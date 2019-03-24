from the C++,-CVE dept.
Herb Sutter has an interesting article on his blog about approaches to improve security in C++ and modifying the language to assist with stopping programming errors that lead to exploits.
https://herbsutter.com/2024/03/11/safety-in-context/
There are two interesting insights. Firstly. most CVEs come from issues that could be dealt with with small changes to C++ that are being proposed.
The second is that even coding in languages with automatic memory allocation can still have massive vulnerabilties. Even code written in Rust has vulnerabilities so the language alone is not the whole problem.
In that context, I'll focus on C++ and try to:
- highlight what needs attention (what C++'s problem "is"), and how we can get there by building on solutions already underway;
- address some common misconceptions (what C++'s problem "isn't"), including practical considerations of MSLs; and
- leave a call to action for programmers using all languages.
tl;dr: I don't want C++ to limit what I can express efficiently. I just want C++ to let me enforce our already-well-known safety rules and best practices by default, and make me opt out explicitly if that's what I want. Then I can still use fully modern C++... just nicer.
(Score: 4, Interesting) by Azuma Hazuki on Thursday March 21, @01:17AM (10 children)
As of about a month ago I started teaching myself C++ and Qt (already have a front-end that plays SNES SPC music dumps with GStreamer!) but have bee wondering exactly how safe this is. The Qt examples don't use std::uniqueptr or anything...
I am "that girl" your mother warned you about...
(Score: 5, Informative) by loonycyborg on Thursday March 21, @01:56AM
Qt predates smart pointers in C++ std, they have own lifetime management ways. Even if they pass around raw pointers, most objects form hierarchical structures that could be cleaned up all at once without bothering with delete on particular subobjects. See here: https://doc.qt.io/qt-6/objecttrees.html [doc.qt.io] .
(Score: 5, Informative) by stormreaver on Thursday March 21, @02:06AM
Qt has its own counterparts to the C++ standard library because there was too little standardization among C++ compilers *cough Microsoft* in the early years. Qt has excellent memory management, so you'll be fine.
(Score: 3, Interesting) by crafoo on Thursday March 21, @05:06AM
qt and c++ is a winning combination. check out their coding guidelines. it's actually useful for Qt users as you can see the pragmatic thought process for designing the interface. If you're handling their gstreamer interface without issues then you're going to be alright.
(Score: 4, Insightful) by Mojibake Tengu on Thursday March 21, @12:04PM (2 children)
If you mean to take C++ serious, I strongly recommend focus on std library. And C++ 20/23 these days.
Use https://en.cppreference.com/w/cpp [cppreference.com] often.
Qt is nice but marginal and divergent project. Overall stability of Qt applications is not as impressive as it should be, including whole KDE desktop.
Historically, at the beginning, the original author of Qt even rejected to use C++ templates, a fresh technology of the days, since he argued those are only fancy macros. His words. That was some time before TrollTech was established.
The company changed the strategy later but the political divergence is still prevalent, making Qt itself a niche.
Respect Authorities. Know your social status. Woke responsibly.
(Score: 5, Interesting) by stormreaver on Thursday March 21, @01:17PM (1 child)
Qt's replacements for the C++ standard library are much more programmer-friendly, and C++ has no GUI support. Mixing the standard library with Qt's GUI system is painful to say the least, which is why Trolltech made its own.
The only downside to Qt is that it doesn't give a single rat's ass for backward compatibility; which is why, after many years of development with it, I abandoned it and returned to Java. Qt has broken backward compatibility in a major way at least twice, and the average human lifespan is too short to rewrite everything every time the API breaks. I've had to resort to virtual machines to keep my old Qt software working.
(Score: 2) by Mojibake Tengu on Thursday March 21, @07:16PM
I had identical experience but took my lesson quickly and threw away all of my Qt based code at Qt3/Qt4 transition epoch.
Respect Authorities. Know your social status. Woke responsibly.
(Score: 5, Insightful) by Unixnut on Thursday March 21, @12:23PM (1 child)
Similar to me. After years of Perl and Python programming I decided to learn a more performant compiled language, and decided upon C++ (ignoring what C embedded work I did decades ago).
I got "The C++ Programming language" book written by Stroustrup which I am reading. It is a dry book (almost 1400 pages), possibly the second or third driest book I've ever read, but it does go into the details of C++, as well as best practices and recommendations for making the best use of the language.
From what I've read so far, it does seem that best practices will ensure that your code is not vulnerable. It seems a lot of mistakes and problems happen when people (C programmers) learn C++ and basically mix and match C and C++ (e.g. fiddling with pointers when no longer necessary and mixing C primitives with C++).
The modern C++ is no longer "C with classes", but it many ways has become its own language, just with the power to really do amazing things if you delve deep down (with the ability to blow your foot off if you get it wrong).
For most application programming however, if you stick to the recommended practices and libraries I see nothing inherently dangerous about the language. So far I am enjoying learning about it, and applying it in those places where I need better performance.
As for QT, I have heard good things about it, however so far I have not investigated it further. My experience with QT apps is generally they seem bloated. Pulling in loads of libraries for simple applications. If I wanted to write a GUI app then perhaps, but even then I may just use WXWidgets as it is more lightweight.
(Score: 3, Interesting) by Freeman on Thursday March 21, @02:41PM
I've not used C++ since I used it in the GUI programming class I took in college. I have however used C# and Python. C# seemed to be quite usable and is probably a better choice than Python, especially when the main OS I'm using it for is Windows. I've settled on Python for a lot of my data manipulation partly due to the fact that pymarc is a thing and I just like Python's ethos. Nothing that I'm doing is mission critical for anyone except for myself. Which just makes me my own worst enemy for whatever I choose to do.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 2) by pvanhoof on Friday March 22, @03:49PM
The equivalent for std::unique_ptr in C++ is QScopedPointer. Using std::unique_ptr with Qt, however, works fine (and you can consider QScopedPointer deprecated).
Similarly you have std::shared_ptr which in Qt exists as QSharedPointer.
Something I have not found a equivalent for in std is QPointer which is somewhat like what a std::weak_ptr is for a std::shared_ptr but then for QObject and without the need to be a std::shared_ptr or QSharedPointer. It internally makes use of QObject::deleted signal to know when the QPointer must start letting its QPointer::data() return nullptr.
With Qt6 the process has started to migrate away from those Qt types. The preference (also among Qt developers like myself) is to start using std types. Examples of types you shouldn't use for new code are QVector, QSharedPointer, QScopedPointer, QList, QQueue, QMap, etc. They all have perfectly fine std versions that work just as good. Additionally do std's type often support std::pmr for using polymorphic allocators. This can turn out to be very beneficial (ie. if you want to make sure you have no memory fragmentation).
Good luck. And Qt certainly isn't a bad choice.
(Score: 2) by gnuman on Friday March 22, @06:59PM
Yeah ... that's not about security anything. That's about memory leaks. And memory leaks galore are a problem in all GC languages too.
When you talk about security, you talk about things that end up with memory overruns, underruns, and use-after-free. Things like trusting user input are a big no-no. The central problem was always string management in simply char* with \0 EOL delimiter. In Qt, you'll find QString (UTF-16 container) as ways of handling this problem. Smart pointers do *nothing* to help you with this.
Others are talking about QObject owned hierchary which mostly is related to UI owning it's support things. Support (controllers, views, etc) get destroyed when the UI is closed. It's convenient at preventing memory leaks. You still need to take care of non-QObject owned stuff, like QFile, QString, etc. QObject is **heavy** hence it's only used for heavy things, like UI.
Anyway, C and C++ are about manual memory management, which brings in reliable footprint and performance. But you have to take care.
(Score: 2, Insightful) by Anonymous Coward on Thursday March 21, @11:40AM (3 children)
I do find it weird that many languages still have the convention of passing data/parameters via the "return address" stack[1].
If they used a separate stack for passing data certain exploits become harder - yes you can still have unwanted behavior BUT it is harder for the "runs arbitrary code" part.
It just seems to be bad hygiene to mix data and code like that.
[1] https://en.wikipedia.org/wiki/X86_calling_conventions#x86-64_calling_conventions [wikipedia.org]
(Score: 3, Touché) by VLM on Thursday March 21, @01:40PM (2 children)
"In the old days, when address busses were small and ram was expensive"
It would be a hard sell to have multiple stacks to manage free space on a non-MMU 16-bit memory bus from 1980 and that language design attitude lives on.
It's interesting to ask "What if there was an architecture for enterprise computing only that would never run on a toaster or microwave oven?" but then I remembered the IBM360 macro assembler.
(Score: 1) by anubi on Friday March 22, @08:27AM
Isn't even the Arduino a Harvard architecture?
The program goes in EEPROM...the data goes somewhere else. RAM and in some cases, Flash... Or at least that's how I've been building 'em. I lock the code itself up, mostly just to avoid corruption that would render the whole thing useless, but things like HMI image files and tables are in flash, data buffers are in RAM.
I particularly like the simplicity, ease of interfacing to real world actuators and sensors, and low power draw. And quite inexpensive.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 0) by Anonymous Coward on Friday March 22, @10:30AM
(Score: 2) by Rich on Thursday March 21, @12:28PM
I read Sutter's article a few days ago, and it came across as mostly apologetic and explaining that there isn't a problem with C++. He makes up a few important sounding terms, quotes statistics of exploit causes as a measure of the safety of a language, whereas they really should come up with a language definition that has no undefined behaviour. We can assume that with all the crap piled on C++, this is impossible and have to read the article as euphemistic admission that it is indeed so. (Sutter should know, he's the designer of Cppfront after all).
He also does a bit of Rust-bashing, pointing out the tree-like memory model (which, btw, is what Qt also offers if used like intended), and in the end, the suggestion is to pile another "profile" layer of crap on the existing ones. Certainly not an elegant solution, but one that allows the book-writing and seminar-touring clique to cash in for another three years.
(Score: 4, Insightful) by VLM on Thursday March 21, @01:44PM (5 children)
Bad programmers who write bad programs in C using bad pointer strategies will not move to Rust and make no pointer mistakes magically making them good programmers, they'll just continue being bad programmers doing non-constant time crypto comparisons or using rot13 as their enterprise grade cipher of choice or all kinds of other bad ideas.
Its like you got two hardware stores and the people who hit their thumb with the hammer think if one of the stores stops selling hammers then they'll become gods of DIY skills. Not so; they'll just mildly inconvenience the folks who DO know how to use hammers and still find a way to cut their hands off with the table saws and zillions of other fun toys at the "safe hammer-free hardware store"
(Score: 3, Informative) by digitalaudiorock on Thursday March 21, @02:26PM (2 children)
I've had a VERY bad feeling about everyone's push to move to Rust. For starters, what exactly makes everyone trust Mozilla to do anything right??...the wonderful job they've done with FireFox and Thunderbird?? Please...
One trend that seriously sounds bad is that, apparently, with Rust there seems to be a big trend to link most everything statically instead of dynamically. There was a discussion on the Gentoo forums on that a while back and there are a ton of reasons that that's a really bad trend.
(Score: 5, Funny) by VLM on Thursday March 21, @02:54PM (1 child)
In the old days when there was yet another buffer overflow in strcpy the theory was instead of patching a zillion binaries just patch the dynamic library and call it good.
However, this doesn't really work, does it, if everything in 2024 is run in Docker with a verifiable build process so all containers are bit for bit exactly similar. May as well statically link everything in 2024.
The concept of dynamically linked library as an API between software packages also doesn't seem so popular, do it all over TCPIP in a cluster with a REST API now.
They do kind of have a point...
(Score: 2) by hendrikboom on Friday March 22, @02:28PM
Sounds unnecessarily heavy for most code.
(Score: 3, Insightful) by Beryllium Sphere (r) on Friday March 22, @07:11AM (1 child)
>will not move to Rust and make no pointer mistakes
Oh, they can certainly write code that leaks or double-frees or uses after freeing in Rust.
The difference is that it won't compile.
(Score: 2) by gnuman on Friday March 22, @07:10PM
that's patently false. Rust code can leak like a hose if you don't care..
https://doc.rust-lang.org/book/ch15-06-reference-cycles.html [rust-lang.org]
and you can write segfaults, etc. in rust if you really want to :-)
https://github.com/Speykious/cve-rs [github.com]
(Score: 2) by hendrikboom on Friday March 22, @02:50PM (1 child)
I learned C++ rather intimately and implemented most of a C++ compiler in the early 1990's. Since then I have had only minimal contact with the language.
A lot has happened to the language since.
Can someone recommend a reasonably efficient guide to what's happened to the language since, especially modern recommended practices?
(Score: 2) by gnuman on Friday March 22, @07:21PM
The BIG difference in C++ is that in early 1990s, C++ compilers were crappy so the recommendation was not to use templates (you know, the #define for a type :-). All changes since there has been improvements in compilers and the template engine so now things like standard containers (like std::vector) have partial specializations, templates are everywhere and error messages are longer than ever.
That may be a little cheeky, but it's essentially true.
https://en.cppreference.com/w/cpp [cppreference.com]
look around here... there is a lot of stuff that no one used or mostly didn't exist in 1990s.