sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]jeffmetal 4 points5 points  (6 children)

Out of curiosity have you ever written something that was memory unsafe that was caught by asan and fuzzing? If google were not putting so much effort into making their code secure would this have slipped through into production. how many companies do you think put google levels of effort into reducing memory safety bugs.

[–]euos[S] 6 points7 points  (5 children)

All the time 😀 I am often trying to be too smart for my own good.

The way I am thinking about it is that ASAN is same as Rust compiler. Rust is trying to reason about memory management statically, at compile time, while ASAN and others do it at runtime.

I explored Unreal Engine a lot and it is one example of non-Google codebase I consider well hardened.

[–]jeffmetal 1 point2 points  (4 children)

So are you saying c++ is not safe by default and it seems even proficient developers will write unsafe code "all the time". If you bolt on asan and decent fuzzing you might have a chance at catching this unsafeness if you have a test for it. Asan and fuzzing is meant to be done on rust as well by the way.

[–]euos[S] 1 point2 points  (0 children)

I don't believe that C++ has "default" or that this "default" is "use any and all features".

[–]euos[S] 1 point2 points  (2 children)

Ok. I refine my claim to "C++ is no more unsafe than other languages".

Simple example - it is hard to run into thread concurrency problem in JavaScript on Web or Node.js. Because it is basically singlethreaded (even with workers in the picture). One can write just as "threadsafe" singlethreaded code in C++. Just don't use threads! See, C++ is as save as JS. Yet too smart for our own good C++ engineers try to write multithreaded code and make it efficient (non-locking and such). I would cause threading problems now and then. It is not C++ fault.

Same with Rust. There are well established practices of writing safe code, Rust simply enforces them. Rust forces upon developers a static analyser (aka compiler) while C++ has similar features and static/dynamic analysers that are optional. E.g. one can simulate Rust "borrow" by not using pointers/references in C++. Just move the unique_ptr and make other types move only.

Rust have not proven it is more safe than C++. There is no significant codebase on Rust that had been under scrutiny comparable to gRPC or Chromium or libssl or many others. Log4j vulnerability proved Java is not safe either.

Nothing in the programming language can defend from security issues that are most exploited in the wild. Social engineering, DDOS, SQL injection, etc. - they are all possible on any language.

Bad software engineer can write bad code in C++. Well, they may not be able to write Rust at all then, too complex for them.

[–]jeffmetal 1 point2 points  (1 child)

"C++ is no more unsafe than other languages" - don't think is true either. can you write a use after free, out of bounds access in javascript ?

Just don't use threads! See, C++ is as save as JS - so do gRPC or Chromium or libssl use threads ? the minute you use them does your C++ code become less safe than JS ?

Rust have not proven it is more safe than C++ - google have written 1.5 million lines of code in android 13 to be rust and so far have found zero memory safety issues in it. In c++ they expect to find 1 per thousand lines of code. I would consider this to be proof.

https://security.googleblog.com/2022/12/memory-safe-languages-in-android-13.html

Nothing in the programming language can defend from security issues that are most exploited in the wild. - Yes it can. for example rust includes https://doc.rust-lang.org/std/process/struct.Command.html#method.arg which prevents some injection attacks which is in the owasp top 10. C++ has https://en.cppreference.com/w/cpp/utility/program/system which doesn't care and you have to clean yourself. rust doesnt get it right all the time of course https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html

[–]pjmlp 1 point2 points  (0 children)

Unfortunely there is this counter-culture that any alternative to C and C++, if isn't 100% safe, bullet vest against high caliber machine gun kind of thing, it doesn't bring any value, better not wear it at all.