memory-use bugs are barely relevant.
Re:Meaning (Score:5, Insightful)
Large systems require a lot of developers, and even the best developer can have a bad day and make a mistake that potentially exposes their application to various memory exploits. Sometimes you have to pay the tax of having better developers, more tools, etc. to make the applications safer.
But, in general, as processors get faster, memory amounts in modern computers gets higher, we should move away from such languages except for projects that require them.
Re: (Score:2)
But, in general, as processors get faster, memory amounts in modern computers gets higher, we should move away from such languages except for projects that require them.
Kind of getting unnecessary though. Type systems have advanced to the point where you can have zero abstractions and memory safety. Nothing will obviate the need for competent programmers though.
Re: (Score:2)
If you have good coders, this is pretty much a non-issue.
And time/resources to think things through, review and revise before pushing it out the door.
Re: (Score:2)
That is more on the architecture and design side, but definitely has a huge impact on overall quality.
Re: (Score:2, Insightful)
The practical reality is that memory safety is a problem. Ideological utopias do not exist. Languages like Rust [rust-lang.org] are trying to mitigate the problem of memory safety in the real world. Forget your ideology and try to find a way forward to some pragmatism.
Re: (Score:3)
The ideology here is with the Rust fanatics that completely ignore that developer quality is critical, regardless of language. While C does allow you to do a lot of dangerous things, a modern compiler will warn you and a competent developer will know how to avoid most of them. The memory problems in C are a symptom, not a root cause and that is what you people consistently get wrong.
Re: (Score:2)
a competent developer will know how to avoid most of them
Re-read the title of the article. 70% of security bugs are memory safety issues. Your ideology is not working. It has failed.
Re: (Score:2)
To say this is the fault of C and C++ is disingenuous.
Read the slides from the talk [github.com]. They specifically mention C++ as a problem to be solved. And they're right.
Re: (Score:3)
To say this is the fault of C and C++ is disingenuous.
Read the slides from the talk [github.com]. They specifically mention C++ as a problem to be solved. And they're right.
C++ allows you to write safe code, much safer than C.
The probelem is C programmers calling themselves C++ programmers when all they're really doing is using a C++ compiler to write C.
Re: (Score:3)
It is a poor craftsman that blames his tools
A good craftsman doesn't use poor tools. Harden up and get some practicality, my son.
Re: (Score:2)
The fallibility of human beings is the root cause. You can mitigate that fallibility or maintain an absolute illusion of control.
PS. do you ride a motor cycle by any chance?
Re: (Score:2)
I don't think you can mitigate that fallibility. You can only try to get humans that have mostly overcome it in the desired application domain.
P.S.: No. Why do you ask? I am not even driving a car because I know I am a bad driver.
Re: (Score:2)
Like any fanatic, you are utterly convinced _you_ have the truth and nobody that disagrees with you can be right. Pathetic. You are dead wrong though, no surprise.
Re: (Score:2)
You are dead wrong though
Microsoft has shown you a study which backs my claims. One of their specific recommendations [github.com] is that they need to move to languages with better memory safety (like Rust).
Show me a study which backs your claims.
Re: (Score:2)
He does not. The reason I can hold my position is that I am an actual expert, not somebody that can only regurgitate marketing propaganda. Sure, memory errors are a problem, but they are just a symptom and fixing them will just move the problem somewhere else, where it may do even more damage. This can only be fixed by addressing the root cause.
Incidentally, he did start with the Ad Hominem and that is what I called "pathetic".
Re: (Score:2)
I am an actual expert
You really aren't. You're just making a baseless claim and doing nothing to refute Microsoft's study.
Show me a study which supports your claim that these mythical perfect programmers will solve everything. Show me evidence. Show me data. I am waiting.
Re: (Score:3)
The ideology here is with the Rust fanatics
How about we have a sensible adult conversatio where we ignore the fanatics of any sort? Does Rust have fanatics who say stupid stuff? Yep. Does C? Oh hell yes. So does C++, python, Ruby, PHP and probably there's even a MUMPS fanatic out there if you look hard enough.
I'm a C++ developer day to day but familiar with lots of languages. I have read about Rust but neverused it in practice and aren't likely to start any time soon for various reasons. However...
While C
Re: (Score:3)
Re: (Score:2)
C, on the other hand, seems to attract a bizarre level of machismo, people absolutely insisting that C is the best, and the only reason why there's so much terrible C written is that the average programmer is worse than they are, because C, you know, it needs to be written by a true expert. A REAL C programmer. Programming in REAL C. Alongside REAL men, REAL women, and REAL small furry creatures from Alpha Centauri.
I like the attidude (see sibling post) that because tools can't make bad programmers good, th
Re: (Score:2)
And you also do not get it. Tools are nice, but tools cannot fix bad coders. In C that is just more obvious than in Rust. Hence while Rust may offer some benefits, they are nowhere near as good as claimed because its proponents gloss over the fact that bad coders will then just make other mistakes. Now, the thing is that I have seen these claims of "great new tool will solve all problems" (I exaggerate, of course) numerous times and they _never_ pan out. Hence I am not easily impressed anymore.
What I am obj
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Look, C is dangerous.
Nope. Bad coders are dangerous and they are so in any language.
Re: (Score:2)
Well, let me clarify that a bit, since you seem to actually trying now instead of just doing the thing where you are utterly convinced to have the truth and everything else must be squashed. So:
1. Bad coders are a huge danger. They are the root-cause for most problems with security and other bugs, unmaintainable code and most of what is wring with coding today.
2. Languages are a minor issue. They can somewhat reduce problems and cost, but they cannot and will never be able to increase developer quality. The
Re: (Score:2)
Re: (Score:2)
And what language is Rust written in
Rust is written in Rust [wikipedia.org], and before that it was written in OCaml. It's been self-hosted for quite some time.
Re: Meaning (Score:2)
Re: (Score:2)
The question was what language
Microsoft has VERY poor management, apparently. (Score:2)
Microsoft Admits Normal Windows 10 Users Are 'Testing' Unstable Updates [forbes.com] (Dec. 12, 2018)
Doesn't help if you remember (Score:4, Insightful)
They can't remember how to code safely. :-)
The problem is, even if you know full well how to "code safely" all it takes is one slip, or some interaction with another part of the system you didn't fully understand, and you are done.
That is why for most things, sadly languages that allow such slip-ups simply have to go. We cannot live like this forever in a world of chaos where any system of any size is just moments away from disaster or infiltration. As an industry we have to somehow ratchet ourselves forward, even if only a little bit.
Re: Doesn't help if you remember (Score:2)
In what way is Golang not fast?
I'm not a fan. But it's faster than c# or Java.
Re: (Score:2)
1. rewrite everything in Rust or very good C++ or some other language that is provably secure and just as fast as the C that these things are written in (so expensive and time consuming that it's practically impossible)
That is exactly what I am saying. You say it's too expensive. How many billions of customers must be hacked until it is considered viable? How much system downtime, lost or corrupted data, cooperate secrets leaked forever?
We can't do everything at once but we could also do at least a think
Re: (Score:2)
MS should really be abandoning Windows and trying to figure out how to either use Linux
Seems like a bad idea. In 2018 the top 6 products with the most security flaws [cvedetails.com] were all Linux products. How do you account for that?
Re: Doesn't help if you remember (Score:4, Informative)
The question is whether these 900+ vulnerabilities are 300 duplicated vulnerabilities for each branch, or whether they are more heavily biased towards the testing or stable branches.
Once you get past Debian and Android, the next ones are at around the 300 mark, and Windows 10 is in the top ten.
And if you really want to compare Linux, not that RedHat Enterprise Linux is much further down the list than even Windows Server, much less Windows 10.
Re: (Score:2)
Uhm, first one with 900+ vulnerabilities is Debian. What they don't indicate is what branch or branches of Debian is included.
plus debian comes with a lot of non critical stuff, applications, out of the box.
Re: (Score:2)
I do not know how many vulnerabilities would exist if we included everything that uses the MS ecosystem as this does with Debian, it would be a very large number. Suffice it to say those are not the bugs MS is talking about MS fixing.
There were 775 Windows 10 vulnerabilities in 2018, there were 604 "Linux Kernel" vulnerabilities in 2018 (which kernels, and how many were affected by the largest set of these, is unknown, but by definition 604), there were 385 FreeBSD kernel vulnerabilities in 2018.
MS is relea
Re: (Score:3)
I do not know how many vulnerabilities would exist if we included everything that uses the MS ecosystem as this does with Debian
So you're saying Debian's development, packaging, and distribution model is fundamentally flawed from a security point of view? That doesn't inspire me to use Debian.
There were 775 Windows 10 vulnerabilities in 2018
There were 255 Windows 10 vulnerabilities in 2018. I don't know where you're getting 775 from. You're probably confusing it with the "all time leaders" vulnerability counts. If we look at the all time leaders, Debian is number 1 and "Linux Kernel" is number 2.
Re: (Score:3)
Re: (Score:3)
Re: (Score:2)
Around 70 percent of all the vulnerabilities in Microsoft products ... are memory safety issues.
They can't remember how to code safely. :-)
Not at all. They have a huge legacy codebase. Rewriting all those strcpy and strncpy calls to strlcpy takes time.
And except for modern C++, C and C++ historically lacked reference counting, which gives you the additional joy of debugging use-after-free violations. These bugs are remarkably easy to cause and remarkably hard to detect until something just randomly crashes.
A missing null is a terrible thing. (Score:3)
I wonder how much the people who designed the C string (string of characters, implicitly terminated by a null) knew of its potential issues in the long term, and if they would have gone with ptr+length instead if they knew?
Re: (Score:3)
I am sure they were aware. They likely just badly misjudged the typical quality of coders.
Re: (Score:3)
I am sure they were aware. They likely just badly misjudged the typical quality of coders.
More likely they just didn't anticipate the degree of maliciousness we have today and they probably also didn't expect C to have such a long lifespan.
Re: (Score:3)
To be fair, a lot of C's early use was to create tools for trusted users that were run from a commandline and typically didn't even need to worry too much about memory, as the OS would deal with clearing up anything the application didn't clear up after it exits.
I'm not sure that the designers could have predicted the rise of the internet, and our globally connected world where inherent trust just isn't applicable.
Re: (Score:2)
To be fair, a lot of C's early use was to create tools for trusted users that were run from a commandline and typically didn't even need to worry too much about memory, as the OS would deal with clearing up anything the application didn't clear up after it exits.
I'm not sure that the designers could have predicted the rise of the internet, and our globally connected world where inherent trust just isn't applicable.
True, but C has also suffered from stagnant development and downright neglect. C could have benefitted immensely from some project like the C++ boost project whose features get integrated into progressive C updates a long time ago.
Re: (Score:2)
They might have, but doing so wouldn't have avoided the problem -- even with a ptr+length scheme, you're still dealing with pointer artihmentic, and so it's still quite easy to mess up and read/write outside of your buffer's bounds, if you aren't careful.
An effective fix requires language support, with the holy grail being a language where a buggy or insecure program simply won't compile, and therefore any program that does compile is much more likely to be secure/bug-free. Languages like C# and Rust are h
Re: (Score:2)
It would have brought a different set of problems, for sure. And we can never know what hundreds of thousands of developers, etc. would have discovered about it. But, it certainly would have made certain classes of issues pretty much non-existent.
Re: (Score:2)
Languages like C# and Rust are headed in that direction, although I think there is still a long way to go before we have a language that is both "safe" and efficient.
You say that like Rust isn't "safe" and efficient.
Re: (Score:2)
safe and efficient, and simple and comprehensible.
The former two for obvious reasons, and the latter two so that it is adopted widely for development, and so that it is maintainable.
Re: (Score:2)
Yeah, but other languages that existed at the time (Pascal) had run-time bounds checking, and there's no reason C couldn't have done that too, with the addition of a slightly richer string syntax. Though they couldn't have anticipated the long-term securit
Re: (Score:2)
I do remember one of the creators of C describing that particular decision - and it was a decision - to be their greatest mistake. I loathe that language, along with those which share these deficiencies.
Re: (Score:2)
Spoken like a true moron. I suppose lack of memory safety is a "decision" for processor manufacturers too. How dare assemblers not implement proper heap protection!
If you can't understand tools and how they are used, find something else. Your inability to code properly is not C's fault.
Re: (Score:2)
...I suppose lack of memory safety is a "decision" for processor manufacturers too. How dare assemblers not implement proper heap protection!
.
Actually, it was a decision [wikipedia.org], and some vendors made different choices. Quite successful choices.
while (*p++=*q++);
when you actually mean
p = q;
(and the idiom depends on idiosyncrasies of the PDP-11 instruction set), was a stupid decision.
Re: (Score:2)
I was just learning how wonderful the VAX Descriptor could be right when this char *c=null thing took hold in WinNT. No easy way to double check your string lengths or anything. WinNT 3.1 even pushed GDI into the kernel, and they got what they expected. Memory performance right when the memory price point was becoming really cheap, and lots and lots of memory bugs.
Somehow in my sleep, I could hear Dave Cutler screaming "Noooooooooo"!!!!!!!.
Re:A missing null is a terrible thing. (Score:5, Interesting)
Joel Spolsky has provided some background [joelonsoftware.com] on this.
Re: (Score:3)
I wonder how much the people who designed the C string (string of characters, implicitly terminated by a null) knew of its potential issues in the long term, and if they would have gone with ptr+length instead if they knew?
How does pointer+length fix a maliciously (mal)formed string?
For each string that enters the system you'll need to check the length against the data you've been given, at which point you may as well have just used a terminating NULL because the result is the same (because the length might be lying to you)
Okay, lets say that you *are* checking the length against the input - what do you do when the length is (uint64_t)-1? At that point you may as well have just used a terminating NULL anyway, because the re
Re: (Score:2)
Not going to do a point by point breakdown of that, but, I dread to think of how expensive it would be to get the length of a string if you're considering uint64 sized strings if it were null-terminated.
Re: (Score:2)
I can think of no valid reason why you'd ever want to have a string as large as 16 exabytes and think it's ever a good idea to have to walk the entire thing to figure out its length.
Re: (Score:2)
Edit: Even if you can evaluate 4 billion characters per second, you're looking at 146 years to calculate the length of that string.
Re: (Score:2)
16 exabytes, actually.
Re: (Score:2)
I feel like there's a fundamental misunderstanding of what ptr+len means.
It means that all of the c api's functions would be based around this idea. So, for example, "get_s()" would return a structure containing the length of the string and a pointer to the first character. It means that "str_concat()" would take in two of these structures and return a new one, etc. (or, some idiomatic c equivalent of these things).
Exactly how do you think that a "malformed string" would get in that lies about its length? I
Re: (Score:2)
And, yes, I realize that you can certainly write code that creates malformed strings. The point is that the standard C library itself would have memory safety built into its own handling of strings.
Re: (Score:2)
Re: (Score:2)
No, he's right. There's nothing he wrote that implies he doesn't know what a null is. There's plenty that you're writing here though that shows you don't understand the problem.
There is absolutely nothing about null termination that's more secure than length+string. It's entirely possible, and indeed a common source of errors, to not put a null at the end of a string, for example:
This will, on C compilers that store everything in the most obvious way (which isn't all of them) print "Hell is a language called C". On others, it'll fill your screen with garbage. And on a handful it'll, by accident, print "Hell" because whatever data is stored after "buffer" happens to be zero by coincidence.
How is this better? It isn't! And it's not a contrived answer either, because strncpy was introduced precisely to prevent buffer overflow errors, and yet nobody noticed between implementation and standardization/release that to use it in such a way that it didn't cause overflows a programmer had to do a, usually redundant, step of sticking a null in the last element of the destination buffer, just to make sure that if the string was too long, it was still a string.
Yes, null termination is so bad that even the experts at ANSI couldn't figure out how to fix it properly. (IIRC it was the OpenBSD people who introduced the world's first safe string copying function as a standard - in the very late nineties, 15-20 years after C first appeared. FIFTEEN FUCKING YEARS. FIFTEEN to SAFELY COPY A STRING. Do you have ANY idea how terrible that is?
I said:
How does pointer+length fix a maliciously (mal)formed string?
And you display how a maliciously malformed string is a problem!
My entire post was on strings entering the system - once it's in and validated you don't have more problems with null-terminated than with ptr_length. Before it's in, you have all the same problems with null-terminated than with ptr+length.
Using ptr+length doesn't buy you anything unless you trust the length, in which case you may as well trust the null-terminator.
That snippet you posted has a bug because the length indicator was wr
Re: (Score:2)
Re: (Score:2)
Heartbleed came about because the incoming string was ptr+length.
There is no security advantage at all in ptr+length. What there is, is a speed advantage. In Delphi it's known as "shortstring", and is an excellent tool for high speed string manipulation where no string will be longer than 255 bytes.
Re: (Score:2)
C was designed to be more of a shorthand for assembly rather than a high level language.
There is no string type in C. The C Standard Library functions that are string-related have to assume that the pointer you pass will be a pointer to a null terminated array. Those Standard Library functions could have been set up so that they accept a length argument... and in fact, some functions do accept/require a length element. strncpy() is one such function.
C is perfectly fine. The C Standard Library could use some
So create standards-compliant functions MickeySoft (Score:4, Informative)
The C Standard added Annex K, Bounds-checking Interfaces [port70.net] in an effort to address this.
Every see all those "sprintf() is deprecated" misleading error messages from Visual Studio? The ones that make you think that functions that are required by the C standard are "deprecated"?
Well, Microsoft on the surface seems to be pushing you to use those "safer" Annex K functions? No, not really. They're pushing you to use Microsoft's bullshit versions. Per the C committee:
Field Experience With Annex K — Bounds Checking Interfaces [open-std.org]
...
Microsoft Visual Studio
Microsoft Visual Studio implements an early version of the APIs. However, the implementation is incomplete and conforms neither to C11 nor to the original TR 24731-1. For example, it doesn't provide the set_constraint_handler_s function but instead defines a _invalid_parameter_handler _set_invalid_parameter_handler(_invalid_parameter_handler) function with similar behavior but a slightly different and incompatible signature. It also doesn't define the abort_handler_s and ignore_handler_s functions, the memset_s function (which isn't part of the TR), or the RSIZE_MAX macro.The Microsoft implementation also doesn't treat overlapping source and destination sequences as runtime-constraint violations and instead has undefined behavior in such cases.
As a result of the numerous deviations from the specification the Microsoft implementation cannot be considered conforming or portable.
So, MickeySoft, just STFU about memory problems when you use them as nothing more than an excuse to push your proprietary version of C on the population.
Re: So create standards-compliant functions Mickey (Score:2)
Microsoft doesnâ(TM)t make a C compiler. VisualC++ is just that a C++ compiler (that just happens to compile some C programs).
This is about MS bugs, not general ones (Score:2)
Why they do not have that under control is puzzling. Well, not really, this is MS, after all.
Re:This is about MS bugs, not general ones (Score:4, Informative)
You seem to be unaware of the scales here: A typical Linux distro will have > 1000 applications. MS does not even make that many. And no, it is not all memory safety. This is an MS issue.
Re: (Score:2)
It's an MS issue, look at the article, MS is fixing the bugs. You can bet your ass they're not fixing other people's bugs. If their API code is not up to dealing with bad applications (intentional or malicious) then it really is their bug. *Most* of the apps with horrible security issues that require immediate fixes on other OSes are running with some level of enhanced privilege. On Windows... who the hell knows, apps run with escalated privileges just because they ask and the user hits yes. That's a real p
MS's Jim Allchin... (Score:3)
Re:MS's Jim Allchin... (Score:5, Insightful)
... didn't he once say that Microsoft addressed the memory security issues in Windows? Maybe 15 years ago?
Microsoft developed and provided all the tools you'd need to avoid the problem, and then apparently never bothered to use them themselves.
Quality Control (Score:2)
They have heard about it and almost completely wiped out Quality AND Control.
This is not new (Score:4, Interesting)
This has been the vast majority of security bugs for 30 years. This is why every new language in the last 20 has sort of automatic memory management. Even C++ has moved in this direction with the vast selection of smart pointers.
There's a reason (Score:2)
Strange then that the various rewrites of Windows and the kernel, and device drivers etc. don't use a memory-safe language. Or that I'm really pushed to name an OS that *wasn't* written in C / C++ and might be something that anyone's heard of except on a tech forum.
Maybe something to do with the fact that - despite what's claimed - memory-safe languages tend to be slower and/or consume more resources in the first place. That's the problem you need to fix - push the memory safety into hardware, so it doesn
Re: (Score:2)
This is mostly a strawman.
None of those languages were ever considered real candidates for OS or driver development, except Rust (which generates the same machine code with safer high-level constructs).
As much as I dislike C, I am fine with it for kernel and driver development. C can be mostly safe IF you pour a lot of human resources to review it. People always assume they are better at things than they actually are... and with C that is more of a problem.
Not all that makes an OS and presents vulnerabiliti
Re: (Score:2)
That there isn't a mainstream, popular, memory-safe language that is suitable for writing an OS (to the point that *anyone* from the entire tech industry has written an OS in it that's mainstream/popular in itself?) is a strawman?
No, that's my exact point.
Any language is an expression of your intention. If your intentions are poorly thought out, planned, described and executed, that's a fault common to all languages and little can fix that (expecting the "grammar" or "vocabulary" of a particular language t
Re: (Score:2)
No, the strawman is pointing to scripting languages like Python and Javascript and saying they won't cut it for writing an OS. Of course, they don't. Who is even suggesting?
Again, I am not arguing against use of C for kernels. I am arguing against using C style programming (trusting humans with transparent memory access) unless it is absolutely warranted.
I am also not getting the sense that you properly tried Rust yet.
https://ruudvanasseldonk.com/2... [ruudvanasseldonk.com]
It does do safer constructs with no extra cost. It does s
They should know (Score:2)
Should (Score:3)
And water is wet .. (Score:2)
I thought Slashdot showcased NEWS for nerds... (Score:2)
How is this news?
More important, WTF has Microsoft done to prevent 70% of those errors? They've plowed an impressive amount of money creating their developer tools division. Couldn't have they shelled out a few more million to design a memory safe language and implemented it upon their VM (CLR)? Why do they perpetuate their OS product on a language (C++) utterly vulnerable and responsible for 70% of those security holes. Yes, C++ is capable of being type safe and memory secure, but apparently most peopl
Re: (Score:2)
the missing null terminator .
"I won't be back..."
-- or --
"Listen, and understand! That Terminator is not out there! It can't be bargained with. It can't be reasoned with. It doesn't feel pity, or remorse, or fear. And it absolutely will not stop... ever, until your program is dead! "
Re: (Score:3)
32GB in my laptop. Chrome is using 600MB and ive done nothing special. It hardly consumes all available ram.
Yeah, but once you OPEN Chrome it'll use 6 GB.
Radical? solution (Score:2)
Either rewrite from scratch, or develop smart auto-migration tools then repair the results.
The auto-migration tools can try to infer "intent of a sane programmer" and put in a whole bunch of additional memory safety checks.
I suppose it could put the memory safety checks in to code in the original language (yuck) or could put them in by migrating the code to the new safer language.
BTW Betrand Meyer has some interesting stuff going on in the area of safe concurrent programs
Re: Radical? solution (Score:2)
"Betrand Meyer has some interesting stuff going on in the area of safe concurrent programs these days, using an extension of Eiffel."
Eiffel is a beautiful language. Man I wish more companies would use it for real work.
Re: (Score:2)
Get off these 50 year old languages?
Onto what? If it's Java then 70% of your issues will be JVM exploits. If it's SQL then 70% of your issues will be SQLI. If it's HTML then 70% of your issues will be XSS. If its $X then 70% of your issues will be $Y, for any value of X in combination with whateer Y goes with it.
Warning: unused parameter (Score:2)
All warnings should still be errors
Your method forms part of a class that implements an interface including a particular parameter, but your implementation of said interface has no need for that parameter. The compiler issues a warning that your method does not use this parameter, and your policy is to treat all warnings as errors. How do you make your method fit the policy?
Re: (Score:2)
A race between two threads that call a language's equivalent of malloc or free can certainly corrupt their shared heap.