Microsoft Open-Sources 'Checked C,' A Safer C Version

An anonymous reader writes from a report via Softpedia: Microsoft has open-sourced Checked C, an extension to the C programming language that brings new features to address a series of security-related issues. As its name hints, Checked C will add checking to C, and more specifically pointer bounds checking. The company hopes to curb the high-number of security bugs such as buffer overruns, out-of-bounds memory accesses, and incorrect type casts, all which would be easier to catch in Checked C. Despite tangible benefits to security, the problem of porting code to Checked C still exists, just like it did when C# or Rust came out, both C alternatives.

Check'em

So they're calling it Checked C, or CC?

Checked, indeed.

Re:Check'em

[93+Escort+Wagon]

There's also a Generalized Checked C - GCC for short.

Re: Check'em

[ememisya]

*lol* First thing that popped into my mind was magic number warning for every pointer. "It says here you just added 4, and it worked?" Well yes, I just reserved that many bytes for that. "Why don't you first give that number a number in the memory, so you can call your numbers from that number?" *turns off magic number for pointers*

Re: Check'em

[93+Escort+Wagon]

Up pops Clippy - "It looks like you're voiding a pointer!"

Re: Check'em

[mysidia]

Up pops Clippy - "It looks like you're voiding a pointer!"

Hey, John, It looks like you want to write some spaghetti code dereferencing Null pointers. Would you like help?

• Get help writing spaghetti code
• Just continue dereferencing null pointers without help

Re: Check'em

[ememisya]

No spaghetti in the code! Also after doing years of Java and checkstyle, dereferencing sounds weird. I mean I get it, it's the value from the memory, not the number to its start, but it just feels like "referring" to a null pointer doesn't it? Maybe it's just me. I'm referring to 50, ohh nothing there which fits the bill, I was dereferencing... maybe it's just the language, you don't delocate a gift box do you? You locate and pick it up. It's also delocated, okay I'm done with this.

Re: Check'em

[Wolfrider]

--Call me when you can successfully compile the Linux kernel on this thing...

Re: Check'em

[ememisya]

C... why do you even variable bro?

Re: Check'em

MS already wrote one...

What a Waste of Time

If strcpy_s is their idea of a safer C I don't want to find out what a whole language like that is.

Re:What a Waste of Time

strcpy_s is part of the C11 standard, and it was a library addition, not a language change.

Re:What a Waste of Time

All these noobs preoccupied with the "security" of libc string function... nobody use the libc string function not because they are insecure, but because they are bad. They are also trivial to implement if you really need them. Anyone that need to process text will build a proper parser.

String are the least important aspect of any programe... except helloworld.c which is all about string and accomplish nothing.

Re:What a Waste of Time

strcpy_s was a Microsoft proposal, in all fairness. Proposed at WG14 meeting in Redmond, 2004 IIRC.

Re:What a Waste of Time

[TemporalBeing]

All these noobs preoccupied with the "security" of libc string function... nobody use the libc string function not because they are insecure, but because they are bad. They are also trivial to implement if you really need them. Anyone that need to process text will build a proper parser.

Except nearly all parsers will use them in some form.

String are the least important aspect of any programe... except helloworld.c which is all about string and accomplish nothing.

If you think string parsing, manipulation is the least important aspect, then it is very obvious you do not actually do any programming any more. Inputs are more and more becoming linked with string parsing, gaining larger and larger influences over RPC APIs since XML and now JSON.

Re: What a Waste of Time

Yo dawg, I hear you like to parse strings!!

Re:What a Waste of Time

[lgw]

Meh, I wrote a functional kernel-mode XML parser used in production for a job a few years back. Didn't use a single library string function, which was the point here. As the GPP said: anyone that needs to process text will build a proper parser.

memcpy is different: it's full of surprisingly complex optimizations. But memcpy_s is fucking stupid.

Re:What a Waste of Time

[TemporalBeing]

Meh, I wrote a functional kernel-mode XML parser used in production for a job a few years back. Didn't use a single library string function, which was the point here. As the GPP said: anyone that needs to process text will build a proper parser.

Well, kernel-mode would prevent you from using something from libc any way...so yeah you don't have to but it's still better to do so when you can; kernel-mode stuff typically provides its own series of functions instead of using standard library stuff so as not to get unwanted dependencies - though that all depends on what you're willing to accept as a kernel writer (some may like to just import libc and provide the necessary hooks to just run it).

memcpy is different: it's full of surprisingly complex optimizations. But memcpy_s is fucking stupid.

all the *_s() functions are stupid. Every time I have to write code for Windows software I have to map numerous functions from _() to (); the _s() just uses it (or something very much like it) behind the scenes any way.

C99 and C11

This won't gain traction until it's compatible with the C99 and C11 standards.

Re:C99 and C11

This won't gain traction until it's compatible with the C99 and C11 standards.

how the heck are you gonna shoehorn this into standard C? We are talking about restricting what the programmer can do, there's NO WAY you can achieve bounds checking behavior without breaking existing C behavior, because "broken" programs with bounds checking problems are "perfectly acceptable" C.

Re:C99 and C11

There's no quotes around perfectly acceptable.

But you are correct, this seems impossible to be compliant with C.

Re:C99 and C11

[wierd_w]

it will never take off, because breaking those rules lets programmers do "neat tricks", which they wont be able to do with type-strict conventions.

when there is an alternative that allows laziness, expect that option to be vastly more popular.

Re:C99 and C11

[Darinbob]

It also needs a very wide variety of back ends. x86, powerpc, arm, cortex, avr, SH, 68K, etc. People doing C are all over the board with parts and not sticking with only Windows.

Re:C99 and C11

[jonwil]

Microsoft have said they are working on a clang/llvm port that supports this so that should cover everything LLVM supports including ARM, MIPS, PPC, SPARC, x86, x86-64 and more. And with the spec being open, it should be possible to build a GCC frontend for this that can take advantage of all the many back-ends GCC has.

Re:C99 and C11

IMHO, they could add things like strncpy, strcpy_s or whatever you want to call it to the standard library and classify the old strcpy as deprecated. Then 10 years from now when you can finally grep any sane codebase and find no insecure functions, they can eliminate them from the standard library in C 2026.

Re:C99 and C11

Those functions already are in the standard library (C99/C11).

Re:C99 and C11

[ChunderDownunder]

I thought visual studio *did* issue deprecation warnings when compiling use of certain 'considered harmful' practices and libraries.

At least that was my experience in maintaining the code of a C hacker who had left the programming team. But not being an expert in the language, I wasn't sure if the compiler was being overly pedantic or whether removing all the compiler warnings might fix the issues we were having or break in new ways!

Re:C99 and C11

[Dutch+Gun]

Visual C++ depreciated a number of fundamentally unsafe C library functions, replacing them with _s versions, does some rudimentary analysis of stack and array safety, and a few other things, if you compile with the Security Lifecycle Development checks.

Re:C99 and C11

> Visual C++ depreciated a number of fundamentally unsafe C library functions

It made them worth less money?

Re:C99 and C11

[Dutch+Gun]

> Visual C++ depreciated a number of fundamentally unsafe C library functions

It made them worth less money?

Laugh it up. Someday you'll get old and C-nile like me.

Re:C99 and C11

This won't gain traction unless Pajeet learns to poo in the loo and use strncpy_s.

Re:C99 and C11

how the heck are you gonna shoehorn this into standard C? We are talking about restricting what the programmer can do, there's NO WAY you can achieve bounds checking behavior without breaking existing C behavior, because "broken" programs with bounds checking problems are "perfectly acceptable" C.

That is a strange statement.
Syntax and functions have been deprecated before. "gets" was deprecated in C11 and "fgets" that has a size limit is supposed to be used instead.

If you want to compile old sources without correcting broken code (Although it can be hard for the compiler to know this, sometimes the bounds have been checked elsewhere for performance reasons.) you use whatever command line parameters the compiler have for C89 or C99 or whatever applies. Otherwise it will generate and error or a warning.

Deprecating the remaining library functions that doesn't have bounds check could be done the same way. The alternatives are already specified in Annex K - Bounds-checking interfaces and there is nothing that prevents a compiler to add a "--force-bounds-check" option and generate errors on any usage of the old functions.

There are also a lot of checking behavior that can be done without deprecating anything old. The compiler is free to generate checks and errors on accessing outside the bounds of an array. The standard specifies that the memory position of variables and elements in a struct is undefined. Code that relies on it is broken and won't work with all compilers.

Re:C99 and C11

[TheRaven64]

In case you haven't noticed, the charter for C2x explicitly includes increasing memory safety as one of the goals. Programs with memory safety errors are already undefined behaviour and have been for as long as C has been a standard.

Re:C99 and C11

That is really the thing, isn't it? Pretty much all of the security issues that pop up with C occurs when programmers writes code that the standard specifically states has undefined behavior.
It's up to the compiler to generate a warning when the code does that.
Unfortunately it is sometimes problematic to check if code accesses an array after the last element.
The standard allows for the compiler to add runtime checks.

I is possible to make compilers that generate very safe code from C, with stack and bounds checking. Programs that rely on undefined behavior won't work, but the standard never guaranteed that they would.

Re:C99 and C11

That is wrong. It might not take off among hobbyists, but MISRA-C is very popular among developers of safety critical applications.
The interesting thing is that "safer" languages never took off in those applications.
Probably because they are only marketed as being safe without actually providing features that are needed for such applications.
Buffer overrun is fairly easy to protect against but to write safe code you also need to be able to show guaranteed runtime and determinable code path.

I guess a lot of higher level languages are ruled out because of that. Garbage collection and exception handling screws things up and makes it so that you can't prove that a function will switch a relay within a specific time or even that the code will execute at all.
When you need to actually sit down and enumerate the possible errors that can occur and how you avoid them it is becomes very expensive to handle abstractions where the language supposedly deals with it implicitly.
It is a lot easier to prove safety if you have an actual code line that you can point at and see that there aren't edge cases where it might fail.

Re:C99 and C11

[silentcoder]

And sometimes, the weird behavior is actually the right behavior - even when compilers disagree. Remember the issue a few years ago when it turns out almost all the sshkeys generated on any debian (or debian-derived) system were highly predictable ? It happened because the random-number generator in openssh was throwing a compiler warning for "considered dangerous" handling of a pointer - except that, in that case, it was a critical part of the entropy feed. Some debian packager wrote a patch to "fix" the code to proper bounded behaviour... and ended up castrating the entropy feeder function.
It no longer threw a warning - it just led to one of the worst security problems in Linux history and took weeks to recover from when it was discovered years later and everybody had to regenerate their keys.

Re:C99 and C11

[cerberusti]

Unfortunately while it includes the fundamentally unsafe ones like gets(), it also deprecates a bunch of functions which are not fundamentally unsafe, such as the simple and super common strcpy (which is just fine if you know there is a null byte within the buffer length, generally because you as the programmer put it there).

The solution they use is also pretty bad, adding a buffer length parameter to the function is useless in practice as it still lets you overflow the buffer by getting this wrong, and it seems most code which would contain a buffer overflow ends up calculating this in a way which ends up passing the wrong buffer length. When combined with how common some of those functions are in existing code (where usage is perfectly safe!), I end up just turning it off by default in my compiler. It is an annoyance for no real gain.

I do not consider those useful warnings as MS implements them. It's like someone with minimal understanding as to why you would want to control your own memory layout who never works on code for an OS other than Windows was asked to fix buffer overflows in C, and came up with the great idea that if you had the programmer specify the length twice they might not screw it up in exactly the same way twice (which they do, in practice it is rare to see the size of the buffer provided correctly if it would have been an error without it, so it fixes very little).

Re:C99 and C11

[UnderCoverPenguin]

It might not take off among hobbyists, but MISRA-C is very popular among developers of safety critical applications.

I would not say "popular", but we do use it.

Actually, "MISRA C" is not a language specification, rather it is a set of "best practices". The document states that the rules there in are guidelines and that it is expected that real projects will need to "violate" 1 or more guidelines to achieve practical, understandable and maintainable code. And that when such "violations" are made, they be documented and properly justified.

Unfortunately, some mangers insist on strict adherence to the MISRA rules. This leads to awkwardly structured and overly complex code as the developers work around the limitations imposed.

In a situation with sane management, we are able to maintain a reasonable balance and produce good, understandable and maintainable code.

Re:C99 and C11

My recollection is that the Debian problem was tied to uncommented use of an uninitialized local (stack) array as PRNG seed. Compiler/purify warning, so the Debian guy commented out use of the array _after_ communication with an openSSL developer. The problem is the openSSL guys relied on something that is maybe safe, maybe not, but - and here's the important part - they didn't write down what they were trying to accomplish.

I looked at, for our product, the line the Debian guy touched. Oh, you're seeding with all 0s or something, there is a memset, right? No, wait a minute, you're seeding with ... umm ... what is there? It's on the stack, so maybe it's random, maybe it's always "pyright (c) 2014\0\0\0" Hmm, who calls this function...

Re:C99 and C11

[david_thornley]

IIRC, accessing memory outside of a restricted area is undefined behavior, meaning that an implementation can do anything and remain conforming, and that a future standard could define some behavior without changing the set of valid C programs.

Re:C99 and C11

[snadrus]

That's broken & unportable:
        Q: How do you port it to a safe-access-only language that zeroes allocations?
        A: By using an entropy source (random number generator).
Reliance on undefined behavior is asking for failure. Running code that does so is a security risk.

Re:C99 and C11

[luis_a_espinal]

This won't gain traction until it's compatible with the C99 and C11 standards.

There is a whole world of development out there that exists outside of such circles. It is obvious that the target market is somewhere else (Windows-specific systems development for instance.)

Re:C99 and C11

[luis_a_espinal]

There's no quotes around perfectly acceptable.

But you are correct, this seems impossible to be compliant with C.

Obviously, it is not trying to. In fact, it is trying to be semantically different from C in very specific areas, for very specific reasons and for a very specific audience.

checked C

What a joke. If Microsoft was serious about this they should have done it...oh I don't know, maybe 25 years ago. You know, back when people were still writing applications in C, maybe?

Morons.

Re:checked C

[zakeria]

C is still one of the most widely used programming languages.

Re:checked C

Totally! Nobody uses C anymore, you cant write apps in C you have to use Swiftly and Javascriptify with Node.js and spin up a cloud on Azure with AWS so you can deploy your Snap to your iPhone running Android N!

Re:checked C

[bloodhawk]

Moron last I checked people ARE still writing programs in C ever day and MS DID do something about this 25 years ago and repeatedly since then. They pushed VB (that was shit) and C#, C# is actually pretty decent however they really haven't taken off cross platform.

Re:checked C

What a joke. If Microsoft was serious about this they should have done it...oh I don't know, maybe 25 years ago. You know, back when people were still writing applications in C, maybe?

Morons.

Yeah, none of this is written in C.

Re:checked C

[zakeria]

"you cant write apps in C"... Yes you can!

Re:checked C

[angel'o'sphere]

Depends how you define "widely".
There are so many languages that are "more" used than C, I really wonder if I would put C into the "widely used" category.

Re:checked C

[halivar]

By "so many" you mean... 1?
http://spectrum.ieee.org/compu...

Re:checked C

[angel'o'sphere]

The link does not show how widely languages are used :D
Perhaps you should read your link?

Re:checked C

[zakeria]

Are you serious? C year in year out tops the top 3 of the most used programming languages in existence!

Re:checked C

[EndlessNameless]

In his defense, if it's still popular today and older than the others on the list, it is probably the most widespread.

Popularity + time = widespread use

Re:checked C

[angel'o'sphere]

Most people that once used C and still stick to "close to the metal" use now C++.
The rest of the world moved on to Java/Scala and .Net based languages like C# or managed C++.

"Simple C" is only still used in very restricted embedded devices.

C is simply not productive enough for a programmer when you have more productive languages available.

Productive as in features by amount of lines of code and speed how you implement those features.

If you forced me to program in C you had to agree that every feature that I produce in C++ in a day or in Java in half a day, will cost you 3 or 4 days in coding with C. And likely you had to pay me an extra per hour, as I hate it to work in low level languages that prevent me from coding as fast as I can think.

Re:checked C

[angel'o'sphere]

Most people that once used C and still stick to "close to the metal" now use C++.
The rest of the world moved on to Java/Scala and .Net based languages like C# or managed C++.

"Simple C" is only still used in very restricted embedded devices (restricted as in very low memory footprint etc.).

C is simply not productive enough for a programmer when you have more productive languages available.

Productive as in features by amount of lines of code and speed how you implement those features.

If you forced me to program in C you had to agree that every feature that I produce in C++ in a day or in Java in half a day, will cost you 3 or 4 days in coding with C. And likely you had to pay me an extra per hour, as I hate it to work in low level languages that prevent me from coding as fast as I can think.

Re:checked C

[angel'o'sphere]

Yes I'm serious.
Neither is it amoung the top 3, regardless which metric you use: lines of code produced per year, numbers of developers sought for projects, amount of money earned or payed in using it.

It usually barely makes rank 5 or something with a "market share" of 10% to 15%, with Java at probably 30%, C# the same, C++ slightly higher than C and PHP and Python in front of C. That puts C down to: well as I said in the intro: 10% - 15%.

And that number hardly can be called "widely used", sorry. If you want to say: C still belongs to the top 5 important programming languages: says so. So is german as a natural language, but that does not make german a widely used language. I would wager 75% of the planet does not speak german. Equivalently over 75% of all programmers don't "speak C" ...

Of course you can invent your own metric: amount of devices sold on the planet programmed in C ... perhaps the amount indeed is more than the amount of SmartPhones programmed in Java (Android) or Objective-C/C++/Swift ... if you would argue: a car likely has 20 or 25 computing devices and most are programmed in C and thus with something like 300 million cars sold per year we had something like 6 billion little devices programmed in C ... you had a "kind of a point". However a billion smart phones per year with 100 Apps on them each ... not programmed in C ...

Re:checked C

[geoskd]

Neither is it among the top 3, regardless which metric you use: lines of code produced per year, numbers of developers sought for projects, amount of money earned or payed in using it.

I'm sorry, but you're just plain wrong. Most language popularity lists use existing jobs and job postings that require language XYZ to determine how popular they are. Most of the remaining lists that use surveys instead, miss entire blocks of programmers who are writing embedded code because they are not classified as programmers, but embedded engineers, FPGA designers, etc... Some of the better lists do manage to include Firmware engineers in their surveys, but by and large they miss the embedded space altogether.

That is a critical failure because there are as many lines of code written for embedded systems as there are for all of the remainder of the software realm combined. Embedded code is in everything, and all of it is C. It is so ubiquitous in the embedded space that a job listing for an embedded engineer will not even specify the C language as a requirement. If you know even a small fraction of the other requirements, you will know C. For example, the Freescale line of coldfire processors all use a tool called codewarrior. This requirement is what will show up on the job posting. The fact that codewarrior uses only C is not mentioned, nor does it even need to be mentioned in the job posting. If you know codewarrior, you know C. C has been ported to every instruction set that has ever been invented, and there are more C compilers in the world than there are Java, C++ and Python compilers / interpreters combined.

The IEEE keeps a list of the top languages, and their list includes the embedded space which is ignored by these other lists. C and C++ take the #2 and #3 spots, which accurately reflects the underlying reality.

Re:checked C

[halivar]

"Simple C" is only still used in very restricted embedded devices.

That's not a small userbase. That's a frikkin' yuuuuge userbase. In fact, this alone probably puts in on top. Your car is programmed in C. Your HVAC is programmed in C. Your gas pumps are programmed in C.

Also, let's not forget that the computer your typing on? Its kernel is written in C. Regardless of your OS is or what its supporting libraries are written in (C++ for Windows, Objective-C for MacOS, and Linux uses you-can-guess). The kernel is in C.

C is simply not productive enough for a programmer when you have more productive languages available.

Productive as in features by amount of lines of code and speed how you implement those features.

If we count productivity in the size of the compiled binaries, something embedded systems and device drivers care about, then C is the most productive solution.

Re:checked C

[angel'o'sphere]

That's not a small userbase. That's a frikkin' yuuuuge userbase. In fact, this alone probably puts in on top. Your car is programmed in C. Your HVAC is programmed in C. Your gas pumps are programmed in C.
Or in C++ as I pointed out.
And no, that is not a userbase. We are talking about programmers, or lines of code or devices sold.

Its kernel is written in C.
And? How many kernels do exist? 100? I can count less than 10 I fear ... and I would not wonder if some are written in C++ and not in C ...

If we count productivity in the size of the compiled binaries, something embedded systems and device drivers care about, then C is the most productive solution.
Wow, lucky that you are not in the software business.

Productivity is "cost per unit sold", plain and simple. There is no significant difference in the size of binaries for C, Pascal, Ada, C++ or any other language that compiles to machine code. Where did you learn programming that you belie C makes smaller binaries?

Cost per unit sold, implies if you can code faster and start selling earlier you make your money earlier, and probably more money. C does not support that. It is to low level.

Re:checked C

[angel'o'sphere]

and all of it is C.
That is wrong.
All embedded systems I was involved in the last 10 years used: C++

And still half of all embedded systems build in Avionics use: Ada

For example, the Freescale line of coldfire processors all use a tool called codewarrior.
You clearly have no idea what you are talking about.
Codewarrior is an IDE!!! It uses what ever compiler you put behind it. And usually that is a variation of GCC.
Codewarrior is an IDE that was originally written by Metroworks for MAC OS, an IDE focused solely around C++. The fastes C++ compiler for Macs around that time and later acquired by Freescale.
http://www.nxp.com/products/so...
Scroll down to: "Unlimited C/C++/EC++/cC++ Compiler and Debugger for HCS12(X) derivatives and XGATE module "

C has been ported to every instruction set that has ever been invented, and there are more C compilers in the world than there are Java, C++ and Python compilers / interpreters combined.
How is that relevant to the points I made? (If it is even true)

The IEEE keeps a list of the top languages, and their list includes the embedded space which is ignored by these other lists. C and C++ take the #2 and #3 spots, which accurately reflects the underlying reality.
For embedded programming!!! Yes. Not for business code. Not for web pages ... not for smart watches, not for iPads, iPhones, Samsung Galaxies or any other Android device.

If one hires a developer because he has used Codewarrior and ditches one who used Code Composer Studio instead: he is an idiot.

If I had to hire an embedded programmer I would insist on seeing some C/C++ code and would not care what kind of tools he used.

Re:checked C

[cerberusti]

The long term website tracking popularity (as well as you can do that for programming languages) is at http://www.tiobe.com/tiobe_index

C is pretty much always 1 or 2 in the list, and notice how it has twice the ranking of the third in the list (C++... which owes much of its popularity to the ability to compile most C programs). C is a very popular language, and is pretty much the language of choice whenever you need to do something novel, involving hardware, or care about execution time. It is not usually the best choice for a big CMS or other tasks where there are domain specific languages available, but that is mostly due to staffing concerns.

It tends not to have a ton of people in any given industry using it as it requires a greater understanding as to how the computer operates, which means you do not train decent C programmers in a few months like you do PHP or such (and you do not throw it at academics like MATLAB). It takes years to get good, and even then it turns out a large number of people will struggle with memory management no matter how hard they try.

If it takes you 3 or 4 times as long to write something in C, that is a good indication you should not be writing C. In contrast it is my favorite language and I am far more productive in it than Java, PHP, etc. (not that I use it all the time, I am well aware that if I write something in C I will likely need to continue maintaining it, so I usually need a reason to do so).

Re:checked C

[angel'o'sphere]

I never noticed C under the first three on tiobe, but I'm not tracking it constantly. Most of the time it was behind Java, C#, PHP and Python.

(C++... which owes much of its popularity to the ability to compile most C programs)
That is nonsense.
C++ has its popularity because it is the better C. And: it does by far not compile old school C code.
Then again n current tiobe: C has barely HALF of the rating of Java.

So it simply proves the point I made in the first post in this article: with 12 points from 100, it is a bit hm ... how to put that in english? Anyway, it might be second highest ranked, but it is just barely over ten percent. So all other languages together have 90% ... not really that impressive.

Then again the tiobe index is just an index, pretty meaningless.

Third line of the page you link: About 10 years ago, the first 8 language covered 80% of the market, now this is reduced to 55%.

So together C and Java barely cover 32% of the market ... and people here come up and claim: "all embedded is done in C!" And we sell so many devices, C is the leader. No it is not :D

The idea that tiobe rates JavaScript at 2.5% makes no sense at all, btw. 50% of the Job requests I get are for JavaScript. Modern Web FrontEnds are basically all JavaScript using AngularJS, or Sencha or other tools.

C# is similar popular than Java, e.g. in the UK in banking environments, also in France and noteable in Germany, too.

Putting it at barely 4% in that tiobe index makes no sense at all.

No idea what the index tries to express. "Share of lines of code or features implemented" in said language it certainly is not.

Re:checked C

[david_thornley]

Slight correction from a guy who sent quite a few dollars to Metrowerks in the 90s:

Codewarrior was originally a C environment, and C++ was added later, in fairly slow steps towards "standard" C++ (which meant ARM (Annotated Reference Manual) conformance until the ISO standard took shape).

Re:checked C

[zakeria]

C is used more than C++ get over it

Re:checked C

[david_thornley]

C++ will not compile K&R C. It's fairly compatible with C90, the first C standard, in that it's easy to change a C program to compile in C++.

Re:checked C

By "so many" you mean... 1?

The problem with language rankings is that there are many ranking tables to choose from. C ranks second in the TIOBE and IEEE Spectrum indexes, but it ranks lower than second on the RedMonk, PYPL, and Trendy Skills indexes.

So who's right? Probably none of them.

Re:checked C

[cerberusti]

It has never been lower than position 2. It has been first or second on that list since they started tracking it, as you can see if you scroll down a little bit for the chart over time (which goes back 15 years on that page).

If all of your jobs involve javascript, that likely makes you a web developer. Using some web frameworks to put together websites is about as far away as you can get from systems programming, so of course nobody is asking you to write a bunch of C code. It is not your profession, and the results are likely to be horrific.

The vast majority of important code is written in C, including new projects today. It dominates few industries, but is present in almost all of them (because when you run into a problem which needs C you have few other options, none of them easier). C# is pretty popular for general business programming, matlab is popular for scientific stuff, I still see a fair amount of cobol for big financial systems, php and like half a dozen others are popular for web development, etc. The thing is they have pretty narrow niches, so while they may be dominant in one industry, outside of that you basically do not see it.

I never see anyone write javascript for a big financial program (except maybe for the front end), write data analysis code for an experiment in C#, or write their website backend in matlab. I do however see financial programmers who think the world is entirely Java, C# and SAP, academics who think matlab can solve anything, and web developers who think PHP and Javascript are all you will ever need.

When your problem requires new hardware of any sort, you care about speed, or there is the possibility that someone may be harmed if the program does not work correctly, the language of choice is usually C.

I will also throw out there that I do a lot of code review, and the C programs I am sent have by far the lowest defect rate of what I review (PHP being the worst.)

Re:checked C

[angel'o'sphere]

The vast majority of important code is written in C
Yes, that are lots of people claiming.

No one showed any evidence.

I will also throw out there that I do a lot of code review, and the C programs I am sent have by far the lowest defect rate of what I review
I did not do that for a while. However most C programs I have seen, especially embedded, have the highest defect rates asumeable. With code only executed from rom and ram in the size of 4 or 16 bytes not kB or MB ... bytes, it seems programmers don't care abut pointer errors as they "write" to nowhere.

Sorry.

As I said before a good metric would be lines of code per year, or "features" per year implemented in C.

Look again: even with a rank of 2, and "points of 15 of 100" what ever the points mean, all other languages together are 7 times as "important" than C.

So: no. The vast majority of (important?) code is not written in C but other languages. It is not even a simple majority when Java is in front of it. As more or less an equal amount of code is produced in C#, the graphs are definitely wrong.

Regarding your claim about C industries: sorry. The world has moved on. 75% - 90% where you only see C: is done in C++, since decades.

that someone may be harmed if the program does not work correctly, the language of choice is usually C.
No it is not. It is the language that suits the job. C it is only in rare cases. C is simply to expensive. why would one pay for 5 experts, programming in C, doing code reviews having a process to prevent "harm" when the same result can be achieved with 3 C++ experts or 2 Ada experts?

Hint: go to job offering web sites. Just check the demand for programmers/software engineers. C is very far down the list.

write data analysis code for an experiment in C#,
Then you are reading the wrong newspapers or job sites. In London this are high seeked (sought?) programmers with daily rates in the 600 pound range.

I do however see financial programmers who think the world is entirely Java, C# and SAP In the financial world they are right.

Re:checked C

[angel'o'sphere]

As I said, I doubt it :D
And no one has numbers anyway, so a discurse is mood.

Re:checked C

[angel'o'sphere]

I considered to by Metroworks Codewarrior. But sticked with ThinkC (later Symantec C/C++).
ThinkC was a C++ subset with single inheritance and no templates, Mac only ofc. Symantec kept it a while alife. Not sure when they discontinued it. However ThinkC came with an application framework making it extremely easy to develop for Macs without knowing the Mac OS APIs.

Did not even remember that meaning of ARM ;D

Re:checked C

[cerberusti]

You seem to be stuck in the distant past with your opinion of C.

Yes, it entirely sucked when people tried to use it for general applications as a default language (same with C++, maybe even more so there). It is not at all an appropriate language when you are trying to deal with a ton of general business code implemented by a large team of varying quality (Java and C# do very well here). It is not really appropriate for someone who wants to learn to code as quickly as possible, nor does it make a particularly good prototyping language.

I think a few people already pointed you to all of the public linux stuff. MS also writes the kernel of Windows in C, all device drivers... also I did a bit of programming for industrial hardware, all of it was C. There are a few other areas where it ends up being very useful or nearly required, such as dealing with applications using wildly different hardware, a task which is at the limits of what a modern computer can do, or if more speed is always good (the last time I wrote a significant amount of assembly was actually a financial project, you would be surprised at where you end up needing the bag of tricks you can use with C and assembly to greatly speed up a process).

You hire expensive senior programmers by reference generally, not by posting on monster.com or whatever (unless you are really out of options).

C++ is not common in life critical software, maybe ADA (although I have never seen it, I also do not do government work). You will be applying KISS if you are designing that kind of system, in which case a large and complicated piece created externally is right out, so no C++ compiler. The fact that C has such a simple compiler is an important consideration.

Re:checked C

[angel'o'sphere]

Most of your post makes sense.
However:
You seem to be stuck in the distant past with your opinion of C.
Nope, certainly not.

My point is exactly the opposite. The /. crowd is stuck in the past because they don't realize that the majourity of software is not developed in C. Regardless what link they sent and what ranking system is used: all the other languages have a combined rank/share of more than 80%.

Bringing up important stuff like kernels is irrelevant, as that was not the point I made (and even kernels are partly written in C++)

You hire expensive senior programmers by reference generally, not by posting on monster.com or whatever (unless you are really out of options).
Unfortunately not in Germany (rest of Europe, too?) , but I'm freelancer/self employed so that is a different matter anyway.

To rephrase my point: If a language is barely second or third with points of about 12 of 100, and has another language in front with points of about 25 of 100, then obviously the other languages under consideration/ranking together have about 88 points. So: C has a bout half of what the leader has and only 1/8th (roughly) what all languages together have.

So, with other words, learning C to get an important well payed job ... probably not a good idea. Learning C because you find it interesting: better idea. Bragging somewhere that you can C (who actually can't??? Everyone I know can at least a little bit C, and everyone my age certainly can.) and that is so super important 'because ...' not so an good idea either :D

As I said in other posts: all embedded projects where I had code in my hands (for what ever reason) where done in C++. The only C project was somewhere around 2002/2003 for KSB, world wide leading manufacture for pumps. But there I only was requirements engineer and "coach".

Bottom line in most areas it is much more important to understand the requirements than the language you (have to) use.

prevents casts to incorrect type? hahahah.

Seriously, watching things compile, i see the CC complain about that all the damned time.

As far as I can tell, developers consider the conservation of their precious time much more important than properly checking their variable types, or assuring type casts are content appropriate.

Given this simple fact, a language that would DARE to enforce sanity on such a target demographic is sure to be short lived.

I mean, the GALL! Forcing poor developers to write better quality code and avoid bad practices! Shame on you Microsoft!

Re:prevents casts to incorrect type? hahahah.

It baffles me the sheer number of warnings some projects generate on compilation. Sure many aren't relevant, but some are, and if your code generates bucketloads the chances of missing the important ones is high. And really: how hard is it to do simple things like putting extra braces around if statements where you really do want to do an assignment, properly casting things (signed -> unsigned for example), or typing (void) foo; when you really want to include argument foo in the function arguments even though it isn't used... yet. Personally I don't consider my code complete until it compiles with no warnings under -Wall at least.

That said... I think people need to accept that C just is what it is, quirks and all. If you want strong type checking etc then there are plenty of alternatives to choose from.

Hasn't this been done before?

[God+of+Lemmings]

I seem to recall long long ago someone else made a C compiler that did this.

Re:Hasn't this been done before?

[ChunderDownunder]

There was an effort at Cornell University to produce 'Cyclone'. It required a modifications to gcc.

If MS made this a 1st class citizen of Visual Studio it might gain some traction. That it's using LLVM sounds intriguing - might MS be switching to the platform for its compiler suite?

Re:Hasn't this been done before?

[Rudisaurus]

If MS made this a 1st class citizen of Visual Studio it might gain some traction.

The same Visual Studio that phones home with telemetry about what you're coding and how well it's going? Yeah, thanks very much but no thanks.

I mean, the irony is hilarious: Microsoft (MICROSOFT!) being concerned about language safety issues!

Re:Hasn't this been done before?

[TheRaven64]

These changes are, indeed, very similar to Cyclone. The main difference is that they're not an all or nothing approach. You can still do unsafe things in Checked C, you will just be able to audit your code to see where you do them and gradually apply them. The lack of an incremental adoption path was probably what killed Cyclone.

As to Microsoft using LLVM, current versions of Visual Studio support all four combinations of the MS and Clang front ends and the MS and LLVM back ends. I don't think that their proprietary back end is going away any time soon (though I wouldn't be too surprised if they switched to Clang on the front end exclusively).

Re:Hasn't this been done before?

>The same Visual Studio that phones home with telemetry about what you're coding and how well it's going?

e.e

1) it's easy to disable
2) it's only in a dev preview
3) That feature is being removed before it goes to release
4) It was debugging telemetry

Yeah, yeah. Bad name on their part. Shitty of them to not document it. Shitty of them to have no compiler option to not insert it. But it wasn't spying on you. Grow up.

Re:Hasn't this been done before?

Here it is: Fail-Safe C. Also, GCC now has an option -fsanitize=address , which basically does 99% the same thing.

Port the Linux kernel to Checked C now!!

That swiss cheese needs to be plugged ASAP.

Microsoft Checked C

[MrKaos]

#include telemetry.h

Re:Microsoft Checked C

[wierd_w]

no no no.

MS wouldnt put telemetry as a header. You can choose not to include, or worse, edit, header files.

no no. The CC will hard link "telemetry.o" to every project at compile time, and wont have any switches to disable that behavior. Don't worry, they use digital signature checking to be sure that telemetry.o is the object file it expects it to be. Cant have untrusted objects in the linking phase now.

Re:Microsoft Checked C

I know you are just trolling/trying to be funny but It is open sourced language not a compiler, you don't have to use a Microsoft compiler to implement.

Re:Microsoft Checked C

[wierd_w]

Oh hush AC, Let us have our fun. ;P

Re:Microsoft Checked C

Your parties must totally off the hook!

Re:Microsoft Checked C

[MrKaos]

You are right, my C is a bit rusty. They would probably strip the binary as well find a way to fail compiles if it wasn't in there.

Re:Microsoft Checked C

[MrKaos]

The compiler is named

eee

Some old GCC?

[snikulin]

Long long time ago (~2000?) I used GCC's bounds checking feature.
If I recall correctly, I had to compile my own GCC because it was the only way to enable it.

Re:Some old GCC?

Bounds checking patches for gcc 4.0.4 http://williambader.com/bounds/example.html

Re:Some old GCC?

Long long time ago (~2000?) I used GCC's bounds checking feature.
If I recall correctly, I had to compile my own GCC because it was the only way to enable it.

long long? ~2000 should fit in a short. :p

Many existing alternatives

There have been many such alternatives around for a number of years. These include gcc and valgrind. And any decent C-library that supplies an "array" type and a "string" and a malloc wrapper can achieve the same ends without compromise.

C? C++? C#? Checked C?

[Yvan256]

That's it, I've had enough. I'm going back to Turbo Pascal.

Re:C? C++? C#? Checked C?

Be very grateful they didn't use the check Unicode character. Though that would have been easier to search for. Sigh.

Re:C? C++? C#? Checked C?

Indeed. It seems the software world is hell bent on giving itself ever worse grades. B, C, D, F, etc.

Re:C? C++? C#? Checked C?

I agree. Free Pascal is a good open source compiler for Object Pascal. Pascal is a better C than C and Object Pascal is a better C++ than C++.

Re:C? C++? C#? Checked C?

Why you forget Objective C and Objective C++?

(Cringing while I wait for someone to correct me on the ones I forgot)

good news! Linus Torvalds will do a safer kernel

Now Linux Torvalds will be able to do a serious linux kernel LOL

You CAN use a bounded pointer, or unbounded

[raymorris]

They allow for both by introducing a "bounded pointer" type in addition to the old style pointer. If you want to, you can still create a buffer overflow using a char *. Or, you can choose to a char 256* and access to it won't overflow 256, it'll generate an error.

Re:You CAN use a bounded pointer, or unbounded

[Uecker]

A bounded pointer-type already exists: char (*ptr)[256];

Checking C

Years ago, someone (perhaps Philippe Khan of Turbo Pascal) said 'C is a disease and the Americans are spreading it.'
Maybe he was referring to these security issues.

It's not C. It's !

whatever is compatible with asm dude.
:

Ambiguity

[Livius]

I'm confused - is Microsoft reinventing C++ or reinventing Java? I can't tell which decade from the last millennium they're trying to drag us back to. (Maybe as far back as when they were considered a reputable software company?)

Re:Ambiguity

neither, C++ doesn't solve this problem and Java and .NET C# while great and do solve the problem they aren't usable in many environments where low level C is needed not pigs running on top of interpreters.

Re:Ambiguity

Ada and Cyclone however do already solve this problem. I've also found that every new version of clang, while never completely solving this problem, is detecting more and more code defects in my codebase. Slow as fuck compared to pcc or kencc, but the diagnostic quality is worth the much slower compile times.

Re:Ambiguity

[david_thornley]

C++ solves a lot of safety problems with C. Smart pointers can deal with most dynamic memory problems, and using the C++ string and container classes you can avoid most buffer overflow problems.

Re:Ambiguity

Hillary Clinton does not approve of your reasoning. She says all people are potential terrorists and her thugs at NSA must be able to hack your software.

New security-related features - new in 2004

[khz6955]

"Microsoft has open-sourced Checked C, an extension to the C programming language that brings new features to address a series of security-related issues"

Bounds checking for C and C++ Nov 2004

Those...

Those that do not understand Rust are doomed to reinvent it. Badly.

Re:Those...

[Ash-Fox]

Those that do not understand Rust are doomed to reinvent it. Badly.

Is the Rust language low level enough to know what the machine code will be produced from the language at a glance?

Re:Those...

[martyros]

Is the Rust language low level enough to know what the machine code will be produced from the language at a glance?

You apparently haven't looked at the output of C compilers recently. The output is less and less predictable from looking at the C code.

The biggest issue with C at the moment isn't actually bounds-checking (although that would be nice) -- it's the fact that it's a minefield of constructs which look perfectly sensible but are in fact "undefined", in which case the compiler is authorized to do absolutely anything it wants. For instance, the C standard explicitly states that all pointers point to valid memory, and that having a pointer that points into non-valid memory is "undefined". This means on super-high-performance loops the compiler can make simplifying assumptions to get 5% speed increases; but it also makes it very difficult to write security checks that the complier won't just optimize out without telling you.

Re:Those...

[Ash-Fox]

You apparently haven't looked at the output of C compilers recently.

I tend to avoid C++ compilers that are branded as 'C compilers' for C and the C compilers I play with are pretty sane with a couple of switches.

Re:Those...

[TemporalBeing]

For instance, the C standard explicitly states that all pointers point to valid memory, and that having a pointer that points into non-valid memory is "undefined".

Define an "invalid pointer" value then?

Among the many uses of C is OS and Boot Loader programming, and in those cases the value "0" is still a valid memory address to use. IOW, there are some areas of programming where there is no invalid value. therefore you can't define what is non-valid and what is valid, therefore it is undefined. These areas are also a primary target of operation for the C Programming Language.

For the C language itself, there probably isn't really anything that could be improved in that manner. Most of what people can validly complain about as being "undefined" is not part of the C language but of the libC library, and in that case it basically came down to history and vendors being unable to agree upon a standard result because they already had their implementations, didn't want to significantly change them, and saw some value in how they were doing it that they didn't want to give up or change. Some string and memory functions fall exactly into this position.

Now, what would be extremely helpful is the incorporation of functionality that could help with tracking memory chunks and determining whether they were allocated by a given program or library instance, on the stack or the heap of said instance, and be able to report the size of the allocation. This would enable programs to be able to make simple queries in order to avoid buffer overflows.

And calls like the strcpy_s() are stupid when the solution really is strncpy(), which includes a parameter to define how large the output buffer is.

Re:Those...

Among the many uses of C is OS and Boot Loader programming, and in those cases the value "0" is still a valid memory address to use. IOW, there are some areas of programming where there is no invalid value. therefore you can't define what is non-valid and what is valid, therefore it is undefined. These areas are also a primary target of operation for the C Programming Language

The issue isn't that the behavior depends on the system it is running on. The issue is that modern compilers will aggressively optimize out any code that provably lead to undefined behavior, even when the programmer thinks he knows how the resulting code will run on his target system.

A better example of this is strict aliasing. Compilers have recently began taking advantage of the strict aliasing rules in the C standard, which has lead to a lot of previously working (but technically undefined) code recently breaking.

Stealing an example from the article linked above, the following code...

#include

typedef struct { int i1; } s1;
typedef struct { int i2; } s2;

void f(s1 *s1p, s2 *s2p) {
    s1p->i1 = 2;
    s2p->i2 = 3;
    printf("%i\n", s1p->i1);
}

int main() {
    s1 s = {.i1 = 1};
    f(&s, (s2 *)&s);
}
... leads to the following results:

$ gcc-5 effective.c ; ./a.out
3
$ gcc-5 -O2 effective.c ; ./a.out
2
$ clang-3.8 effective.c ; ./a.out
3
$ clang-3.8 -O2 effective.c ; ./a.out
3

Note the result for GCC with -O2.

Solve the problem in hardware, have done with it.

[GrahamCox]

The CPU just needs to set aside an area of memory exclusively for return addresses, and make that protected. No more security issues, buffer overruns, execution of arbitrary code. The real problem is that return addresses are mingled with other data. This should be solved at the hardware level, and AFAICS, it could be done totally transparently to code, even binaries.

NSA approved?

Just asking.

Fix Visual Studio first

Please fix Visual Studio C99 & C11 compliance first before extending the language.

a pointer to VLA is a bounded pointer type

[Uecker]

The funny little known fact is: C99 already has a bounded pointer type: A pointer to a variable-length array.

    void foo(int N, char (*ptr)[N])
    {
        (*ptr)[N + 3] = 10; // undefined behaviour
    }

Using the undefined-behaviour sanitizer, you can also have the compiler add automatic checks.

Re:a pointer to VLA is a bounded pointer type

A pointer to a variable-length array.

VLAs are those things that look like normal, stack allocated arrays. With the "feature" that it is undefined wether they will overflow the stack if made to large or if they involve hidden malloc/free calls and leak when used with longjmp. Adding the overhead of malloc/free to every array just to enable bounds checking is something straight out of Java - which is one of the better alternatives if you give absolutely no fuck about performance or dynamic memory management as is the case when you use VLAs.

Re:a pointer to VLA is a bounded pointer type

I like VLA's, the nice thing about then is, you make them always just as big as you think you need. If you biff it, the code fails hard during testing.

As opposed to something like

      int buf[ZOOT_MAX] // lol: hope this will always be enough

Re:a pointer to VLA is a bounded pointer type

if you give absolutely no fuck about performance or dynamic memory management as is the case when you use VLAs.

Or you just use VLA and ignore the hidden malloc. It's not going to swallow more memory than Javas garbage collector.
If you use longjmps you are either screwing up massively or you are doing something that Java can't do anyway.

Re:a pointer to VLA is a bounded pointer type

Can I? At least with GCC 5.3.1 and libubsan it doesn't work.

Re:a pointer to VLA is a bounded pointer type

Don't c-exception libraries use longjmp? I know lua does.

Re:a pointer to VLA is a bounded pointer type

Or you just use VLA and ignore the hidden malloc.

Both valgrind (callgrind ) and perf agree that my code already wastes too much time in malloc and to a lesser extend free. No point in making that worse when a custom stack allocator would give me portable guarantees and performance.

If you use longjmps you are either screwing up massively or you are doing something that Java can't do anyway.

Some libraries use longjmp to implement exception style error handling, while not my first choice with C I do have dependencies. It also is something Java could do. With a fixed size array I do not have to care, with an explicit allocation I can at least keep track of the memory and clean up after the fact. With VLAs I will leak.

The first time I read about VLAs I was just thinking "WAT?", potentially slow as hell ( or malloc ), non portable behavior, incompatible with several standard library features. If I want that I use Java.

Re:a pointer to VLA is a bounded pointer type

You may note that you just used a VLA since ZOOT_MAX is not a compile time constant. //LOL

C is a rather explicit language, that C99 disguises implicit calls to malloc/free as arrays and then makes it impossible for a developer to cleanly recover the memory in an error case is just retarded.

Re:a pointer to VLA is a bounded pointer type

[Uecker]

Sorry, a VLA has nothing to do with stack vs malloc. This is a common misconception. The pointer in my example could refer to memory on the heap.

Re:a pointer to VLA is a bounded pointer type

[cerberusti]

All caps by many conventions means a precompiler define, this is a common way to set static buffer sizes in case they must change later.

Re:a pointer to VLA is a bounded pointer type

Uh, that is kind of my point? The array in your example is stored wherever your C compiler decides Variable Length Arrays should be allocated. That can involve a costly hidden call to malloc/free or a possible overflow of your stack pointer.

Re:a pointer to VLA is a bounded pointer type

I am well aware of the convention. Blame Uecker for using an upper case N as size parameter in his VLA example, showing us that programmers cannot be trusted with even simple conventions.

More an edge case: Some people use static const int for compile time constants, at least according to stackoverflow this also causes VLAs.

Re:a pointer to VLA is a bounded pointer type

[Uecker]

Which has nothing to do with VLAs. A regular array (or any other data struture) can also be allocated on the stack or on the heap. In both cases this can decided by the programmer (by placing the array on the stack or on the heap). I don't know of any C compiler which would allocate a VLA defined as local variable (on the stack) using malloc behind the back of the programmer.

Nope

These are runtime checks and therefore expensive. C is intended to be a language for writing low level code that should not be encumbered with the expense of additional runtime checks. Use a different language if you need training wheels.

That reserves memory, it doesn't add bounds checki

[raymorris]

That declares that ptr is a pointer to a character, and reserves memory at that address for 256 characters. It does NOT prevent one from accessing ptr[312] . (Though a compiler MIGHT catch it if 312 were a literal.) By the C standard, the behavior when attempting to access ptr[312] is undefined, put it would normaly access whatever happens to be at a memory address 66 characters past the end of the ptr array.

The Microsoft extension adds a type with run-time bounds checking, so trying to access ptr[312] will always give an array-out-of-bounds erroe.

Re:Solve the problem in hardware, have done with i

[sdw]

That's the right direction. Apple already has a pretty good version of it. (See below.)

Bounds checking C like this now is weak and very, very late:
https://gcc.gnu.org/ml/gcc/199...
https://www.lrde.epita.fr/~aki...
http://blog.qt.io/blog/2013/04...
http://valgrind.org/docs/manua...
https://en.wikipedia.org/wiki/...

But the grand champion memory debugger is the Mac OS X standard malloc libraries. You can simply set environment variables and instantly get better debugging than most methods on all other platforms. I presume this is because Objective C/C++ is such a pain to debug that they just built in features to always be available, even for production apps.

http://www.cocoawithlove.com/2...

Those libraries are clever because when debugging array bounds corruption and used/free, all mallocs get their own mmapped memory block surrounded by unmapped memory. Plus writing patterns into free / allocated memory to detect writing to freed memory, etc. This is great because it triggers a system signal that debuggers can catch deterministically.

I found and used those techniques on my last big project a couple years ago. The Windows desktop app and imaging C++ libraries were full of errors, memory corruption, struct and 32bit/64bit problems, etc. I had to do a lot of debugging and rewriting to port to Mac OS X, then a lot to solve corruption and threading issues. And found out, the hard way, what a mess the "standard" pthreads API / libraries were. Just spurred me on to switch to C++11 to have standard threads. This Mac OS X built-in debugging along with gdb made it a snap to find all of those kinds of errors, even for code meant for Android, Linux, and Windows.

telemetry enabled

automatically

C# is not an C alternative

They adress diffrent problem domains.

Better get used to it...

You're looking at the future of C. Probably the future of the Linux and BSD kernels as well.

Either this, or something similar to it will almost certainly be mandated at some point in the future for any sort of shared infrastructure programming. I expect projects where security is critical to opt in voluntarily as the benefits of being able to prove that certain fairly common classes of security bugs can not occur is especially valuable.

When you can build a stack of software from the kernel up that does not include ANY unsafe C code, you can start to actually rely on your code not being repeatedly subverted every few weeks with new previously undetected vulnerabilities.

Re:Better get used to it...

[ledow]

As yet, nobody has made an OS that isn't C at the bottom. There's a reason for that. Although there are projects that claim it's now possible, not one major operating system uses them for kernel programming.

And wrappers like this have existed since the first day of C. You can always wrap your own memory and pointer management functions and structures and just expect people to use them. They come with a performance cost, and wrapping C means people can only use your wrappers. Even this, which claims compatibility, basically just introduces two new pointer "types" which can't be dereferenced in the normal way.

It's not that this has been impossible forever and people are only just going "Oh, maybe we should do something". It's been this way because there are things that you need to take account of still. And though security is certainly a high-priority, a system that runs dog-slow, isn't compatible with other APIs, has to have tricks all over it to make it work, and ultimately still has to end up with hardware pointers where the bounds are set by the programmer (as here) means that it won't get used at all.

There's a reason that even "theoretical" OS like MINIX still use C and pointers. At the OS level, hardware access needs unbounded pointers or pointers that only the programmer knows the bounds of. Basically, bang, security problem if they use them wrong.

Even ordinary applications made in pointer-managed languages have to - by definition - include more checks and code than those that don't. I'm not saying those checks aren't worthwhile, or don't stop security problems, but there is still yet to be a serious OS or even low-level drivers written in anything other than C.

And people speak as if, if we were to all just move to Rust or whatever (which also includes its own pointer types including a special insecure "unbounded" pointer - wonder why that is even in there, hmm?) that all the security problems would magically disappear. Unfortunately it's not like that.

It's about eliminating human error and there's a lot that can go wrong with pointer arithmetic and lack of checks. But that human error is present whether or not a pointer is used. Most of the time the problem is lack of bounds checking - that, in any language, can lead to serious problems like crashes, acting on incorrect data, getting into infinite loops, etc.

The problem is that the one part you NEED that kind of balance, deep in the kernel rings where you're using drivers and low-level memory access outside of the normal protections, you don't have it available as the hardware needs real pointers to be manipulated in order to operate.

Re:Better get used to it...

[Ash-Fox]

As yet, nobody has made an OS that isn't C at the bottom.

Pretty sure a lot of operating systems used Assembler at the bottom in the early 2000s. Now, I think they're pretty flexible, like:
https://github.com/CosmosOS/Co...

Re:Better get used to it...

[ledow]

Technically, of course you're correct.

However, are we suggesting that assembler is a better memory manager? Because it's literally the bottom of the pack, with C only just slightly above it because it actually include a malloc function.

And Cosmos pretty much only works in VMWare and doesn't even have a single hardware video driver (my exact comment - when you need to start interfacing with hardware, it becomes almost impossible to make any guarantees about the pointers you need to play with) - strange that.

And it uses syslinux as the bootloader.

And critical parts are written in assembler (back to square one!) and literally the assembler code is just tacked into the final OS in place of C' functions (like a macro replacement).

Again, ZERO MEMORY POINTER GUARANTEES in assembler.

All they've done is wrote the OS frontend and maybe a filesystem etc. in C# while assembler (potentially insecure and able to do and access any memory or mess up stacks as normal) is used for all the critical parts - booting up, interfacing with hardware, and god knows what else.

It's an amazing achievement but it's NOT an OS written in C#.

Re:Better get used to it...

[K.+S.+Kyosuke]

As yet, nobody has made an OS that isn't C at the bottom.

Riiight.

Re:Better get used to it...

Not to mention MenuetOS.

Re:Better get used to it...

Interesting.

The server at www.a2.ethz.ch is taking too long to respond.

        The site could be temporarily unavailable or too busy. Try again in a few moments.
        If you are unable to load any pages, check your computer's network connection.
        If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

Must be doing really well.

Re:Better get used to it...

[angel'o'sphere]

As yet, nobody has made an OS that isn't C at the bottom.
What nonsense.

Perhaps you like to google a bit or read wikipedia? Mac OS e.g. was written in Pascal. Other OSes are written in Forth, Java, Oberon, Modula II. There are plenty of OSes you never heard about written in Languages you never heard about.

Re:Better get used to it...

[angel'o'sphere]

it becomes almost impossible to make any guarantees about the pointers you need to play with) - strange that.
That is nonsense. To access hard ware in 99.9% of all cases you have a fixed pointer pointing to the "I/O port" of that hard ware. The pointer never changes, you don't do any arithmetic with it etc.

And all languages that don't run in a VM support such pointers, e.g. in Pascal you write:
aLongWord : long [$000EF0002], some Pascals have an "absolute" keyword that takes an address, and basically all Pascals can use variant Records. Modula 2 and Oberon use System libraries to access raw memory.

Re:Better get used to it...

>Mac OS e.g. was written in Pascal.

Which one? Mac OS X is C in the kernel. The various java "OSes" all run on a VM which is, tada, written in C, and thus are less OSes and more shells.

But he's right on one thing: no OS that is used by any significant fraction of the populace is written in a non-c family language.

Re:Better get used to it...

[Ash-Fox]

And it uses syslinux as the bootloader.

I wasn't actually aware of syslinux being used for the bootloader.

And critical parts are written in assembler (back to square one!) and literally the assembler code is just tacked into the final OS in place of C' functions (like a macro replacement).

I thought the critical low level parts were written in X# (which is very assembler-like)?

And Cosmos pretty much only works in VMWare and doesn't even have a single hardware video driver

I definitely ran Cosmos off a flash drive before on actual hardware. As for video, I wonder if your reasoning is true or just another matter like, lack of interest.

Re:Better get used to it...

The problem is that the one part you NEED that kind of balance, deep in the kernel rings where you're using drivers and low-level memory access outside of the normal protections, you don't have it available as the hardware needs real pointers to be manipulated in order to operate.

I love to bust your balls, because hardware doesn't have pointers. Pointers are a C language construction to provide some program type checking between integers that are supposed to represent memory addresses and integers that represent things other than memory addresses. The hardware doesn't know whether a word is a pointer or an integer or a string, though some people are suggesting we teach it how (tagged memory), which is why buffer overruns and stack overflows are so harmful. If you had some instruction like write DATA to this address, like the C language suggests, then overwriting the stack with a malformed payload would result in corrupting the stack, but then the first attempt to dereference a stack address would cause an exception fault. You can go further and tag each address as data, pointer-to-instruction, pointer-to-data or pointer-to-pointer; and you can go full retard and assign arbitrary tags to each word as big as the word itself, with a programmable state-machine to enforce the tag permissions (I really saw a researcher that suggested this!). One more tag type is the canary tag, but that is of some but less than complete value, because while it prevents simple mistakes like buffer overflows and stack overflows, it doesn't prevent more complex problems like indexing outside of an array. Compiler generated asserts work here, but then they require things like Checked C or Ravenscar which don't allow decontextualizing pointers from the middle of an object, and that is something people do a lot of in real C code, whether it's a good idea or not.

Talking about pointers outside the context of C is foolish, because current generation hardware doesn't know the difference between pointers and integers. We can't get people outside datacenters to accept a 1/8 cost overhead for ECC, even when it's demonstrated to be necessary for reliability, so I don't hold much hope for people accepting the overhead of tags, a sensible design is only 2-4 bits per word, which is a memory overhead of less than 10% on a 64bit machine, but it requires programmers to accept using aligned addresses everywhere, which even though it is already necessary to get any kind of good performance, we still have programmers not doing that. I mean it's kind of questionable whether you even need byte addressed memory, but programmers have a fit when you give them a CPU that can only address words.

Re:Better get used to it...

The TRIPOS operating system was written in BCPL.
On the Amiga the non-GUI part of the OS was written in BCPL.

The VMS operating system was written in BLISS-32.

The Lilith operating system was written in Modula-2.

The Oberon operating system was written in Oberon the language.

The Genera operating system was written in Lisp from top to bottom. It did support X Windows as an optional package; it ran the standard C implementation that the Unix systems used. But that was the only piece in C, and even there it could have been rewritten in Lisp it just wasn't worth the trouble of the rewrite.

Re:Better get used to it...

There's nothing wrong with writing critical parts of the OS in assembler, you just have to manually or automatically verify and prove that those parts are correct. They usually are, because they are usually so simple that any side-effect couldn't be tolerated. For example the code that saves the stack on every OS has to write the stack to the stack save location with no side-effects besides that. If it had any side-effects or didn't do the right thing, it would be immediately obvious and the system couldn't work. If it had any data dependent branches, it would look screwey and suspicious and someone would fix it.

The only other code I can think of in the BSD and Plan9 kernels, which are the only ones I'm intimately familiar with, that is written in Assembler, is the early boot code. Well, that's not much of an attack surface since it is only executed by the boot program, and if the boot program or the input to it can be modified, the system is already hosed. If you manage to branch into it after boot, then something else has already fucked up, so the early boot code is hardly responsible.

Those bits are the most thoroughly tested and least modified parts of the OS because they are ugly to write, have to work exactly correctly for the system to work, and once they are working and tested, nobody wants to touch them again because it's so difficult. Security bugs happen in the code that is either never executed, or always executed in a particular way while never executing other potential codepaths in the same subroutine.

If someone is writing an OS in a high level language, and implementing primitives in assembler to act as supports for that language, those supports are going to work, and work perfectly, because they will be so heavily exercised that any defects will show up in short order. They're also usually so simple that fuzzing them in a simulator or static analyser with 100% input space coverage is possible.

I've written code that does this, and it's available commercially, you basically walk through the assembler propagating maximum input ranges. It's much like a modern BVH raytracer, you figure out where the splits are and build a tree of all possible execution regimens, and when the tracer fails, you add invariant annotations which it either proves or tells you are false, which reduce the search space. Eventually you wind up with a block of assembly with full annotations and a proof that it does what it says. Then you commit it to the codebase, and don't modify it again after that.

Re:Better get used to it...

Except if you're using a PMMU (as in 99.9% of cases) there isn't any guarantee that an "absolute" address points to any particular physical location.

If you're messing around with address translation, you're going to have to use assembler. I have no idea how you would try to program a PMMU in C.

Re:Better get used to it...

[pr100]

Of course their were the lisp machines: https://en.wikipedia.org/wiki/...

Re:Better get used to it...

[tepples]

I have no idea how you would try to program a PMMU in C.

Any program requiring a processor feature not exposed by the definition of the C language can be written in a language that's a superset of C with either intrinsics for that feature or inline assembly. Intrinsics are more involved to implement but might be safer in the sense that more things can be statically proved about their behavior.

Re:Better get used to it...

Have you heard about MVS? OpenVMS? RSX? MPE? Multics? ITS?

Re:Better get used to it...

> Mac OS e.g. was written in Pascal

Classic Mac OS up to System 6 was written in Object Pascal, except for the Toolbox and low-level OS routines in ROM, which were assembly. They still used Pascal calling conventions, though.

IIRC by System 7, Apple had mostly switched to C++ for system programming using MPW, but MPW still supported a Pascal compiler.

Re:Better get used to it...

> Which one? Mac OS X is C in the kernel

The Mach and BSD parts are, but the Driver Kit is based on Embedded C++.

Re:Solve the problem in hardware, have done with i

[phantomfive]

What's wrong with the standard pthreads API?

Pascal?

[drolli]

So checked C is simila to Pascal?

Re:Pascal?

[K.+S.+Kyosuke]

Well, these days, you could simply use something like ActiveOberon.

You look like a gentleman open to the ... unusual

[rodia]

May I direct your attention to this?

Re:Solve the problem in hardware, have done with i

The CPU just needs to set aside an area of memory exclusively for return addresses, and make that protected. No more security issues, buffer overruns, execution of arbitrary code. The real problem is that return addresses are mingled with other data. This should be solved at the hardware level, and AFAICS, it could be done totally transparently to code, even binaries.

That solves some cases but by no means all of them.

Buffer overrun is a method that can be used to exploit the stack based return address. A separate return stack prevents buffer overrun to trash the return address but the buffer overrun will still happen.

Most operating systems that has file access capability or interrupts will have callback hooks and function pointers. Those are supposed to be written and overwriting those can also lead to arbitrary code execution.

It is also not a requirement to have the support in CPU. If I recall correctly ICCAVR used to have separate return and variable stacks.
Pretty much any CPU already supports this. On Z80 the IX or IY register would be ideal for a separate variable stack, you probably need to use one of them as a frame pointer anyway. On 68K you can pick any address register. On ARM I think any register would do.
The loss of an extra register to stack might lead to slightly slower code but there is almost always a performance tradeoff for security.

The method makes the code slightly harder to exploit. It doesn't protect against everything but no simple solution does.
Of course the better option is coding discipline and checking all inputs but that takes the fun out of programming.

C#?

C# isn't anywhere near a C alternative. No-one sensible is going to write an OS or low-level driver in C#.

Re:That reserves memory, it doesn't add bounds che

[dargaud]

There are many (?) compilers that place boundary spaces above and below arrays, so that access to ptr[256] or ptr[-1] will trigger a (manageable) runtime error, so it will catch runaway loops. But it won't catch things like your example. And C is for speed and this adds a check or two for every array access, so even if enabled in debug mode, it's usually removed in release mode.

Re:That reserves memory, it doesn't add bounds che

[egladil]

Actually, it declares that ptr is a pointer to an array. So to get at the data you would actually have to do (*ptr)[20] or ptr[0][20]. Provided you have assigned something meaningful to the pointer first. The only memory reserved by the declaration is enough to hold a pointer.

Re:You look like a gentleman open to the ... unusu

[Ash-Fox]

My interest in writing in C is knowing the machine code that is likely to be produced by the compiler. How does this apply to "Nim"?

It's about time

[iliketrash]

It is absolutely astonishing that it has taken _this_long_ for someone to make these basic fixes to C.

Re:It's about time

It was done years ago in the C standard. Check Annex K.
It's just that people read stack overflow instead of reading the standard so everyone uses hacks that relies on behavior that the standard specifies as undefined and thinks that the language has problems because of that.

Read the standard, keep within defined behavior and use the bounds checking interface.
Do you absolutely need a particular behavior? Check if the standard specifies if it is undefined or compiler defined. If compiler defined, add a compiler check to your build process, ideally a preprocessor check next to the usage.

In most cases where it is undefined it is because the language supports 10bit architectures, one-complement CPU's and non-standard floating point units.
The supposedly better languages typically only supports one CPU architecture and one or two operating environments.

Re:It's about time

[ThosLives]

It's more surprising that people think C needs "fixing". C is just a toolbox with almost no restrictions - so you have to be careful using it. Once you start adding restrictions to your tools, you end up with other problems.

Put another way, C is almost the ultimate in coding freedom (probably only assembler is more free, but is not quite as portable as C) so requires lots of responsibility. Adding in checks to a language does free the programmer from responsibility but necessarily comes at the cost of some freedom (or performance, those checks aren't free).

Re:It's about time

C - unsafe at any speed.

Re:That reserves memory, it doesn't add bounds che

Yes, and (*ptr)[20] is the correct syntax in that case since it is a pointer and not an array.
Ideally ptr[0][20] should generate a warning but probably won't.

Nah

Like C programmers cannot write bounds checkers. These are mostly hackish indeed, but at least standards compliant.

Re:That reserves memory, it doesn't add bounds che

[zakeria]

actually (ptr + 20) and *(ptr + 20) can be used .. and is what is most likely translated to by the compiler. Just as printf("%c", "this is a string"[8]); will output the letter 'a' *("this is a string" + 8) will also produce the letter 'a' as "this is a string" is used as the base address.

Re:Solve the problem in hardware, have done with i

What happens when that area runs out of space?
Move it to main memory?

FALSE

The shitty Bell Labs stuff is widely used. Because people are educated in all textbooks to use the crap.

It is a MAJOR security issue. Like C and Unix and Windows and MacOS in general. One big shitpile which is less secure than the Algol 68 mainframes from Unisys, ICL and MCST.

But yeah, in a better C world we would use a string object (I actually do in one project), which has automatically growing capabilities.

MSFT is doing the right thing here, even if Hillary wants insecure computers.

Re:That reserves memory, it doesn't add bounds che

So the microsoft extension is std::array?

Checked C

It will send all your C source code to India where it can be checked for anything remotely innovative or copyright/patentable, at which point it will be sent back to you so you can await the pending lawsuit for copyright/patent infringement from Microsoft if you ever end up making money with your code.

AI

[LichtSpektren]

I wonder if some kind of AI (Watson or similar) is going to deprecate a lot of these programming languages, extensions, and tools. Imagine if your AI could analyze your millions of lines of code in a few minutes, then aggressively optimize it and patch all of the bugs and vulnerabilities, while still giving the same intended output 100% of the time. I wonder what programming would look like at that point.

I imagine at that point everybody would be using a programming language like Go or Python that emphasizes readability and understandability, since all of the manual stuff you used to have to do with C or C++ or asm won't be necessary anymore.

Windows Is A Security Bug

How can you trust a software from a company that wants access to all your data (to improve your experience, they say) and won't let you turn it off.

C# fails again

[sproketboy]

Another indication that M$ recognizes that .NET and C# have failed.

Re:Solve the problem in hardware, have done with i

[BitZtream]

You can simply set environment variables and instantly get better debugging than most methods on all other platforms.

... except ... its the same as on FreeBSD ... and every other applications that uses that malloc allocator instead of a crappy one. (Its not OS specific, its just the default allocator in OSX, iOS and FreeBSD, presumably others but I don't really follow the others.

Queue the idiots screaming that Apple stole it from FreeBSD now ... (original code was written to make the FBSD allocator not suck ass years ago)

And found out, the hard way, what a mess the "standard" pthreads API / libraries were.

Sigh, you just told us you're a shitty developer. Best of yet, you don't realize that what you switched to ... still uses pthreads under the hood on every platform that matters except windows.

pthreads requires you to know WTF you are doing and are extremely efficient, but I'm guessing you prefer something that does all the work for you and wastes a fuckton of CPU time because 'math is hard' Barbee.

Re:You look like a gentleman open to the ... unusu

It produces C code, so you can know the machine code that is likely to be produced by the C compiler. If you know what machine code your C code will become, which I find quite hard, due to modern optimizations. That shifts the problem to knowing what C code your nim code will be turned into. It would take some learning and experience, and one would have to weigh this against the advantages nim offers, of which the checking described here ist only one.

Re:You look like a gentleman open to the ... unusu

So, your "interest" in writing in "C" is knowing the "machine code" that is likely to be produced by the "compiler". I see :o).

Old news for OpenBSD developers.

Old news for OpenBSD developers.

BINGO (buzzword style)

but the win should go to the parent for trolling via clever juxtapositioning of competing and incompatible technologies and/or implementations thereof.

(It already seems to have borne fruit!)

Re:You look like a gentleman open to the ... unusu

[rodia]

It produces C code, so you can know the machine code that is likely to be produced by the C compiler. If you know what machine code your C code will become, which I find quite hard, due to modern optimizations. That shifts the problem to knowing what C code your nim code will be turned into. It would take some learning and experience, and one would have to weigh this against the advantages nim offers, of which the checking described here ist only one.
P.S.: sry for re-posting this while logged in, my anon reply was invisible even when selecting all posts to be displayed. Hope I don't go to /. noob hell for this.

Angels

Like those at the CPSC, would gladly take the tools away from any construction site, as they are "unsafe".

After the unsafe tools are recalled, and the workers are issued big foam hammers, dull plastic saws, and wheelbarrows with training wheels, how can any real work be done?

(Captcha: foible)

Re:That reserves memory, it doesn't add bounds che

[egladil]

Umm, no. *(ptr + 20) is different from those above. That would translate to *(char**) (((void*) ptr) + sizeof(char*) * 20). Whilst ptr[0][20] and (*ptr)[20] translate to *(char*) (((void*) (*ptr)) + sizeof(char) * 20).
And (ptr + 20) is even worse since it's completely missing dereferences.

Your printf example is correct though, but not relevant to the current case.

Re:You look like a gentleman open to the ... unusu

[Ash-Fox]

It produces C code, so you can know the machine code that is likely to be produced by the C compiler.

Yeah, but I'm not going to write 100 different variations in nim to get it to produce the C code I want to get it translated to machine code.

If you know what machine code your C code will become, which I find quite hard, due to modern optimizations.

I'm writing low level C code, which doesn't have much room for optimization honestly and I like to do my own micro optimizations (and trust me, a compiler can't optimize some things the same way a human can, take a look at path walking in the Linux kernel for an epic example).

It would take some learning and experience, and one would have to weigh this against the advantages nim offers, of which the checking described here ist only one.

Sadly, things like bounds checking and malloc handling aren't always the most efficient and sacrifice performance; which isn't always in the interest of the project one works on.

Re:You look like a gentleman open to the ... unusu

[Ash-Fox]

So, your "interest" in writing in "C" is knowing the "machine code" that is likely to be produced by the "compiler".

Well, let's be honest, assembler does not have the nice fancy IDEs you can get with C (even if you're not using their fancy compilers), the language isn't so simple that you have to write out entire loop code. It is low level enough that I can write micro-optimizations and understand more or less what the compiler is going to produce.

So yes, my preference for using C is for this particular scenario typically.

I know what the checked stands for

[TheMadTopher]

Telemetry calls embedded via the compiler? Check!

Re:Solve the problem in hardware, have done with i

[tepples]

Queue the idiots screaming that Apple stole it from FreeBSD now

Is it "stole" as much as "used under license"? Darwin is FreeBSD's userland on a Mach-derived kernel.

Re:You look like a gentleman open to the ... unusu

[tepples]

That and if you need to port your code to other architectures, such as x86 vs. x86-64 vs. ARM vs. MIPS, you can recompile C with only a minor loss in runtime speed due to loss of effectiveness of micro-optimizations.

Singularity OS

[tepples]

No-one sensible is going to write an OS or low-level driver in C#.

Singularity was written in a variant of C#, using the .NET CLR's safety model.

"Singularity authors aren't sensible"? No true Scotsman.

"Checked C"?

[whitroth]

And, so, how is this different from lint?

For that matter, none of all the C I used to write ever had buffer overflows, or memory out of bounds, etc. Of course, I wasn't right out of school when I wrote it, nor was I lazy... so, for example, I almost *never* used while/wend - overwhelmingly, it was for/next, with *LIMITS*. After some early C programming bugs that I fixed, I started, more and more, using strncpy.. And I *checked* the return from malloc.

                    mark "remember, half of the programmers out there are the bottom half"

Re:"Checked C"?

[david_thornley]

I never used while/wend or for/next in C either. They're not C language constructs.

Re:That reserves memory, it doesn't add bounds che

[Uecker]

This does not reserve memory. This declares ptr to be a pointer to an array of length 256. This is exactly what a bounded pointer is. And yes, compilers can sometimes detect out-of-bounds accesses at compile time (not only for literals) and because out-of-bounds accesses are undefined behavior, there are free to add run-time bounds checking when the pointer is de-referenced. And this is exactly what the undefined-behavior sanitizer for clang and gcc does if you use it. I know, because I fixed this for gcc because it wasn't working.

    void foo(int n, char (*buf)[n])
  {
                    (*buf)[n] = 1;
    }
    int main(int c, char* argv[])
    {
                char buf[10];
                  foo(10, &buf);
    }
    $ clang-3.5 -fsanitize=undefined -O3 c.c
    $ ./a.out
    c.c:4:2: runtime error: index 10 out of bounds for type 'char [n]'

Checked SPY++

Any time you brandish the word safer in the same breath as Microsoft you are lying.

Re:That reserves memory, it doesn't add bounds che

[Uecker]

In the example I gave, the size is encoded in the type. This makes it simple and cheap for the compiler to add bounds checking (which can also often be optimized away if it can prove that the access is not out-of-bounds).

imgur.com on 443 really slashdorks?

This was posted here recently.
http://i.imgur.com/rnnPzYX.jpg

Now today our browsers connect to imgur.com on port 443. Are you saying they are a new certificate authority?

Or is this Spydot?

Very interesting, thank you. Might use the flag

[raymorris]

That's very interesting, thank you. Sometime I might use -fsanitize=undefined. Since most software is network-bound or IO-bound, I suppose the cost would be minimal?

> I know, because I fixed this for gcc because it wasn't working.

It's always good to hear from someone who definitely knows.

Cold dead hands...

First they came for our null pointer references, then they came for our heap overflows... Jesus, is nothing sacred?
Soon upstanding citizens won't be able to divide a LEGALLY owned number by zero...

Re:That reserves memory, it doesn't add bounds che

[zakeria]

Ahh.. I never noticed the ptr[0][20] !!!

Re:Solve the problem in hardware, have done with i

Your mindset is the McDonalds Approach To Computer Science. Quick and dirty. I do not really blame you, it is the rotten management and the race-to-bottom treadmill we are operating in.

Plus of course Hillary and he NSA minions want the capability to subvert everything.

But I guess this will change, because otherwise computers will lose their utility.

We have loads of crapware and millions of developers. Now, go it slowly and thoroughly. Then the cyber war domain can die its needed death.

FALSE

C is worse than assembler in case I want to efficiently check for integer over- and underflow. CPUs can do it, but there is no way to use this functionality in a portable way.

C has clearly been created by USG in order to make computers "reconnoiterable" - worldwide, anytime.

Sure, Mr NSA

Let's prop up your creation, so that you can hack all systems, worldwide, anytime.

Make people think C is a progression on Algol68, when the opposite is true.

Your lying will catch up with you and I guess the Mohammedics will take you over soon, because they are even better at lying than you are.

Poor Boy

Do you really believe these 1% sponsored Dreck Messages ?

IBM currently dies a slow death because they mistrust Human Intelligence.

Here is an ounce of truth for you: Each Ant has a more powerful neural net than all real world "AIs". Just check the numbers.

Marvin Minsky was a 1% science whore who had fun to scare people.

And grow some balls, stop believing the nonsense of the marketing vultures and other propagandists.

Sure

It cannot be that a TLA wanted to make ciphers insecure. They would never do that, would they ?

Seriously, that is the most useless example why we should use non initialized memory. Assuming that "by magic" there will appear entropy from uninitialized memory is super amateurish.

Proper crypto can be nicely done in Pascal, Ada or Oberon. Actually, it can be done so well that the 1% would start calling for a return of their C based backdoors.

Re:Solve the problem in hardware, have done with i

> Plus of course Hillary and he NSA minions want the capability to subvert everything.

The funny thing about being a partisan tool is it blinds you to the real issues, and turns politics into a base team sport.

And the real thigh-slapper is that you think a Republican candidate (even one other than Trump) wouldn't fuck your privacy 6 ways from Sunday.