What is the new safe C++ and what do programmers need to know?

Memory safety issues are a growing concern for developers. In 2020, Google reported that more than 70% of serious security bugs in the Chrome browser were caused by memory safety issues.

«These errors,» explained the Chrome team, «arise from pointer errors in C or C++ that lead to misinterpretation of memory.»

In 2022, the NSA also joined the discussion. NSA cybersecurity CTO Neal Ziring noted:

«Memory management problems have been exploited for decades and remain all too common today. Safe programming languages and other safeguards should be used to prevent these vulnerabilities.»

Why do you need memory safety?

Memory safety has become an important topic of discussion at the highest levels. In February of this year, the U.S. Office of the National Cyber Director (ONCD) published a report recommending that all developers move to memory-safe programming languages. The report emphasizes that the burden of defending against cyberthreats now falls on end users, and it is necessary to address entire categories of vulnerabilities proactively.

The document also mentions that experts have identified several programming languages, such as C and C++, that do not provide memory safety but are widely used in mission-critical systems.

Memory safety issues have become particularly important because of the rise of digital technologies. The pandemic has accelerated the adoption of e-commerce, online payments, and digital advertising, leading to an increase in potential vulnerabilities. Stack Overflow notes that many of the largest security incidents in the past have been specifically related to memory safety issues.

These incidents include:

  • Heartbleed (2014) – A vulnerability in OpenSSL that allowed attackers to steal X.509 certificates, passwords, messages, and other data.
  • WannaCry (2017) – A ransomware attack that affected more than 230,000 computers worldwide.

Moving C++ to a secure future

Languages with built-in memory safety exist, such as Rust, Go, Java, Swift, and Python, but C++ remains under special scrutiny because of the sheer volume of critical code written in it.

Aware of this situation, the C++ community introduced a project called Safe C++ Extensions this September. The initiative is supported by the C++ Alliance, whose president and CEO Vinnie Falco called the project «a revolutionary proposal that adds memory safety features to the C++ programming language.»

«The need for secure code has never been greater,» adds Falco. «With the growing importance of software security and reliability, developers are faced with the need to implement safer coding practices. Safe C++ Extensions aims to prevent common memory-related bugs.»


Will this fix the problem?

Skeptics aren’t convinced that the new additions will solve the problem once and for all. Sean Baxter, a developer with the C++ Alliance, notes:

«The only popular system language without a garbage collector that provides strict memory safety is Rust. While C++ and Rust have similar uses, they have different architectures, and limited interoperability makes it difficult to gradually migrate from C++ to Rust.»

Safe C++ Extensions offers a number of performance measures, including prohibiting the creation of operations that could lead to errors in object lifetime management, type safety, and thread safety. However, implementing these principles requires considerable effort and time.
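
An added example, not taken from the article or from the Safe C++ proposal: one instance of the object-lifetime errors mentioned above, written in standard C++, next to two common mitigations. The function names and sample data are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// The unsafe pattern, which standard C++ accepts without a diagnostic:
//     const std::string& first = names[0];
//     names.push_back(added);  // may reallocate: `first` now dangles
//     use(first);              // use-after-free
// would_dangle() performs the same push_back and reports whether the buffer
// moved, comparing addresses as integers so stale memory is never read.
bool would_dangle(std::vector<std::string>& names, const std::string& added) {
    const auto before = reinterpret_cast<std::uintptr_t>(names.data());
    names.push_back(added);
    return before != reinterpret_cast<std::uintptr_t>(names.data());
}

// Constructed sample data: a vector padded until size() == capacity(), so the
// next push_back is forced to reallocate.
std::vector<std::string> full_vector() {
    std::vector<std::string> v{"alice", "bob"};
    while (v.size() < v.capacity()) v.push_back("pad");
    return v;
}

bool demo_realloc_dangles() {
    auto v = full_vector();
    return would_dangle(v, "carol");
}

// Mitigation 1: reserve first, so the append cannot move the elements.
bool demo_reserve_dangles() {
    auto v = full_vector();
    v.reserve(v.size() + 1);
    return would_dangle(v, "carol");
}

// Mitigation 2: hold an index, not a reference; at() is bounds-checked.
std::string demo_index_access() {
    auto v = full_vector();
    const std::size_t first = 0;
    v.push_back("carol");
    return v.at(first);
}

int main() {
    std::cout << std::boolalpha << demo_realloc_dangles() << ' '
              << demo_reserve_dangles() << ' ' << demo_index_access() << '\n';
}
```

Both mitigations depend on programmer discipline; in standard C++ the compiler accepts the dangling reference shown in the comment without complaint.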

Artificial Intelligence Support for Moving to Secure Languages

To simplify migration, DARPA is developing an artificial-intelligence-based tool called TRACTOR (Translating All C TO Rust), which is designed to automatically translate code into Rust.

The goal of the project is to make the generated code match the style and quality that an experienced Rust developer would achieve. This will help remove a class of memory safety vulnerabilities present in C programs.

The Future of C++: Toward Greater Security

Safe C++ Extensions are an important step toward making one of the most popular programming languages more secure. But the road to completely eliminating vulnerabilities will be long and laborious. Nevertheless, projects like TRACTOR offer tools for a smoother transition to secure programming, and even if full C++ security is still a goal for the future, developers are already starting to move in that direction.
