News: 1731088872

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

The US government wants developers to stop using C and C++

(2024/11/08)


Opinion I must be a glutton for punishment. Not only was my first programming language IBM 360 Assembler, my second language was C. Programming anything in them wasn't easy. Programming safely in either is much harder.

So when the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigations (FBI announced they were doubling down on their efforts to persuade software manufacturers to abandon "memory-unsafe" programming languages such as C and C++, it came as no surprise.

Is it time to retire C and C++ for Rust in new programs? [1]READ MORE

The report on [2]Product Security Bad Practices warns software manufacturers about developing "new product lines for use in service of critical infrastructure or [national critical functions] NCFs in a memory-unsafe language (eg, C or C++) where there are readily available alternative memory-safe languages that could be used is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety."

In short, don't use C or C++. Yeah, that's going to happen.

If this sounds familiar, it's because CISA has been preaching on this point for years. Earlier in 2024, CISA, along with partner agencies including the FBI, Australian Signals Directorate's Australian Cyber Security Centre, and the Canadian Centre for Cyber Security, aka the Five Eyes, published a report, [3]Exploring Memory Safety in Critical Open Source Projects , which analyzed 172 critical open source projects. The findings revealed that over half of these projects contain code written in memory-unsafe languages, accounting for 55 percent of the total lines of code across the examined projects.

[4]

Specifically, "Memory-unsafe languages require developers to properly manage memory use and allocation. Mistakes, which inevitably occur, can result in memory-safety vulnerabilities such as buffer overflows and use after free. Successful exploitation of these types of vulnerabilities can allow adversaries to take control of software, systems, and data."

[5]

[6]

Tell us something we didn't know.

CISA continued that memory safety vulnerabilities account for 70 percent of security vulnerabilities. To address this concern, CISA recommends that developers transition to memory-safe programming languages such as Rust, Java, C#, Go, Python, and Swift. These languages incorporate built-in protections against common memory-related errors, making them more secure from the code up.

[7]

Sounds good, doesn't it?

If only it were that easy to snap your fingers and magically transform your code base from C to Rust. Spoiler alert: It's not.

Take [8]Rust in Linux , for example. Even with support from Linux's creator, Linus Torvalds, Rust is moving into Linux at a snail's pace.

[9]

The problem is, as Torvalds said at Open Source Summit Europe 2024, "The whole [10]Rust versus C discussion has taken almost religious overtones" with harsh arguments that have led to one [11]Rust in Linux maintainer throwing up his hands in disgust and walking away . You see, people who've spent years and sometimes decades mastering C don't want to master the very different Rust. They don't see the point. After all, they can write memory-safe code in C, so why can't you?

Keep calm and learn Rust: We'll be seeing a lot more of the language in Linux very soon [12]READ MORE

Well, because they don't have those years of experience, for one thing.

It's more than just old, grumpy developers. Converting existing large codebases to memory-safe languages can be an enormous undertaking. It's time-consuming, resource-intensive, requires careful planning to maintain functionality, and, frankly, it's a pain in the rump.

Another problem is that memory-safe languages may introduce performance slowdowns compared to C and C++. There's a reason we're still using these decades-old, difficult languages; with them, developers can produce the fastest programs. Given a choice between speed and security, programmers and the companies that employ them go for the fastest code every time.

Besides the sheer migration cost, companies also face the expense of replacing existing development tools, debuggers, and testing frameworks to support the new languages. Then, of course, they're integrating the new programs with the old code and libraries.

The CISA is insisting that this be done. Or, at the least, companies must come up with roadmaps for moving their existing codebases by January 1st, 2026. The CISA argues that the long-term benefits in terms of reduced vulnerabilities and improved security outweigh the initial investment.

[13]The open secret of open washing – why companies pretend to be open source

[14]Intel's processor failures: A cautionary tale of business vs engineering

[15]The graying open source community needs fresh blood

[16]Windows: Insecure by design

I know businesses. They're not going to buy this argument. In the modern corporate world, it's all about maximizing the profits for the next quarter. Spending money today to save money in 2027? It's not going to happen.

Eventually, painfully, slowly, we'll move to memory-safe languages. It really is a good idea. Personally, though, I don't expect it to happen this decade. In the 2030s? Yes, 2020s? No.

Neither businesses nor programmers have sufficient reason to make the jump. Sorry, CISA, that's just the way it is. ®

Get our [17]Tech Resources



[1] https://www.theregister.com/2022/09/28/is_it_time_to_retire_c/

[2] https://www.cisa.gov/resources-tools/resources/product-security-bad-practices

[3] https://www.theregister.com/2024/06/28/cisa_open_source/

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zy6YGiqfLBQIO550D_8LjAAAAQo&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zy6YGiqfLBQIO550D_8LjAAAAQo&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zy6YGiqfLBQIO550D_8LjAAAAQo&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zy6YGiqfLBQIO550D_8LjAAAAQo&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[8] https://www.theregister.com/2022/12/09/linux_kernel_61_column/

[9] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zy6YGiqfLBQIO550D_8LjAAAAQo&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[10] https://www.theregister.com/2024/09/19/torvalds_talks_rust_in_linux/

[11] https://www.theregister.com/2024/09/02/rust_for_linux_maintainer_steps_down/

[12] https://www.theregister.com/2021/11/10/where_rust_fits_into_linux/

[13] https://www.theregister.com/2024/10/25/opinion_open_washing/

[14] https://www.theregister.com/2024/08/09/opinion_column_intel/

[15] https://www.theregister.com/2024/07/15/opinion_open_source_attract_devs/

[16] https://www.theregister.com/2024/06/28/windows_insecure_by_design/

[17] https://whitepapers.theregister.com/



It's not the language, it's just the way it's "talking"

Version 1.0

Years ago after talking with the US Cybersecurity and Infrastructure Security Agency after our applications were being used by a few military medical labs we removed all access to Microsoft DLL and Windows features, returning to the original environment of just writing internal code irrelevant to any operating system "features" - they were happy and approved everything and ever since then I've had nothing hacked.

Basically I don't see the language as the problem, it's normally just the way the code is written to access any external environment "features" (aka problems too often).

Re: It's not the language, it's just the way it's "talking"

Claptrap314

The problem with making things idiot proof is that we keep getting better idiots.

The fact that rust has this "unsafe" directive (or what ever it is called) means that the language designers absolutely know that the language cannot do what people want to do with in in a memory-safe manner. The claim that reasoning about unsafe behavior can be limited to these blocks is farcical. If you want to argue otherwise, pass your mathematics prelims & get back to me.

There are plenty of reasons to avoid C++. And, for many applications C. But using memory safety as the reason to switch to a language which proponents claim is safe when it is plainly not? Pull the other one.

No, of course I've no idea if this remotely resembles the actual syntax used...

Michael Strorm

#BEGIN UNSAFE BLOCK

.

.

(your entire Rusty program here)

.

.

#END UNSAFE BLOCK

Problem solved, and CISA are happy you've used their approved language!

Re: No, of course I've no idea if this remotely resembles the actual syntax used...

Ian Mason

It might just be a bit easier to:

#pragma pretend-to-be-rust=on

int main ()

....

return 0;

#pragma pretend-to-be-rust=off

Re: No, of course I've no idea if this remotely resembles the actual syntax used...

ChoHag

ON ERROR RESUME NEXT;

Re: No, of course I've no idea if this remotely resembles the actual syntax used...

Anonymous Coward

I remember when the US DoD was ADA ON EVERYTHING

There was a missile guidance system that was "written in Ada" that just called a C routine that never returned.

"It's compliant!"

What is old is new again

Someone Else

I agree, AC. I was part of the military-software complex during the time that the DoD "insisted" that all new projects were to be done in Ada. (Never mind that Ada was, much like Rust is now, a language under development, and oh, what a mess Ada 3.0 became...but I digress.) Contractors would dutifully come back with bids that were some 3-5 times higher (and 2 to 3 times longer) than the original ones, and the DoD suddenly came up with a "waiver program" that would allow said contractors to develop the code as they originally would have.

Expect to see this lather, rinse, repeat cycle replayed in all its capitalist glory under CISA's latest fiat.

Just who do they think they are...tRump?

Re: CISA may well be for the chop

Anonymous Coward

Under Trump V2.0

JUst make all your apps supplied to the US Gov do two things.

1) Play the Jan 6th anthem on startup

2) Start every message with 'Trump is God'

And you will be safe... for the time being, as long as you are a White Male, born in the lower 48.

Is this a bandwagon I see before me?

Will Godfrey

... and do those wheels look just a wee bit wobbly?

Re: Is this a bandwagon I see before me?

MatthewSt

No... Just Rusty

Re: Is this a bandwagon I see before me?

Michael Strorm

We need a "Ba Dum Tsssscchh" icon.

Which language do you think is used to implement all those memory-safe languages?

mtrantalainen

All the listed memory-safe language examples are itself implemented in C or C++. This is because historically C and C++ have been the only languages that had good enough performance to implement the runtime engine. Nowadays we have Rust and Zig and it's still too early to say if Zig is safe enough in practice. Rust is safe enough but it's harder language to use than C and C++. I personally feel that Rust was much easier language to understand than Haskell so it's definitely not impossible language to learn. And even vanilla Rust cannot handle out-of-memory situation gracefully – the default implementation simply kills the whole program. Sure, it avoids having remove code execution but still allows for DoS problems.

Re: Which language do you think is used to implement all those memory-safe languages?

mevets

Go is written in Go.

The early ones were bootstrapped in C; just like C was boot strapped in machine code.

Re: Which language do you think is used to implement all those memory-safe languages?

Ian Mason

C was bootstrapped using its predecessor B, which itself was bootstraped via TMG (TransMoGrifiers - a compiler generator). C was not bootstrapped in machine code, or even assembler.

Re: Which language do you think is used to implement all those memory-safe languages?

Dinanziame

I personally feel that Rust was much easier language to understand than Haskell

Wow low bar

Stop with the useless A better than B crap

b0llchit

The programming language you use is the right one for the task at hand. That can be any language, be it, to name a few, C, C++, Rust, Java, Python, C# or Assembly. You need to know which tool to use for the project or task. Finding that out is part of being a programmer.

You need a real programmer, regardless of the language used. You need to learn any language and need to create to become experienced. All programmers need supervision and all programmers need to supervise. That is how you learn and improve to the expertise level of the language at hand.

Re: Stop with the useless A better than B crap

SammyB

If I had them, I would give you 10 thumbs up, as it is you get 2.

Re: Stop with the useless A better than B crap

Someone Else

That can be any language, be it, to name a few, C, C++, Rust, Java, Python, C# or Assembly.

But specifically excludes APL.

And probably that thing called "sappeur", which likely is even less mature than Rust, and except for one particular commentard, has never been heard of, much less used, in any commercial project, ever, anywhere.

Why?

Chris Gray 1

Can someone give me a summary of just what about Rust is causing the translation problems? Likely there are multiple reasons. I don't think I've seen a summary of what the issues are. Yes, Rust has a different syntax. But seriously, that can be overcome. Is it the semantics of borrowing?

I've written stuff in several different assemblers (thousands of lines in IBM-370), C, Lisp, Basic, Forth, AlgolW, Pascal, Fortran, a bunch of my own languages, and likely some I've forgotten. Many of those don't have pointer-like things so you can't do stuff you'd want. Is that the main issue? Is it how borrowing works?

(I've written a memory safe compiler with restricted pointers, structs, safe unions, allocated records, arrays, etc. etc. If I can get it to full maturity, would something like that work? See http://www.graysage.com/Zed/New . I'm close to finished doing all the hacks in Elf .o files to match gcc/ld's desires.)

Re: Why?

Paul Crawford

Can someone give me a summary of just what about Rust is causing the translation problems?

Effort. Which in turn requires time and resources to train staff and to translate/replicate existing code and potentially maintain duplicate, etc. And that has a significant cost attached to it that is often not granted as generally customers demand fast & cheap.

I'm not saying memory-safe is a bad goal, it is clearly very good, but sometimes it is going to be easier to slap an AppArmour profile around some existing code than to re-write in a safer language and then have to debug the new bugs, etc.

Re: Why?

Gene Cash

Another problem is learning Rust in today's Rust community.

You ask noob questions because you're a noob, and you get told you're an idiot, instead of being pointed to a FAQ, documentation, or given helpful advice.

Or you ask "is this the right way to do it?" and the same thing happens.

I heard about Rust, went to the forums and saw that, and that's as far as it went.

Re: Why?

thames

The issue is that to convert a C program to a "proper" Rust program you have to approach a lot of things in a different way. Rust is not simply C with different key words.

If you want an analogy, then if you've done much Python programming you have probably seen Python programs that were either directly translated from C or Java, or written by people familiar with C or Java and are just writing their Python program the same way they write a C or Java program. This is a well known phenomenon in Python and is immediately recognizable by people with experience with the language. The end result is something very verbose and slow because the Python language is being used in ways it was never meant to be in order to make it work like a different language.

With C and Rust, there have been multiple machine translation projects, including AI based, but the results have been very disappointing. You simply end up with a C program that is written in Rust rather than a "proper" Rust program, and you probably haven't made much if any use of the memory safety features which you were converting to Rust for. So why bother?

The answer would seem to come down to either completely replacing all existing C and C++ programs with ones written in other language (like that's ever going to happen), or else address the problem in a different way, one that nobody has really come up with yet.

Re: Why?

Chris Gray 1

Thank you.

There have been attempts in the past to make a "safe C", but I haven't been tracking them. My guess is that they don't have answers for some of the "creative" things that C programmers know how to do, and will continue to do until stopped. :/)

In many ways, my Zed language is a followon to C. Most of the things you can do in C, a privileged Zed programmer can do. But you can also do safe things with slightly different techniques. For example my '@' values are much like C++ refs, but are explicit, not implicit, so programmers are less likely to mess things up (although many will complain about the extra character).

Similarly, I use the 'nonNil' concept to let many runtime checks for NULL be omitted. (Note: there was a previous language that used the word "nonNil" for something quite different.) This also clarifies the requirements on parameters, etc.

As for bounds checking, I've got some simple "constraints" that the semantic code can identify and thus inform code generators that some runtime bounds checks are not needed. Part of doing that is that the iterator variable of a 'for' loop is 'con', i.e. not writeable. If your C "for" loop is actually a "while" loop, then just rewrite it as a 'while' loop.

Also, Zed 'enum' values are guaranteed to be in-range, so their use in 'case' constructs, as array indexes, etc. does not require extra checking (checking is done when arithmetic is done on them). Zed has 'oneof' types that are like C "enum" types.

Switching to using this stuff, and more, does take effort - I've done some of it when I translated my initial C parser to Zed, but if management demands it, its not going to kill you, so long as time is budgeted. You can even do a bunch of prep work in C (like the "for' loop stuff), checking that your program keeps working. For 'nonNil', you could add asserts at the start of functions where you want one or more parameters to always be non-NULL.

Re: Why?

Michael Strorm

> So why bother?

Because someone required you to write it in Rust, and doing so lets you tick that box?

Re: Why?

Richard 12

Rust is both incomplete and unstable.

There exactly one implementation, and there is no standard, or even specification - so there cannot be another implementation.

That doesn't mean it's bad. It means it is not ready .

There are some design decisions that mean it cannot replace C or C++.

1) It cannot replace C because it only supports static linking. All external interfaces are C .

2) Rust cannot ever replace C++, and trying is horrifically unsafe, because it has no inheritance. Anyone claiming you can do that does not understand either language - this was never a goal.

Given another decade, Rust may fix the stability and dynamic linking issues.

Given another decade, C++ will be provably safer than Rust.

Anonymous Coward

Well, until the RedoxOS project is mature enough to be viable as an OS, the US government is going to be stuck with C just like the rest of the industry.

Is the US government even helping to fund RedoxOS? Or are they just too busy writing statements telling other people to use an immature language platform.

Re: Stop with the useless A better than B crap

alain williams

All programmers need supervision and all programmers need to supervise.

Supervisors or rather managers are part of the problem that is all too often forgotten. Many were never programmers and so do not understand what makes a good environment to program; or of they do their own managers will not let them do the right thing.

A large part of the problem is budgets and timescales. Managers want programs produced in as short a time as possible and as cheaply as possible. The result is that proper design and documentation is not done, testing is skimped.

Some of that is understandable in a competitive environment: if Microsoft had ensured that its products were properly tested someone else would have beaten them to market and they would not be where they are today.

Re: Stop with the useless A better than B crap

Paul Crawford

if Microsoft had ensured that its products were properly tested someone else would have beaten them to market and they would not be where they are today.

Oh if only!

Re: Stop with the useless A better than B crap

Anonymous Coward

@Alain_Williams

Quote: "....Managers want programs produced in as short a time as possible and as cheaply as possible....."

Ah yes:

(1) Keep the PRODUCER COST as low as possible.....

(2) ...and export the problems (and the COST of those problems)...to the customer!!

Fantastic plan!! Keep up the good work!!

Re: Stop with the useless A better than B crap

Ian Mason

As any engineer will tell any manager "Products can be had good, cheaply, safe, or soon. Now pick which two out of those four that you want because it is not possible to have all four."

Re: Stop with the useless A better than B crap

b0llchit

You missed the point. Supervising programmers is not about managing them.

A supervising programmer is looking at the code. Just like programmers must accept that other programmers supervise them. It is also called peer review , except that there is an implicit educational purpose to the setup. A novice is not a real "peer", but will become one in due time when you all accept the learning curve.

'Memory safe'

rgjnk

Shame about the horrible horrible things some of these languages do to achieve their 'safety' or easy of use. Plus the inevitable bloat.

I use all sorts for all kinds of things but don't try to tell me some of these options are inherently better because they made a different compromise on one feature and should become the One True Path.

It's not like most of the advocates are actually going to churn out better code even after the swap, they'll just have a different flavor of problem while nanny guides them away from a particular type of careless error. GIT issue lists are stuffed full of the evidence that language choice != better code.

Heh

Anonymous Coward

In my glorious place of employment it's not even possible to move from C to C++ified C (replacing buffers and linked lists with strings and vectors and printfs with formats). The first step of modifying the toolchain to compile using the C++ compiler instead of C compiler and the minimum amount of code which trips up the C++ compiler is still as far away as it ever was. If that can't be done then Rust is just not happening and I don't suppose my employer particularly special. If an end client isn't paying for it they just don't want to know.

Re: Heh

Richard 12

Which is why the real way to improve safety is to continue improving the safety of existing languages.

That way, existing codebases can slowly transition to the "safe" subset, one function, one class, one subsystem at a time.

New languages are exciting and fun, but rewriting an entire something in a new language is almost always an incredibly bad idea. It's expensive, time consuming and absolutely certain to introduce errors.

Which also means writing a new application in a new language is very risky - if Rust gets replaced by Zig* next year, all your Rusty stuff needs rewriting...

*I have no idea how Zig compares to Rust

There is one way to make businesses adapt...

chuckufarley

...Just stop paying they to produce crap. They can't have a bottom line if they can't find the bottom.

But, but, but...

Michael Hoffmann

... going by my various video feeds and incoming article alerts, it's all Zig, all the time, now!

Don't these guys keep up with the cool kids(tm)?

Anonymous Coward

This doesn't bother me. I code in HTML.

the spectacularly refined chap

Oh hi Lottie Dexter, I always wondered what happened to you after the Year of Code.

(Search for the details if you can't remember them, in brief she was the figurehead for a government coding initiative who couldn't code and failed to appreciate what the term meant.)

FORTUNE EXPLAINS WHAT JOB REVIEW CATCH PHRASES MEAN: #1
skilled oral communicator:
Mumbles inaudibly when attempting to speak. Talks to self.
Argues with self. Loses these arguments.

skilled written communicator:
Scribbles well. Memos are invariable illegible, except for
the portions that attribute recent failures to someone else.

growth potential:
With proper guidance, periodic counselling, and remedial training,
the reviewee may, given enough time and close supervision, meet
the minimum requirements expected of him by the company.

key company figure:
Serves as the perfect counter example.