Father of C++: Memory-safe languages ​​like Rust are no better than C++

Produced | OSC Open Source Community (ID: oschina2013)

After the US National Security Agency (NSA) recommended that organizations switch from C/C++ to memory-safe languages ​​such as C#, Rust, Go, Java, Ruby, or Swift. The father of C++, Bjarne Stroustrup, responded that, in his opinion, the “safe” programming languages ​​mentioned in the NSA report are not actually superior to C++ for important applications.

Bjarne pointed out that the NSA’s decision ignores more than three decades of progress in C/C++; and many use cases for C++ also stay in the distant past and ignore improvements, including methods that greatly improve security.

Now, if I thought that any of these “safe” languages ​​were superior to C++ in the range of uses I cared about, I wouldn’t think the fading out of C/C++ was a bad thing, but it’s not. Also, “safety”, as described, is limited to memory safety, ignoring the dozen or so other ways a language could (and will) be used to violate some form of safety and security.

Bjarne said that he has been working for decades to achieve a better, safer, and more efficient C++. In particular, the work on the C++ Core Guidelines aims to provide statically guaranteed type-safe and resource-safe C++ to those who need it. A good static analyzer that complies with the C++ Core Guidelines can provide the necessary guarantees for C++ code safety and is much simpler than upgrading to a newer safe programming language.

He criticized the NSA report for focusing only on memory-handling issues while ignoring many other programming language issues that affect the safety and reliability of the program. And it is recommended to use code annotations and compiler options to control the inclusion of rules to ensure that types and resources are handled safely. Given the potential damage to the project, he assured the C++ community that security issues are not ignored, but neither is security alone. So he plans to create a list of issues that can be considered security issues (including UB) and find ways to prevent them.

Furthermore, Bjarne added in a recent email communication with InfoWorld, “Too many people talk about the mythical C/C++ language, only to focus on the weaknesses of the C part. Many of these weaknesses are avoidable in C++, usually A programmer’s intent can be expressed more directly by writing more efficient code”.

In the email, Bjarne also shared his definition of security: the goal is type and resource safety, that is, each object is used according to its type, and there is no resource leakage. For C++, this means some runtime range checking, eliminating access through dangling pointers, and avoiding misuse of casts and unions. C++ provides high-level tools such as containers, spans, range-for loops, and variants that provide guarantees without compromising productivity or efficiency. Regarding the so-called safe languages ​​cited by the NSA, Bjarne said that all of these languages ​​are vulnerable to code that has not been statically verified. Additionally, every system must use hardware, and valid hardware access is rarely secure.

Bjarne also outlines his strategy for using C++ safely:

• Static analysis to verify that no unsafe code is executed.

• Coding rules that simplify code, making industrial-scale static analysis feasible.

• Libraries that make such simplified code fairly easy to write and ensure runtime checks when needed.

There are millions of C++ programmers and billions of lines of C++ code, and major current uses of the language include aerospace, medical instrumentation, artificial intelligence/machine learning, biomedicine, high-energy physics, and more.

The text and pictures in this article are from the OSC open source community