Exploits and Bugs like WannaCry, Heartbleed, and Zero-Day might seem unrelated and unrealistic at first glance, but all of them share one root cause and that is common in popular coding languages like C and C++.
A report from Motherboard stated that this issue belongs to a category of errors called “memory unsafety,” which exists in decade-old programming languages like C and C++.
what is Memory Unsafety?
Alex Gaynor a software developer from Washington D.C provides an example of a program where there is a list of 10 numbers.
Theoretically, when someone asks for the 11th element, the program is expected to show some sort of an error, or at least that’s what a “memory safe” programming language (like Python or Java) would do.
Also Read– Introduction to C++ Programming
But in the case of memory-unsafe languages like C and C++, the program looks up for the 11th element wherever it is supposed to be or if it existed and surely access its content. This is called a “buffer overflow” vulnerability that is exploited by bugs like HeartBleed.
And this isn’t the only one. There are various types of memory unsafety vulnerabilities with C and C++ such as:
- Type confusion: it mixes up the type of value that exists at a place in memory
- Use after free: it uses a piece of memory even after you are done with it
- Use of uninitialized memory: it uses a piece of memory even before you’ve stored anything on it.
The worst part is that these vulnerabilities are widespread in widely used software such as Firefox, Chrome, Windows, Android, and iOS.
Also Read- Difference Between C and C++
So why are we still using the C and C++?
It’s true that right now we have some new programming languages that are memory safe for example Python, Java, Rust, and Swift. But they are used in a relatively smaller number of projects and software.
Important software projects like OpenSSL, Linux, and the Apache web servers are decades old, and they have grown massively in size over time as well. So, simply rewriting them in a new language is an insanely difficult task to do.
Such huge projects need to be incrementally migrated, but again, it requires a lot of time, money and effort. It also means that radical changes will be required in software development teams across companies around the world — which is another obstacle.
But above all, a major reason is that no aspiring coder or programmer considers the security aspect of a language while choosing a programming language to learn. It isn’t taught by educational institutions either. So keep this in mind.
On the other hand, developers don’t want to deal with it as many of them believe that it’s not the language fault, rather it’s the other engineers who write buggy codes.
Stay tuned for more.
11 thoughts on “C/C++ has major security issues, here’s why you shouldn’t use it”
This is the same excuse I heard over and over again, coming from those who didn’t bother or simply can’t write clean code
C++ is not for developers, is for programmers.
OMG, you gotta be kidding… Try coding the UNIX kernel with Python or Java… Python needs an interprer and Java needs its VM environment. Any serious software application uses at least a few libraries written in C++ or C and there is a good reason for it – performance. Please stop with the bull****. You do need to do more or less manual memory management in C and C++, but this is not the end of the world.
so the fix for what you are saying = if(elementAsked > arraySize) return array; or simply throw exception in C++.
While I do understand the reason behind what you are saying, python, java, as well as other languages, are not as efficient as good old low level programming, basically giving direct access to the processor. Aside from assembler code, these languages are the second best option you have, when it comes down to performance, if you are building a system such as an OS or a micro controller, such as a crane controller or a board computer for a spacecraft.
As much as I love like java and python, I’m 100% sure than they can’t perform these tasks, without being re-made, since it would require instant response and complete control over the hardware, such as “real time access” to resources.
This just goes on to say that the author is BIASED without realizing the design aspects of C / C++. The core design principal of C / C++ is performance and also the fact that YOU have to take care of the memory management rather than some extraneous piece of code you have no control of.
So before making such prejudiced claims, you really need to get your fundamentals right regarding the design philosophy of a programming languages.
As rightly mentioned by Tyke, C / C++ languages are for PROGRAMMERS and not developers.
What are you talking about.. the article is absolute garbage.. the language isnt the problem, shit developers are the problem..
I understand your argument, we have all seen faulty and bad code.
But the way you ignore the fact that these issues are caused by programers and not by language design is just outrageous.
e.g.: type confusion only happens if you misuse std::static_cast or std::reinterpret_cast
So please either correct your “article” so it says that these are languages that are easy to misuse or delete it, either way you should remove “software developer” from your title if you think these are design problems with the languages.
If you want some help or talk about why we the industry uses C++ feel free to contact me.
A C++ dev.
With great power comes great responsibility ….
Next article: Binary has major security issues; 0s and 1s don’t correct human error.