

Ethical Hacking News

Bjarne Stroustrup Sounds the Alarm: C++'s Memory Safety Vulnerabilities Threaten Global Security



C++, the programming language that has been a cornerstone of the tech industry for decades, is facing an unprecedented threat. Bjarne Stroustrup's call for action to address C++'s memory safety shortcomings highlights the urgent need for the community to come together and defend their beloved language. As cybersecurity experts and government agencies emphasize the importance of adopting safer alternatives, C++'s future hangs in the balance.

  • Bjarne Stroustrup is calling for action to address C++'s memory safety shortcomings.
  • The issue revolves around manual memory management, which can lead to memory safety errors.
  • Industry experts discourage the use of C and C++ due to their reliance on manual memory management.
  • Proposals like TrapC and Safe C++ aim to address these concerns.
  • The C/C++ community advocates for a gradual approach to migrating from C to current C++ with stronger safety features.
  • David Chisnall argues that language-level solutions are more effective than rewriting code in Rust or other memory-safe languages.



    The world of computer programming is on high alert as Bjarne Stroustrup, the creator of C++, has issued a call to action to defend his beloved programming language from "serious attacks" over its memory safety shortcomings. In a recent note to the C++ Standards Committee (WG21), Stroustrup emphasized the need for urgent action to address these vulnerabilities, citing unprecedented and serious attacks on C++.

    Stroustrup, a professor of computer science at Columbia University, has been a vocal advocate for improving C++'s memory safety features. In his February 7 note, he highlighted the importance of type safety and resource safety, including memory safety, as key aims of the C++ programming language since its inception. He emphasized that the current state of C++ is not acceptable and urged the community to take immediate action.

    The issue at hand revolves around C and C++'s reliance on manual memory management, which can lead to memory safety errors such as out-of-bounds reads and writes. These types of bugs represent the majority of vulnerabilities in large codebases, making them a significant threat to global security.

    In response to Stroustrup's call for action, various proposals have been put forth to address these concerns, including TrapC, FilC, Mini-C, and Safe C++. However, despite these efforts, industry and government cybersecurity experts have continued to discourage the use of C and C++ in favor of languages with better memory safety features, such as Rust, Go, C#, Java, Swift, Python, and JavaScript.

    The C/C++ community has responded by advocating for a more comprehensive approach to address these concerns. Some argue that rewriting billions of lines of code all at once is not feasible and would introduce more bugs than it would fix. Instead, they propose incremental migration from C to current C++ to C++ with stronger safety features. This approach emphasizes the importance of gradual progress rather than sudden changes.
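
The incremental path described above, shown on a small parser as an added example (it is not from Stroustrup's note or from the original article). The one-byte length-prefixed record format and all function names are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed wire format for this example: [1-byte length][payload bytes].

// Stage 1, C style: trusts the length byte. If it exceeds the bytes actually
// present, memcpy reads past the end of buf (and may overrun out as well).
// Shown for comparison only; nothing in this example calls it.
std::size_t read_field_c(const unsigned char *buf, char *out) {
    std::size_t n = buf[0];
    std::memcpy(out, buf + 1, n);  // no check against the real buffer size
    return n;
}

// Stage 2, current C++: the container knows its size and at() checks every
// index, so a lying length byte raises std::out_of_range instead of reading on.
std::string read_field_checked(const std::vector<std::uint8_t> &buf) {
    const std::size_t n = buf.at(0);
    std::string out;
    for (std::size_t i = 0; i < n; ++i)
        out.push_back(static_cast<char>(buf.at(1 + i)));
    return out;
}

// Stage 3: validate the declared length once, up front, and report failure
// through the return value so callers cannot skip the check by accident.
bool read_field_validated(const std::vector<std::uint8_t> &buf, std::string &out) {
    if (buf.empty()) return false;
    const std::size_t n = buf[0];
    if (n > buf.size() - 1) return false;  // declared length exceeds data
    out.assign(buf.begin() + 1, buf.begin() + 1 + static_cast<std::ptrdiff_t>(n));
    return true;
}

// True when the bounds-checked reader rejects the input.
bool checked_rejects(const std::vector<std::uint8_t> &buf) {
    try { read_field_checked(buf); } catch (const std::out_of_range &) { return true; }
    return false;
}

int main() {
    const std::vector<std::uint8_t> bad = {200, 'a', 'b'};  // constructed: length lies
    std::string out;
    return (checked_rejects(bad) && !read_field_validated(bad, out)) ? 0 : 1;
}
```

The Stage 1 function compiles without complaint, which is the point: the defect only surfaces at run time on hostile input, while Stages 2 and 3 turn the same input into a defined, testable failure.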

    David Chisnall, a visiting researcher at the University of Cambridge and director of systems architecture for SCI Semiconductor, voiced skepticism about language-level solutions to memory safety in response to Stroustrup's SG23 call to arms. He argued that making C and C++ safer is a better approach than rewriting code in Rust or other memory-safe languages.

    Chisnall pointed out that widely used programming languages, such as Lua, have ownership models that do not respect Rust's unique ownership model, highlighting the need for tools to ensure safe interoperation between languages. He also emphasized that rewriting code all at once is a problem and would introduce more bugs than it would fix.

    Stroustrup acknowledged Chisnall's concerns but stressed the urgency of addressing C++'s memory safety issues. He cited the Product Security Bad Practices report from the US government's Cybersecurity and Infrastructure Security Agency (CISA), issued last October, which emphasizes the importance of adopting a memory-safe programming language or having a memory-safety roadmap for products using memory-unsafe languages.

    In light of this report, Stroustrup regarded CISA's guidelines as a credible threat. He urged the C++ community to take immediate action and emphasized the need for a public narrative that can compete with the tech industry's adoration of Rust.

    The situation highlights the ongoing debate between incremental progress and rewriting code all at once. While some argue that gradual changes are necessary, others emphasize the importance of addressing these concerns directly. As Stroustrup aptly put it, "This is not just slow progress; this is a matter of competing narratives in the tech industry."

    Ultimately, the fate of C++'s memory safety lies with its community. Will they rise to the challenge and defend their beloved language, or will they succumb to the pressure from cybersecurity experts and adopt safer alternatives? Only time will tell.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Bjarne-Stroustrup-Sounds-the-Alarm-Cs-Memory-Safety-Vulnerabilities-Threaten-Global-Security-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2025/03/02/c_creator_calls_for_action/


  • Published: Sun Mar 2 15:47:18 2025 by llama3.2 3B Q4_K_M












