News: 1726517287

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

The empire of C++ strikes back with Safe C++ blueprint

(2024/09/16)


After two years of being beaten with the memory-safety stick, the C++ community has published a proposal to help developers write less vulnerable code.

The [1]Safe C++ Extensions proposal aims to address the vulnerable programming language's Achilles' heel, the challenge of ensuring that code is free of memory safety bugs.

"This is a revolutionary proposal that adds memory safety features to the C++ programming language," Vinnie Falco, president and executive director of the C++ Alliance, [2]said Thursday. "This collaboration marks a significant milestone in the C++ ecosystem, as the need for safe code has never been more pressing."

[3]

It has never been more pressing because for the past two years, private and public sector organizations have been pushing programmers to write new applications and rewrite old ones in memory safe languages such as C#, Go, Java, Python, and Swift, but particularly Rust because it's a performant low-level systems language.

[4]

[5]

Software engineer Alex Gaynor [6]raised the issue back in 2019, noting that the majority of serious vulnerabilities in large codebases come from memory safety flaws such as buffer overflows and use-after-free. "The data bears out, over and over again, that when projects use memory unsafe languages like C and C++ they are burdened by an avalanche of resulting security vulnerabilities," he wrote.

Memory safety subsequently became a common subject of discussion in academic papers and at technical conferences. By September 2022, Microsoft Azure CTO Mark Russinovich called [7]for deprecating C and C++ and adopting Rust.

[8]

A few months later, the NSA [9]took a similar position. By 2023, memory safety had become [10]a mainstream topic , covered by Consumer Reports.

Those involved with C++ became defensive. Two years ago, in response to Russinovich's call to dump C/C++, C++ creator Bjarne Stroustrup told The Register , "We can now achieve guaranteed perfect type and memory safety in ISO C++."

Yet that claim was met with some skepticism. Josh Aas, co-founder and executive director of the Internet Security Research Group (ISRG), which oversees a memory safety initiative called Prossimo, last year [11]told The Register that while it's theoretically possible to write memory-safe C++, that's not happening in real-world scenarios because C++ was not designed from the ground up for memory safety.

[12]

The Safe C++ Extensions proposal aims to address that criticism and to respond to public sector demand for memory safety from the NSA and the other [13]Five Eyes intelligence agencies , the US Cybersecurity and Infrastructure Agency (CISA), [14]the White House , and the [15]DARPA .

[16]The future of software? Imagine a bot, stamping on a human face – forever

[17]Google says replacing C/C++ in firmware with Rust is easy

[18]Security boom is over, with over a third of CISOs reporting flat or falling budgets

[19]LLM-driven C-to-Rust. Not just a good idea, a genie eager to escape

In August, Gaynor revisited the topic of memory safety by noting that while it makes sense to try to make C++ safer, he has doubts about the extent to which that's possible.

"It is clear, I think, that there are substantial safety improvements possible for C++," he [20]wrote . "In particular, entirely solving spatial safety appears to be within reach. Alas, I think it is equally clear that making C++ as safe as Swift or Go or Rust is not something we know how to do, nor does it appear likely that we’ll be able to find a simple solution."

Nonetheless, the Safe C++ Extensions proposal aims to have a go. Acknowledging the now deafening chorus of calls to adopt memory safe programming languages, developers Sean Baxter, creator of the [21]Circle compiler , and Christian Mazakas, from the C++ Alliance, argue that while Rust is only popular systems level programming language without garbage collection that provides rigorous memory safety, migrating C++ code to Rust poses problems.

"Rust lacks function overloading, templates, inheritance and exceptions," they explain in the proposal. "C++ lacks traits, relocation and borrow checking. These discrepancies are responsible for an impedance mismatch when interfacing the two languages. Most code generators for inter-language bindings aren’t able to represent features of one language in terms of the features of another."

Though DARPA is trying to develop better automated C++ to Rust conversion tools, Baxter and Mazakas argue telling veteran C++ developers to learn Rust isn't an answer – a point that a C-focused Linux kernel maintainer [22]made recently .

"The foreignness of Rust for career C++ developers combined with the friction of interop tools makes hardening C++ applications by rewriting critical sections in Rust difficult," they contend. "Why is there no in-language solution to memory safety? Why not a Safe C++?"

The foreignness of Rust ... makes hardening C++ applications by rewriting critical sections in Rust difficult

Baxter told The Register that while generating provably correct programs has been a matter of interest among computer scientists for decades, the issue has been elevated to a national priority.

"Recent government warnings about memory safety have made this a focus for the whole tech industry," said Baxter. "I studied the theory and saw an opportunity, using new tooling, to help C++ engineers write more correct programs and eliminate the class of software defects most implicated in security vulnerabilities."

The Safe C++ project adds new technology for ensuring memory safety, Baxter explained, and isn't just a reiteration of best practices. "Safe C++ prevents users from writing unsound code," he said. "This includes compile-time intelligence like borrow checking to prevent use-after-free bugs and initialization analysis for type safety."

Baxter said that rewriting a project in a different programming language is costly, so the aim here is to make memory safety more accessible by providing the same soundness guarantees as Rust at a lower cost. "With Safe C++, existing code continues to work as always," he explained. "Stakeholders have more control for incrementally opting in to safety."

The next step, Baxter said, involves greater participation from industry to help realize the Safe C++ project.

"The foundations are in: We have fantastic borrow checking and initialization analysis which underpin the soundness guarantees," he said. "The next step is to comprehensively visit all of C++'s features and specify memory-safe versions of them. It's a big effort, but given the importance of reducing C++ security vulnerabilities, it's an effort worth making." ®

Get our [23]Tech Resources



[1] https://safecpp.org/P3390R0.html

[2] https://cppalliance.org/vinnie/2024/09/12/Safe-Cpp-Partnership.html

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/applications&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zuiqg7ohtnBbGrLsxKYTVAAAAlU&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/applications&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zuiqg7ohtnBbGrLsxKYTVAAAAlU&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/applications&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zuiqg7ohtnBbGrLsxKYTVAAAAlU&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[6] https://alexgaynor.net/2019/aug/12/introduction-to-memory-unsafety-for-vps-of-engineering/

[7] https://www.theregister.com/2022/09/20/rust_microsoft_c/

[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/applications&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zuiqg7ohtnBbGrLsxKYTVAAAAlU&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[9] https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3215760/nsa-releases-guidance-on-how-to-protect-against-software-memory-safety-issues/

[10] https://www.theregister.com/2023/01/26/memory_safety_mainstream/

[11] https://www.theregister.com/2023/01/26/memory_safety_mainstream/

[12] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/applications&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zuiqg7ohtnBbGrLsxKYTVAAAAlU&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[13] https://www.theregister.com/2023/12/07/memory_correction_five_eyes/

[14] https://www.whitehouse.gov/oncd/briefing-room/2024/02/26/press-release-technical-report/

[15] https://www.theregister.com/2024/08/03/darpa_c_to_rust/

[16] https://www.theregister.com/2024/09/16/the_future_of_software_part_one/

[17] https://www.theregister.com/2024/09/06/google_rust_c_code_language/

[18] https://www.theregister.com/2024/09/05/security_spending_boom_slowing/

[19] https://www.theregister.com/2024/08/12/opinion_column/

[20] https://alexgaynor.net/2024/aug/18/safer-c-plus-plus/

[21] https://github.com/seanbaxter/circle

[22] https://www.theregister.com/2024/09/02/rust_for_linux_maintainer_steps_down/

[23] https://whitepapers.theregister.com/



karlkarl

I look forward to what they come up with. I dislike bindings and and excess dependencies, so Rust is not an option for me personally.

Currently my compromise has always been a "safe" STL alternative that offers runtime safety checking (and overhead) in the debug builds. If I can get access to this stuff at compile time, I am very interested.

matjaggard

I don't quite get the connection between Rust and "bindings and excess dependencies" surely all languages need bindings - do you mean cross-language bindings because you use some other language elsewhere? Similarly, why would Rust mean excess dependencies - I think Crates that compile in and libraries that you link to are also equivalent to things you'd use in C and others?

Paul Crawford

Sounds sensible if you can massively reduce the cost of a re-write.

Even if a "safe" C++ only stops 80% of memory bugs, if they are, say, up to 70% of all key CVE issues (others being logic flaws or hard-coded passwords, etc) then your percentage of memory bugs is down to 31% and your efforts are better spent dealing with other issues of dumbness or lack of testing/fuzzing/etc.

Rust purist might not like it, but those with millions of lines of C/C++ have a better chance of stamping out bugs with a lot less code translation effort.

matjaggard

I'm not sure I'd agree with "a lot" because the hardest thing for me as a C-style language developer to learn was the borrowing of data and variables in Rust. I think you'll basically have to rewrite all the C++ code anyway to make it provably safe.

I'm happy if we have a new Safe C++ language to compete with Rust to keep them going in the right direction, but it's not going to be an order of magnitude easier to learn for a traditional C++ developer.

I've finally found the perfect girl,
I couldn't ask for more,
She's deaf and dumb and over-sexed,
And owns a liquor store.