Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Research Touts Its 'Checked C' Extension For 'Making C Safe' (microsoft.com)

Posted by EditorDavid on from the making-C-safe-again dept.

Microsoft Research has pre-published a new paper to be presented at the IEEE Cybersecurity Development Conference 2018 describing their progress on Checked C, "an extension to C designed to support spatial safety, implemented in Clang and LLVM."

From "Checked C: Making C Safe By Extension": Checked C's design is distinguished by its focus on backward-compatibility, incremental conversion, developer control, and enabling highly performant code... Any part of a program may contain, and benefit from, checked pointers. Such pointers are binary-compatible with legacy, unchecked pointers but have explicitly annotated and enforced bounds. Code units annotated as checked regions provide guaranteed safety: The code within may not use unchecked pointers or unsafe casts that could result in spatial safety violations.

Checked C's bounds-safe interfaces provide checked types to unchecked code, which is useful for retrofitting third party and standard libraries. Together, these features permit incrementally adding safety to a legacy program, rather than making it an all-or-nothing proposition. Our implementation of Checked C as an LLVM extension enjoys good performance, with relatively low run-time and compilation overheads. It is freely available at https://github.com/Microsoft/checkedc and continues to be actively developed.
The extension is enabled as a flag passed to Clang -- the average run-time overhead introduced by adding dynamic checks was 8.6%, though in more than half of the benchmarks the overhead was less than 1%. They also note that from 2012 to 2018, buffer overruns were the leading single cause of CVEs.

Microsoft Research says they're now evaluating Checked C, formalizing a proof of its safety guarantee -- and developing a tool to semi-automatically rewrite legacy C programs.

119 of 181 comments (clear)

  1. Funny ... by Misagon · · Score: 3, Informative

    clang/LLVM had been developed in tandem with, practically for a project for making C code safer in the first place: SAFECode.

    --
    "We mustn't be caught by surprise by our own advancing technology" -- Aldous Huxley
    1. Re: Funny ... by jd · · Score: 2

      How is vi the least bit related to the compiler?

      I assume people understand clang is a compiler, not a text editor. Or maybe I'm assuming too much.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    2. Re:Funny ... by HiThere · · Score: 1

      Well, this isn't quite the same comment, but if the language is compatible with C, or some subset of C, couldn't you compile the "safe version", run your tests, and then, when you were satisfied, compile with standard C? Surely the answers ought to be guaranteed to be the same if there's no error.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    3. Re:Funny ... by jd · · Score: 1

      You are correct.

      In the case of Verified C, it's slightly different - they've proven the optimizer will generate code that is functionally identical to the source, so you can't be sure if another compiler will generate equivalent binary.

      However, whether talking about Checked C, Verified C, SAFERCode or any other validation system, validated source is validated. Furthermore, once you've done any runtime testing and shown no errors occur when in operation, that should hold true for compiled code from any compiler. Green Hills, Portland Compiler Group, Intel, etc.

      So this would be a great environment for continuous integration and alpha testing, but you needn't use it for beta tests or an official release.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    4. Re:Funny ... by haruchai · · Score: 2

      clang/LLVM had been developed in tandem with, practically for a project for making C code safer in the first place: SAFECode.

      AT&T had a safe C variant called Cyclone but haven't heard anything about it in over a decade

      --
      Pain is merely failure leaving the body
    5. Re:Funny ... by dryeo · · Score: 1

      I'd guess that there is a compiler switch to turn it off.

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
    6. Re:Funny ... by MrMr · · Score: 1

      Yes, that's what old programmers used to do: build and test with efence and valgrid, and recompile
      https://linux.die.net/man/3/li...
      http://valgrind.org/
      Interestingly neither of these lang standing approaches (Hi Bruce) appears to be mentioned in the IEEE paper.
      Peer review ain't what she used to be.

    7. Re:Funny ... by AmiMoJo · · Score: 1

      The problem with all these attempts to make C safe is that they tend to break all the stuff that makes C useful. Type punning is the classic example, or pointer manipulation.

      There are better languages if you need that kind of thing. For other purposes C is the only option precisely because it isn't safe.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:Funny ... by Zero__Kelvin · · Score: 1

      No, that won't work because the checks happen at runtime, not compile time ... thus the increases overhead of approximately 8%.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    9. Re:Funny ... by slickwillie · · Score: 1

      Some of us used to run lint on our code too. Is that still a thing?

    10. Re:Funny ... by HiThere · · Score: 2

      IIUC efence and valgrind don't check for references beyond array bounds, but only for references beyond allocated memory. So this is different (and less expensive) than what they're proposing.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    11. Re:Funny ... by Ed+Avis · · Score: 1

      Those are run time checks. They are a great way of smoke-testing your code for memory access errors that can't be detected at compile time (which in standard C is most of them). Of course, while this testing can prove the existence of bugs, it cannot prove their nonexistence. The paper is about a different and complementary approach, compile-time checking. Here you prove that certain types of unsafe access cannot occur based on the source code. The prior art cited in the paper is other approaches of this type.

      --
      -- Ed Avis ed@membled.com
    12. Re:Funny ... by Ed+Avis · · Score: 1

      Sorry, you do have a point, since their project includes run time checking with some performance penalty.

      --
      -- Ed Avis ed@membled.com
  2. Re: Microsoft lags behind better research by jd · · Score: 4, Informative

    There's a difference. CompCert/Verified C is concerned with formally verifiable source code and provably correct compilation, which means pointers are bad.

    CheckedC doesn't do any of the above, it is only a secure pointer system. Microsoft's Z3 handles formal verification.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  3. What about C syntax? by david.emery · · Score: 3, Insightful

    How many errors are due to C syntax, e.g. "=" vs "=="?

    At what point do we finally decide that C just wasn't the best choice for large scale long lived systems?

    (And don't tell me about "experts don't make those mistakes". See, for instance https://www.researchgate.net/p... )

    1. Re:What about C syntax? by phantomfive · · Score: 4, Informative

      How many errors are due to C syntax, e.g. "=" vs "=="?

      I haven't seen that error in many many years. The compiler gives you a warning in most cases, when you look at code with that mistake it really jumps out at you, and if it somehow does get through the compile phase, rudimentary testing will catch it. You are testing both branches of your if statements, aren't you?

      --
      "First they came for the slanderers and i said nothing."
    2. Re:What about C syntax? by gweihir · · Score: 1

      When compiling with "-Wall" and using reasonable style, basically none.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:What about C syntax? by theweatherelectric · · Score: 3, Informative

      Why not simply use a language that avoids the problem in the first place? In Pascal, for example, you can't do an assignment inside an if test. It's a wiser design choice.

    4. Re:What about C syntax? by phantomfive · · Score: 1

      Because its convenient sometimes and not a problem. "Giving up convenience for things that are not a problem" may be the source of everything wrong in Pascal.

      --
      "First they came for the slanderers and i said nothing."
    5. Re:What about C syntax? by theweatherelectric · · Score: 1

      Because its convenient sometimes

      When?

      everything wrong in Pascal

      Like what?

    6. Re:What about C syntax? by theweatherelectric · · Score: 1

      So.. the answer is "never". Pretty lame, kid.

    7. Re:What about C syntax? by theweatherelectric · · Score: 1

      This is naive at best. It's one line different doing the assignment outside of the if test, and you believe this is some kind of grand convenience? Assignment inside an if test is not worth the problems it introduces.

    8. Re:What about C syntax? by neurocutie · · Score: 1

      To the extent that C was designed with the PDP-11 machine code in mind,

      if (a = b)

      compiles directly into

      MOV B, A
      BNE 101$

      which is a perfectly reasonable machine language construct (or any of its variants since most instructions set the PDP-11 condition codes.

      I think many C programmers (certainly most of the early ones) are always aware of the machine code being generated as they are writing C....

      (perhaps you think P-code when you write Pascal, good for you!)

    9. Re: What about C syntax? by theweatherelectric · · Score: 1

      Whatever floats your boat. Try not to get any on the keyboard.

    10. Re: What about C syntax? by theweatherelectric · · Score: 1

      No, it doesn't create problems for Pascal programmers because Pascal doesn't have this problem. Maybe reread the thread.

    11. Re:What about C syntax? by theweatherelectric · · Score: 1

      (perhaps you think P-code when you write Pascal, good for you!)

      You're a little out of date. You have some reading to do.

    12. Re:What about C syntax? by theweatherelectric · · Score: 1

      Again, your convenience just isn't. Why wouldn't function_that_uses_pointer() protect itself by doing the pointer check internally? That way function_that_uses_pointer() wouldn't have to worry about someone remembering to do the check every time it is called and you could write:

      result = function_that_could_return_a_null_pointer();
      function_that_uses_pointer(result);

      Or even:

      function_that_uses_pointer(function_that_could_return_a_null_pointer());

      All the "convenience" did for you was to structure your program poorly. And worse, it made you think the bad structure was a good idea.

    13. Re:What about C syntax? by Jeremi · · Score: 1

      At what point do we finally decide that C just wasn't the best choice for large scale long lived systems?

      We can decide that whenever you like; unless you've got a time machine handy, it doesn't really change anything now, because all of those systems are still out there and aren't going anywhere. Even if you aren't working on the C code directly, you're likely going to want to link to a C library, or run on a C-based operating system.

      C, like the faint scent of urine on the subway, is there, and there's nothing anybody can do about it.

      --


      I don't care if it's 90,000 hectares. That lake was not my doing.
    14. Re:What about C syntax? by Anonymous Coward · · Score: 1

      Why wouldn't function_that_uses_pointer() protect itself by doing the pointer check internally?

      The real answer is: it would, except your macho cargo-cult co-workers believe it's faster to do the check outside the function, so they trade a few tens of nanoseconds for having manually guard every function invocation, and then they pat themselves on the back every time they remember to add the check. :(

    15. Re:What about C syntax? by theweatherelectric · · Score: 1

      Your quiche-eating opinion isn't going to change C

      Of course it isn't. That's why you're better off using a language that avoids C's problems in the first place. Maybe reread the thread.

    16. Re:What about C syntax? by Pseudonym · · Score: 1

      while ((thing = next_thing_or_null_if_no_more_things())) {
              do_something_with(thing);
      }

      --
      sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
    17. Re:What about C syntax? by gnasher719 · · Score: 1

      As far as I'm concerned, "if (a = b)" doesn't compile. Because it generates a warning that I turn on, and I don't allow warnings. Problem solved.

      You _can_ write "if ((a = b))" and the double parentheses convince the compiler that the assignment was indeed what you wanted.

    18. Re:What about C syntax? by swilver · · Score: 1

      Experts donot make that mistake. In fact, the question makes your look rather dumb.

    19. Re:What about C syntax? by gweihir · · Score: 1

      I do not use toy-languages.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    20. Re:What about C syntax? by theweatherelectric · · Score: 1

      You really have no clue, do you. Sad to see, dude.

    21. Re:What about C syntax? by theweatherelectric · · Score: 1

      And yet you have nothing to offer. It's amusing watching C advocates flail about, posting syntactically incorrect C code and disagreeing with each other on how to do something as trivial as copy one string to another.

    22. Re:What about C syntax? by Zero__Kelvin · · Score: 1

      Considering C is the language that the Linux kernel which runs the internet and most cell phones is written in, and it works quite well when used by professionals qualified to use it properly, never. If you make the error you cited you have no business developing such systems in any language.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    23. Re:What about C syntax? by Zero__Kelvin · · Score: 1

      No. He was correct. You have no clue and should not have opened your mouth to prove you are a fool.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    24. Re:What about C syntax? by ebvwfbw · · Score: 1

      ...At what point do we finally decide that C just wasn't the best choice for large scale long lived systems?....

      The premise is wrong. If you didn't use C, what would you have used back in 1970 other than assembler? Nothing. Admit it.
      As for long lived systems, it's still here. All of the other OS that I remember are in the grave yard. Exec-8, VMS, etc. I can remember all the people saying Unix is doomed, snake oil, etc. Yet the Unix type OS lives on and powers the most powerful largest computers in the world. For the most part for over 30 years.

      Time to admit it was exactly the right choice for large scale long lived systems.

    25. Re:What about C syntax? by Carewolf · · Score: 1

      if( (result = expensive_function()) > somevalue ) { do_stuff(result); }
      It can be convenient and concise to do an assignment in a test, but you're a dumbass who resists knowledge and will probably double down and say it isn't valid because pascal doesn't let you and who cares if you have to do the same thing with more lines of code.

      There is even a C++ extension for it now, so you can declare the score there too.

      if (auto *ptr = get_maybe_ptr()) do_stuff_on_definitely_ptr(ptr);

    26. Re:What about C syntax? by theweatherelectric · · Score: 1

      Wow, C appears to make you hate fueled. Maybe you should try another language, guy. It might be better for mental health.

    27. Re:What about C syntax? by theweatherelectric · · Score: 1

      Nope, just not myopic.

    28. Re:What about C syntax? by Zero__Kelvin · · Score: 1

      Who told you myopic was a synonym for competent?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    29. Re:What about C syntax? by theweatherelectric · · Score: 1

      Ugh, programmer machismo is truly pathetic. It's a sure sign of an amateur. You've got a lot of growing up to do, Zero__Kelvin. Don't spend the rest of your life this developmentally stunted.

    30. Re:What about C syntax? by Zero__Kelvin · · Score: 1

      You should probably read my other replies that expose your incompetence before making even more of a fool of yourself. As

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    31. Re:What about C syntax? by theweatherelectric · · Score: 1

      As

      It's funny the number of typos committed by C advocates. All these mistakes demonstrate the value of a language like Pascal over C.

    32. Re:What about C syntax? by neurocutie · · Score: 1

      "At what point do we finally decide that C just wasn't the best choice for large scale long lived systems?"

      So what choice should have been made... in 1972? (early days of Unix).

      Seems like it was an excellent choice for 1972 and survive nearly 50 years (i.e. your "long lived" criterion).
      Was there another choice in 1972 that was a better choice in 1972 that has shown itself to be a popular (i.e. grown in usage by leaps and bounds since 1972 or earlier) and solid choice in 2018?

    33. Re:What about C syntax? by theweatherelectric · · Score: 1

      That's not what Happened

      Sure, kid. It's always Someone Else's Fault.

    34. Re:What about C syntax? by gweihir · · Score: 1

      Pathetic.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    35. Re:What about C syntax? by theweatherelectric · · Score: 1

      Like I say, nothing to offer. It's sad that C has made you this way. You really should try Pascal. It'll improve you.

    36. Re: What about C syntax? by BranMan · · Score: 1

      Inverting the boolean test has yet another handy use (at least in Java):

      if( myString.equals("hello") ) will blow up if myString is NULL
      if( helloString.equals(myString) ) will simply return false if myString is NULL

  4. Re:Hmmm. by HiThere · · Score: 2

    What's needed is not independent comparison (well, that's needed, but that's not the problem). What's needed is a license that guarantees that there's no copyright or patented code in the result. I.e., a guarantee that the generated code can be used under any license of your choice without legal danger from either Microsoft or from any company with which they have or have had a business relationship unless the source code compiled by a standard C compiler would have the same problem.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  5. Re:Hmmm. by jd · · Score: 1

    Ok, I would agree with that. So, license check then a benchtest. IANAL, but I can do the latter adequately even if I can only do a cursory skim for the former.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  6. MISRA Comparison? by 0100010001010011 · · Score: 2

    Can anyone compare this to what Embedded has been doing for a while in functional safety?

    https://en.wikipedia.org/wiki/...

    It's why Mathworks makes stupid money off of Polyspace Static Analyzer.

    https://www.mathworks.com/prod...

    https://www.mathworks.com/prod...

    On top of that there's also the Barr Group's Embedded C Coding Standard.

    https://barrgroup.com/Embedded...

    1. Re:MISRA Comparison? by theweatherelectric · · Score: 2

      The fact that the Joint Strike Fighter's coding standards are based on MISRA C is not a good advertisement for it. The JSF's software still doesn't work right and they've been working on it for 20 years. Following MISRA C didn't avoid those problems.

    2. Re:MISRA Comparison? by phantomfive · · Score: 3, Insightful

      tbh honest, I don't think MISRA is that great. It's a grab-bag of miscellaneous error prevention ideas, but without a clear conception of how to avoid bugs, it prohibits some things that aren't a problem, and allows things that are.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:MISRA Comparison? by jd · · Score: 2

      Agreed. And quite a few studies of MISRA say likewise.

      There's probably a subset that is genuinely useful, simply because it does seem to work when selectively applied.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  7. Re:Hmmm. by gweihir · · Score: 4, Interesting

    It is MS Research. MS proper ignores them routinely.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  8. Misleading comparison to other languages by roca · · Score: 4, Informative

    Pretty major error right in the introduction:

    > Legacy programs would need to be ported wholesale to take advantage of these languages,

    Not true for Rust. C libraries and applications can be ported to Rust incrementally and, in fact, some examples have already been done and shipped! See Federico's work on librsvg for example: https://people.gnome.org/~fede...

    1. Re:Misleading comparison to other languages by Anonymous Coward · · Score: 3, Informative

      Rust is a horrible clusterfuck of a language.

      Apart from a cumbersome syntax, traits hide implementation details, so you have to look up the implementation or (worse!) take a look at the implementation of a type in order to know what it will actually do memory-wise, information you need to know in order to use the type in any realistic way. Rust also doesn't have proper classes, which together with the overly complex borrow-checker makes it essentially impossible to write glue libraries to object-oriented foreign code or write object-oriented style in Rust that is not extremely verbose. That's why there is not a single cross-platform GUI library worth using in Rust, because these are naturally designed in an object-oriented way. The Rust people are still musing how to re-invent the wheel in a more Rust-friendly way to create a few widgets on the screen.

      The borrow-checker and lifetimes feel like they have been invented to only make a programmer's life harder. Implicit shortcuts like lifetime elision rules are glued onto the language in an attempt to make programming in Rust less of a pain in the ass, whereas in reality the only increase the complexity of programming in Rust even further.

      Last but not least, Rust claims to enhance safety - which for Rust people almost solely means memory safety of references - but doesn't even have integer range types. Ada had these in the 80s, yet the Rust guys believe they are unnecessary and openly advocate wrapping integers into a struct to achieve a similar effect.

      Add to this glued-on constructs like the "ref" keyword that means what "&" should mean in certain contexts, but "&" cannot be used because it is already used for something different, and you get the mess that Rust is now at version 1. I don't want to imagine what kind of insanely complex mess Rust is going to be in 10-20 years from now. C++ will be nothing in comparison.

  9. Re:Microsoft lags behind better research by haruchai · · Score: 1

    CompCert provides a formally verified subset of C and has existed since 2008

    AT&T's Cyclone is a bit older than CompCert but appears to have fizzled out 12 years ago
    https://en.wikipedia.org/wiki/...

    --
    Pain is merely failure leaving the body
  10. Re:Hmmm. by rtb61 · · Score: 1

    It's M$ not matter what you check, to pump up this quarters profits according to some dick spreadsheet, if they change what ever they choose to change and it makes it more insecure, they will change it. They have pretty much zero reliability, touting stuff, dumping it when the profitability is not there or there is greater profitability elsewhere, leaving users in the lurch, not a few times but a whole lot of times. What ever it is they are pushing today, will be different in a years time and most often worse for the user. Specifically the more users that pick it up, the worse it becomes, the more M$ dick spreadsheeters think they can leverage it to increase profits and basically bugger the end users. Often end users scream, abandon the product and the M$ abandons it looking for the next lock in scam to leverage.

    They have not been a part of the solution for years, they and their ilk largely are the problem. They will sell your privacy, security and copyright the very second, well actually before they a fully certain they can get away with it, greed pushes them to strike early and as it turns out normally fail. They are an extremely unreliable supplier and not to be trusted.

    --
    Chaos - everything, everywhere, everywhen
  11. Re:Hmmm. by Gadget_Guy · · Score: 1

    Do you know how many compilers Microsoft have written over the years? Can you name a single instance of any one of them producing code that has ever placed a user in legal trouble due to licenses, copyrights or patents?

    Twenty years ago people claimed that Microsoft were going to use submarine patents to slap infringements on people who used their compilers, and yet not one single time has this happened.

  12. Re:Sigh by theweatherelectric · · Score: 3, Informative

    C is already safe

    Is it? Let's have a look at a security analysis of applications written in C on FreeRTOS. It seems like they're riddled with flaws. Saying "just write better code" lacks real world perspective.

  13. I think there are solutions with no runtime hit by Anonymous Coward · · Score: 1

    If I'm reading this right, it's a "smart pointer" and so of course you're going to take a run-time penalty. Languages like Haskell abstract things like array access and are immune from the kind of problem due to a "what you want" as opposed to "how you do it" mentality that C has. I think smart pointers, or anything that imposes a needless run-time penalty are a non-starter. We've got better approaches.

  14. Re:Sigh by Anonymous Coward · · Score: 1

    Someone not capable of writing a totally secure C program isn't going to be able to guarantee a totally secure python program either. It may have less errors.

  15. Loops, for one. by raymorris · · Score: 1

    > Why wouldn't function_that_uses_pointer() protect itself by doing the pointer check internally?

    Because

    for ( x=0; x++; x That way function_that_uses_pointer() wouldn't have to worry about someone remembering to do the check

    If you want to hack together quick scripts without ever thinking about the possibility of either errors occuring, or some item simply not being present, perhaps VBA, Python, or Pascal is for you. C is for systems programmers who already need to be aware that they can't just make assumptions that every system and every situation will be just like the test they ran.

    1. Re:Loops, for one. by theweatherelectric · · Score: 1

      Because

      Your post didn't work very well. There was no because.

      C is for systems programmers who already need to be aware that they can't just make assumptions

      Then why are there so many vulnerabilities in C applications? Seems like there are assumptions aplenty.

    2. Re:Loops, for one. by raymorris · · Score: 4, Informative

      Slashdot ate the because. See:

      https://developers.slashdot.or...

      There are many vulnerabilities in software in every language.
      As it happens, I maintain a database of every CVE ever issued, and part of my job each day is to look at any significant new vulnerabilities published that day. I've learned a couple things about languages and vulnerabilities. Obviously languages that nobody ever uses aren't used in vulnerable software very much - the number of vulnerabilities tracks fairly closely with how much use a language gets. Aside from that obvious fact, there is one more:

      Languages designed to be easy for beginners tend to be used by beginners. Beginners make beginner mistakes.

      There is very little stupid assembly code out there. There's a lot more stupid Python. This is simply because assembly is generally used by peoppe who know WTF they are doing; Python encourages people to make software without knowing what they are doing, which means they make really bad software.

      Probably the worst language I've seen in terms of security was version 4 of PHP. It was really, really dumbed down and frequently used by people who had no clue - on public web sites. The creator of PHP openly and emphatically says he had no idea how to create a good program language, and he's right. He was trying to create a simple blog system, but inflated loops, variables, and conditions, so people started using it as a general purpose programming language for the web.

      You DO have to be careful with C - and C programmers generally know that, and are careful. C is designed to be fast and to be flexible, and *simple* in terms of its built-ins, not to be a safe playground for newbies.

      I fear the language which may be even worse for security than PHP 4 may be Rust. It may really surprise people for me to say that, but programs written in Rust may very well have more serious vulnerabilities than any other language. Why? Because Rust hypes some very basic features to a ridiculous degree, pretending that avoiding oob access magically makes your code secure, and many Rust programmers actually believe that. By far the vast majority of vulnerabilities are logic errors like "goto fail", not buffer overruns. No language can protect you against goto fail and similar oversights.

      By making Rust programmers believe that just uaing Rust makes the software secure, or even meaningfully more likely to be secure, they are lulled into a false sense of security which encourages stupid mistakes. Have you ever seen a Rust program which even I the negative conditions in its unit tests? That's one of the most basic and important things you can do in terms of security. Many Rust fanbois truly believe that using Rust is magic, so they don't even test what happens when someone enters an invalid password, or an empty password, or how about SQL injection in the password? Rust doesn't normally buffer overflow, so no need to think about security, right?

    3. Re:Loops, for one. by theweatherelectric · · Score: 1

      Slashdot ate the because

      No, you just got it wrong.

      There are many vulnerabilities in software in every language.

      Yes, which is why it's important for the language to mitigate that as much as possible. Your mistake while doing something as trivial as a forum post demonstrates the fallibility of the programmer.

      programs written in Rust may very well have more serious vulnerabilities than any other language

      Prove it.

    4. Re:Loops, for one. by Raenex · · Score: 1

      There is very little stupid assembly code out there.

      There is very little assembly code out there, period. But we've seen, going one layer down, that even the experts at Intel can screw up security.

      Probably the worst language I've seen in terms of security was version 4 of PHP.

      Because PHP is an awful language that was heavily inspired by Perl. Gee, it turns out when you make awful design mistakes, it impacts the number of errors! Just like C.

      You DO have to be careful with C - and C programmers generally know that, and are careful.

      Is that why 20% of CVE bugs are for overflow and memory corruption?

      I fear the language which may be even worse for security than PHP 4 may be Rust.

      You've got to be shitting me. Rust will remove a vast swath of the errors that pops up in C all the time. Not only that, it's a difficult language, so by your own standards it will be geared towards more expert usage -- even more expertise than required with C!

      Why? Because Rust hypes some very basic features to a ridiculous degree, pretending that avoiding oob access magically makes your code secure, and many Rust programmers actually believe that.

      I'm sure many, many more aren't so stupid as to believe that all security is taken care of because some areas have been made more secure.

  16. Slashdot ate my post! by raymorris · · Score: 1

    Friggin Slashdot ate my post.

    if ( thegamma = get_gamma() ) {
          for ( y=0; y++; y < pixelheight ) {
                  for ( x=0; x++; x < pixelwidth ) {
                              do_gamma( x, y, thegamma );
                  }
            }
    }

    It's kinda silly to check a million times that thegamma isn't null. Checking once is quite enough.

    I know loops might be a little bit too advanced of a concept for some people, but advanced programmers use them once in a while. :)

    Here's a fun function for you:
    void strcpy(const char *src, char *dest) {
    while (*dest++ = *src++)
                            ;
    }

    Yep, that copies a string.

    1. Re:Slashdot ate my post! by theweatherelectric · · Score: 1

      Friggin Slashdot ate my post

      Whoops. Mistakes like that happening are why allowing assignment in an if test is a bad idea. Too easy to get wrong.

      if ( thegamma = get_gamma() ) {

      Wow, man. So the alternative is an extra line:

      thegamma = get_gamma();
      if (thegamma) {

      Hardly seems inconvenient. You're arguing for a misfeature.

    2. Re:Slashdot ate my post! by raymorris · · Score: 3, Interesting

      You certainly CAN write it in two lines instead of one, sure.
      You asked for an example of where it is convenient.

      As I mentioned, here's the implementation of the string copy library function in C, using some conveniences including assignment returning the value. How would you write this "copy each character" in Pascal?:

      while (*dest++ = *src++);

      I'm going to guess that rather than one line, it'll be about fiveines. Some people prefer not to write five times as much code as needed.

      Personally, I kinda like this habit to not only avoid the error but make it extremely obvious that I haven't done an assignment rather than a comparison:

      if (4 == x)

      By habitually putting the constant on the left side, I'd get a compile error if I accidentally typed = instead of ==.

    3. Re:Slashdot ate my post! by theweatherelectric · · Score: 2

      How would you write this "copy each character" in Pascal?

      Like this: myString := myOtherString;

      C's string handling is nothing to take pride in.

      By habitually putting the constant on the left side, I'd get a compile error if I accidentally typed = instead of ==.

      Pascal doesn't have the problem in the first place.

    4. Re:Slashdot ate my post! by Anonymous Coward · · Score: 1

      FYI: in C++, this is written as:

      if (bool thegamma = get_gamma() ) {

      This makes the intent clear and the variable scope properly limited; it also avoids triggering the compiler warning about suspicious assignment.

    5. Re:Slashdot ate my post! by Teckla · · Score: 1

      Your example may be mildly more convenient when the code is written, but it'll probably be read and maintained lots of times. When it comes to this example, is a teensy tiny bit of code density worth it being harder to read, plus the possibility of a bug (= vs. ==)?

    6. Re:Slashdot ate my post! by gnasher719 · · Score: 2

      Please for the love of god use strncpy.

      Please for the love of god NEVER use strncpy. If your buffer doesn't have enough space, it copies the bytes from source and doesn't write a trailing zero byte, so now you have a trap just waiting to spring on you. It's the worst design possible.

      In addition, calling strncpy() to copy into a buffer of n bytes takes O (n). 5 bytes into a megabyte buffer sets a million bytes to 0.

      Write two helper functions. One that creates a shortened, valid C string if it doesn't fit. One that is guaranteed to crash if it doesn't fit.

    7. Re:Slashdot ate my post! by swilver · · Score: 1

      That just makes code less readable.

    8. Re:Slashdot ate my post! by Zero__Kelvin · · Score: 1

      That isn't the same at all and the fact you think it is proves you don't know enough about either language to comment.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    9. Re:Slashdot ate my post! by raymorris · · Score: 1

      >> As I mentioned, here's the implementation of the string copy library function in C

      > well one, it's better to use a library function like strcpy

      Perhaps you didn't notice where I said that IS strcpy? You can't do this:

      char * strcpy (const char * src, char * dest) {
            return strcpy();
      }

    10. Re:Slashdot ate my post! by theweatherelectric · · Score: 1

      It is the same thing. It's an advantage of Pascal over C, that strings are intrinsic to the language. You really should spend some time learning more languages. Broaden your horizons, my son.

    11. Re:Slashdot ate my post! by Zero__Kelvin · · Score: 1

      Oh, there is a huge difference. I'll give you a couple hints. 1) Where in memory do these strings reside? 2) What happens to the strings when the function reaches the end of it's scope? I know. I know. You literally have no idea what any of that even means. Off you go now ...

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    12. Re:Slashdot ate my post! by theweatherelectric · · Score: 1

      1) Where in memory do these strings reside?

      Stack or heap. It depends on the string type you use.

      What happens to the strings when the function reaches the end of it's scope?

      Strings are reference counted in Pascal. You can dispose of them ahead of time or allow them to fall out of scope. The scope depends on the declaration, not the function. Like I say, you should learn some other languages.

    13. Re:Slashdot ate my post! by Zero__Kelvin · · Score: 1

      At least you finally agree that the two are completely different, even if you are too stupid to know that you just admitted it.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    14. Re:Slashdot ate my post! by theweatherelectric · · Score: 1

      So.. your lame attempt at an insult failed and now you're trying another one?

      I think you're suffering from a kind of Stockholm syndrome. C has mistreated you for so long that you've come to identify with it. C has taken so much of your self-respect that your only outlet is these pathetic rants on internet forums and you can't see that there's something better out there. Worse, C has made you believe that you don't deserve something better. This is sadly typical of all abusive relationships.

      But have hope. There is something better. It's called Pascal.

      Hang in there, kid.

    15. Re:Slashdot ate my post! by theweatherelectric · · Score: 1

      because we loved it

      Oh no. These crazed C cultists have captured you as well. Fortunately, you need suffer no longer. Pascal's out there for you, man. Pascal believes in you. But you've got to believe in you first.

    16. Re:Slashdot ate my post! by Cassini2 · · Score: 1

      Try strlcpy and strlcat. They should be present on most Linux and Mac systems.

      On Microsoft, try StringCchCopy or StringCchCopyEx.

      Microsoft has written a large number of "better" versions of strcpy. Writing your own string functions will result in your code becoming like Microsoft's. Every programing team will have dozens of library functions, all very similar, and most with known security bugs. :-)

    17. Re:Slashdot ate my post! by jeremyp · · Score: 1

      while (*dest++ = *src++);

      Pascal, like most languages has proper string handling, so you'd write: dest := src

      The putting the constant first thing is pretty lame. What if both sides of the comparison are lvalues? In any case, modern C compilers detect the problem and report a warning so you no longer need to care.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    18. Re:Slashdot ate my post! by mfnickster · · Score: 1

      In addition, calling strncpy() to copy into a buffer of n bytes takes O (n). 5 bytes into a megabyte buffer sets a million bytes to 0.

      That's incorrect.

      Check the man page.

      "If the length of src is less than n, strncpy() writes additional null bytes to dest to ensure that a total of n bytes are written."

      --
      "Slow down, Cowboy! It has been 3 years, 7 months and 26 days since you last successfully posted a comment."
    19. Re:Slashdot ate my post! by serviscope_minor · · Score: 1

      Check the man page.

      I did.

      But apparently I didn't read far enough!

      Looks like I was wrong.

      --
      SJW n. One who posts facts.
  17. Re:Sigh by religionofpeas · · Score: 3, Insightful

    I've been writing C programs for 3 decades, and I have made plenty of mistakes along the way. Occasionally because of using the wrong pointer, but most of them were simply because I got the algorithm wrong. None of these "safe" languages would have prevented the 2nd kind of error.

  18. Switch back to standard C and lose runtime checks by perpenso · · Score: 1

    Well, this isn't quite the same comment, but if the language is compatible with C, or some subset of C, couldn't you compile the "safe version", run your tests, and then, when you were satisfied, compile with standard C? Surely the answers ought to be guaranteed to be the same if there's no error.

    Only for real world inputs that match your test inputs. If you compile with standard C you lose the run time checks, array bounds for example. If these check only have a 1% penalty then for many apps that might be quite acceptable.

  19. Re:Sigh by theweatherelectric · · Score: 1

    No one's arguing a language solves your algorithm problems. But why have security problems in addition to your algorithm problems? As discussed in the presentation, the flaws in these applications were all the "usual suspects". When you keep seeing the same problems again and again it's time to use better tools, including better languages.

  20. Bugs are not just code, some are in design by perpenso · · Score: 2

    Bugs are not always coding errors, bugs may also be in the design and correct code of any language can manifest such design bugs

    1. Re:Bugs are not just code, some are in design by theweatherelectric · · Score: 1

      Of course not, but why have coding problems in addition to design problems? If you want to get your project done you always want fewer problems, not more problems.

    2. Re:Bugs are not just code, some are in design by perpenso · · Score: 1

      The point of my post is that JSF software problems are not necessarily evidence of language based coding difficulties.

      Regarding your question of adding coding problems into the mix, the answer is a common one. Tradeoffs. For performance reasons you may need to use C. There is no universal answer to what language to use, its a matter of best fit, and sometimes that best fit is C. I realize some might argue otherwise, but I've also noticed that many people merely argue for the language they are most familiar with.

  21. And here we go once again by CustomSolvers2 · · Score: 1

    C is fast, but old and "unsafe" (better: difficult-to-master or non-intuitive or attention-demanding). Many other languages are slower, but newer and "safer". Practically speaking, these are the two extreme points of the performance vs. safeness trade-off. You can choose what aspect is more important for you and choose a language accordingly, but you cannot have everything.

    Personally, I think that all these efforts to come up with the new safer version of C should focus on accepting the reality (do you want C-like fast? Use C) rather than aspiring to what doesn't seem possible. What about coming up with ways to ease the communication between C and the given programming language, such that anyone could eventually rely on pure C (or C++) when required? Or even coming up with a friendliness wrapper allowing to rely on whatever programming language to write C (e.g., you create the algorithm in language X and it generates the closer, "safer" version of C).

    --
    Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
  22. Convenient by DrYak · · Score: 1

    it's convenient for functions whose result you want to check before going further.

    e.g. with file operations:

    if (NULL == (in = fopen(filename, "r"))) {
    fprintf(stderr, "cannot open input %s\n", filename); exit(2);
    } /* process input from in */

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  23. Yes, it adds up... by gerald.edward.butler · · Score: 1

    to a whole ms ....

  24. Re:C is not the problem by Anonymous Coward · · Score: 2, Insightful

    > People are so obsessed with wrangling the last ounce of performance out of application programs

    You made coffee come out my nose!

    Have you actually *used* a major application lately? I'd say performance is far down the list.

  25. I actually didn't write glibc, only read it by raymorris · · Score: 1

    > Then you (clearly a C fanboi) writes code like this:
    > while (*dest++ = *src++);

    I actually didn't write the C library. I've written several Perl libraries; you'll find my code in Apache and Solaris, but Roland McGrath wrote glibc.

  26. Priorities are different for Excel macros vs an OS by raymorris · · Score: 1

    > Yes, which is why it's important for the language to mitigate that as much as possible.

    What's important very much depends on what software is being written. In a typical Excel macro, sure go ahead and check the domain of the value each time it is accessed. It'll be ten times as slow as not checking, but one shouldn't expect the project manager to manually check domains in his VBA. It's good and right for VBA to "mitigate it as much as possible".

    In a graphics driver, speed is top priority. It would be a mistake to take ten times as long to execute to "mitigate as much as possible".

    Not everything is a shell script.

  27. Re:Priorities are different for Excel macros vs an by theweatherelectric · · Score: 1

    Not everything is a shell script.

    That's right. Some things, for example, are Pascal programs, which is a better option than C. You should take the time to learn some Pascal. You'll come around to the same opinion.

  28. Learned it 15 years ago by raymorris · · Score: 2

    I learned Pascal 15 years ago. It's an okay language.
    At the time, Pascal was competing with Visual Basic. VB won.

    The world could have chosen Pascal over VB, but they chose VB. In the 1970s, Pascal competed with C. The world chose C.

    Now the industry is going through a phase in which people aren't distinguishing between beginner languages that are designed to be easy vs professional, enterprise-grade tools. Legos are easy, and I good way to learn some basics. You shouldn't build your house out of Legos. The same is true when building information systems. The simplest tools may not be the best things to build your enterprise with.

    1. Re:Learned it 15 years ago by theweatherelectric · · Score: 1

      I learned Pascal 15 years ago.

      Dude, you didn't know how to copy one string to another in Pascal. You didn't learn it.

    2. Re:Learned it 15 years ago by raymorris · · Score: 1

      You seem to have been too busy to read before replying.
      Let's try again:

      --
      the *implementation* of the string copy library function in C, using some conveniences including assignment returning the value. How would you write this "copy each character" in Pascal
      --

      Are you familiar with the difference between IMPLEMENTING a function and CALLING it? You answered with how you would CALL the function.

      Are you familiar with the difference between a character and a string? Just too much in a hurry to read "character by character"? If this isn't clear to you, you can see an actual implementation of Pascal string copy embedded here:

      ftp://ftp.freepascal.org/pub/f...

    3. Re:Learned it 15 years ago by theweatherelectric · · Score: 1

      This is just getting sad now. I can appreciate you're desperate to defend C in an effort to make yourself feel better but you really should learn some other languages. Strings are intrinsic to Pascal. It's one of the reasons it's better than C.

  29. Re:Sigh by angel'o'sphere · · Score: 1

    ... simply because I got the algorithm wrong. None of these "safe" languages would have prevented the 2nd kind of error.
    You don't know that. If you have more brain left to do the algorithm, or do the algorithm first in Python or on paper, you perhaps had avoided the mistake.

    The problem basically is you can only shuffle 7 - 9 topics in your short term memory. That is basically your brains registers. If three of them are occupied by useless low level stuff, only the rest can be used for the algorithm.

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  30. Re:C is not the problem by slickwillie · · Score: 1

    About 30 years ago I once remarked to my boss that COBOL would have been a better choice than C for our application. He replied that was probably correct but he would then have to cut our pay in half.

  31. Re:Hmmm. by HiThere · · Score: 1

    If you ask specifically about compilers, I can only think of a couple of instances, and they didn't really end up in court. (In one case that was because Sun sued MS over J++ before the event.)

    If you ask more generally about code produced by MS, there have been lots of instances where the code could only legally be used linked with certain licenses...and it wasn't always clear which ones.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  32. Communicate in your application code by raymorris · · Score: 1

    The communication happens when you CALL strcpy. Inside of glibc, efficiency rules.

  33. When you grow up, you can read it by raymorris · · Score: 1

    Okay, I gave you the link, so when grow up you can read how Pascal is implementing string copy (in Pascal). "Intrinsic" in this respect just means it's included in the built-in library - it still has to be written, silly. The CPU. doesn't have a "copy a Pascal string" opcode, so someone has to write it. That would be guys like me.

    1. Re:When you grow up, you can read it by theweatherelectric · · Score: 1

      That would be guys like me.

      Good god, I hope not. Spend some time learning Pascal. Like I say, you'll come around.

  34. Re:Sigh by Raenex · · Score: 1

    I've been writing C programs for 3 decades, and I have made plenty of mistakes along the way. Occasionally because of using the wrong pointer, but most of them were simply because I got the algorithm wrong.

    Security bugs are typically exploited, and not found in ordinary usage. When you get the algorithm wrong is usually obvious right away.

  35. Implement the function, not call it by raymorris · · Score: 1

    We all know how to CALL a string copy function.
    The discussion is how you would IMPLEMENT a simple function.

    I put the implementation from Free Pascal in another post if you want to see it. It's about 15 lines.

  36. Except it is. Syntactic sugar by raymorris · · Score: 1

    The operator is syntactic sugar around a function call.
    You can see the actual function in the source zip above.

  37. Btw it's also a lot more than an assignment (copy) by raymorris · · Score: 1

    > an assignment operation is not a function call

    What looks like an assignment isn't. An assignment should mean both variables point to the same string.
    It's creating a new string, copying all the data from the source string to the destination, then finally assigning the new string to the destination variable.

    There's a string copy function which accepts the source string as an argument and returns a new string with the data copied from the source.

  38. Fair point. Not in the CPU by raymorris · · Score: 1

    That's a fair point, to the caller it appears analogous.

    To the CPU, they are vastly different. The CPU assigns integers, with a single instruction. Copying a Pascal string is most often hundreds of CPU instructions, there is a function that does that. The String type in Pascal is far more complex than the x bits that comprise an integer. Perhaps most importantly, the variable doesn't hold the value, it's a pointer to memory that is later allocated elsewhere. The function takes the Pascal String type and derefences it to the actual vue in memory, after performing various checks, THEN it asks the CPU to copy a little bit at a time. Contrasted with a pure I assignment, which translates directly to CPU instruction.