TechCrunch Urges Developers: Replace C Code With Rust (techcrunch.com) 114
Software engineer and TechCrunch columnist Jon Evans writes that the C programming language "gives its users far too much artillery with which to shoot their feet off" and is "no longer suitable for the world which C has built." An anonymous reader shared Evans' post: Copious experience has taught us all, the hard way, that it is very difficult, verging on "basically impossible," to write extensive amounts of C code that is not riddled with security holes. As I wrote two years ago, in my first Death To C piece... "Buffer overflows and dangling pointers lead to catastrophic security holes, again and again and again, just like yesteryear, just like all the years of yore. We cannot afford its gargantuan, gaping security blind spots any more. It's long past time to retire and replace it with another language.
"The trouble is, most modern languages don't even try to replace C... They're not good at the thing C does best: getting down to the bare metal and working at mach speed." Today I am seriously suggesting that when engineers refactor existing C code, especially parsers and other input handlers, they replace it -- slowly, bit by bit -- with Rust... we are only going to dig ourselves out of our giant collective security hole iteratively, one shovelful of better code and better tooling at a time."
He also suggests other fixes -- like using a language-theoretic approach which conceptualizes valid inputs as their own formal language, and formal verification of the correctness of algorithms. But he still insists that "C has become a monster" -- and that we must start replacing it with Rust.
Yes, go ahead! (Score:5, Insightful)
Yes, replace billions of working C code with billions of lines of code in a new language. What could possibly go wrong?
Re: (Score:2)
Well if this guy says so, what doubts could you possibly have left?
Re: (Score:1)
He's not suggesting that at all.
"..I am seriously suggesting that when engineers refactor existing C code, especially parsers and other input handlers, they replace it — slowly, bit by bit — with Rust."
He's suggesting that when you refactor a critical piece of C code - in other words you're already going to change it and potentially add brand new C/C++ security issues - you instead use a language with some form of god damn formal verification and some fucking way of validating that you're not op
Re: (Score:2)
Yes. Formal verification of most production programs will not happen in my lifetime or yours, or possibly ever, because it's expensive and nobody's paying for it.
The simple fact is that there's a hue and cry about security but nobody really cares about it, because nobody's willing and able to pay what it would take to fix it.
Re: (Score:2)
What needs to happen is the cost of security breaches must greatly exceed the cost to fix it. The only way I can see that happening is huge fines and/or civil accountability. In other words government fixing the market place.
Re: (Score:1)
Rust has both a safe variation for doing good things and an unsafe veriation for doing low-level actions. This is the same problem with a new paint job.
Re: (Score:1)
No you just have a low IQ. There's a difference between everything being unsafe and only being unsafe in the critical areas where you need to be.
Re: (Score:3)
I would expect Slashdot users to post numerous variations on, "Is she hot?"
Re: (Score:2)
Yes, replace billions of working C code with billions of lines of code in a new language. What could possibly go wrong?
Not only that, but which standard requires that a system have a rust compiler on it? POSIX and SUS (are they the same now?) require a C compiler. In practice I know that many systems have other environments available, but standards matter in some cases and there will be instances where C is an appropriate choice, if not the best or only choice.
I could understand advocating "choose rust instead of C for new projects" or "if you are considering rewriting major portions of a C project then con
The Rust community worries me. (Score:2, Insightful)
The Rust community really worries me. It's far too tyrannical for my tastes. For example, they apparently aren't capable of acting like civilized adults on their own. They need a Code of Conduct to tell them how to behave, and a Moderation Team to act as what is effectively a judge/jury/executioner role.
What's worse is when they use these tyrannical apparatuses to attack others. For all of their bragging about how they value "tolerance" and "inclusivity", they so often exhibit the opposite behaviors. Just l
Re:The Rust community worries me. (Score:4, Insightful)
When I first heard about Rust and went to check it out, the so-called "community" put me off it completely.
Re: (Score:3)
I think we should replace c with COBOL, no pointers, no dynamic memory allocation, rounding errors with floats rare and all strings fixed length.
That is just as good an option as any for these crazy "my language is better than your's" posts
Ada (Score:2, Interesting)
Why now? Why rust? What about Ada? They're not so different that somehow the argument becomes that much better than it was for Ada. I just don't get all this rust hype. But, then again, I'm a C programmer, and I am 100% certainly I won't see C replaced in the systems I work on (cars), so it's a moot point. I would, however, support a move to Ada. My industry would never consider Rust. Pushing it over Ada is actually counterproduction, because it primes the C-suite to see languages pushed as a replacement fo
Re: (Score:3)
In part it's a cultural thing. Ada is considered "complex and verbose" (but compare with Java). Ada is, of course, from the DoD, so it's "obviously bad." Most importantly, Ada requires a bit more thought before you jump into the code.
The interesting thing about Ada is that a skilled practitioner learns how to use the language to his advantage. You code so the compiler checks as much as it can, so you can concentrate on things the compiler can't check. When the compiler and you agree the code is correct
Re: (Score:2, Interesting)
Two other issues:
1) having lost the race, there is no longer a viable ecosystem of Ada compilers, tools, etc outside of a few specialized (and very expensive) aerospace and DoD environments. That creates a large chicken-and-egg barrier to its use
2) Back in the day Dijkstra strapped on the 10 most powerful swords and warhammers in human mythology and went after Ada full force. At the time his criticisms seemed on point, but with knowledge of what came after (e.g. Java) his obj
Re: (Score:3)
#1 is not true. See https://sourceforge.net/projec... [sourceforge.net] There's been a GPL Ada compiler for at least 30 years. The Ada Core product is open source, you pay for maintenance.
For #2, the debate in many respects boils down to "simple programs in complex language" or "complex programs in a simple language." But see http://www.adacore.com/sparkpr... [adacore.com] (and there are free versions of that, too), for a subset of Ada specifically designed to support proof-of-correctness.
Re: (Score:2)
...there is no longer a viable ecosystem of Ada compilers, tools, etc outside of a few specialized (and very expensive) aerospace and DoD environments.
Say what? I've got gcc-ada installed on the system I'm using to post this.
Re: (Score:2)
That's one. How many industrial-quality C compilers are on the market and what is their price range?
Re: (Score:2)
How does Ada prevent memory leaks?
(Maybe I should also ask how Ada prevents rockets from exploding [wikipedia.org], but Rust won't do that either)
Re: (Score:2)
1. No address arithmetic. Arrays are programmed with bounds-checking, usually through dope vectors generated by the compiler. It is a requirement of the language to generate an exception if you try to go beyond the bounds of the array.
2. Ada handles pointers through access types (which, by the way, are always checked before dereferencing to be sure the pointer is not null). There are coding styles and means to do memory management, e.g. setting up a memory pool for a specific access type. Ada95 and be
Re: (Score:3)
Arrays are programmed with bounds-checking, usually through dope vectors generated by the compiler. It is a requirement of the language to generate an exception if you try to go beyond the bounds of the array.
Doesn't a bounds-check on every array access slow things down?
Re: (Score:2)
1. It's maybe 1 instruction on most architectures.
... some_array(index) ....
2. If you want security, you have to pay for it.
3. In many cases, the compiler can prove the bounds check is not needed!
Consider
for index in some_array'range loop
end loop;
Unless you modify index (as an "l-value"), the compiler knows the values for index are exactly the bounds of the array (because 'range returns the range of values for the object some_index), so no bounds check is req
Re: (Score:2)
Buffer overflows are a uniquely C (and assembler) thing. Most programming languages do actually do bounds checking, and will generate a run time error if you attempt to write more data to an array/block/other fixed size container than will fit. Ada is a normal programming language in this respect.
Addressing memory leaks is a more complex subject, but you can reduce memory leaks if your programming language is built properly. You can't eliminate them, because it's always possible for a programmer to keep
Re: (Score:2)
Most programming languages do actually do bounds checking, and will generate a run time error if you attempt to write more data to an array/block/other fixed size container than will fit.
Most programming languages are slower as a result of this bounds checking at runtime.
Re: (Score:2)
What about Ada?
I came to this story to post this very question.
Re: (Score:3)
This guys beginning premise is wrong. People dont use C because its "getting down to the bare metal and working at mach speed." C is not a "bare metal language" so that cannot be the reason. The reasons that people use C mainly stem from it being based on a simple yet expressive-enough abstract machine.
C isnt the ideal language for its purpose. The issue is really that none of the other languages are suitable upgrades.
Re: (Score:2)
I won't see C replaced in the systems I work on (cars),
C isn't being replaced but it also isn't being written.
Simulink Embedded Coder / "Model Based Design" is taking over most industries.
It's trivial to switch between C/C++. Adding Rust, ADA, etc shouldn't be too much of a leap.
Rule of Generation
Re: (Score:2)
The first big problem with Ada is that its developers looked at the Pascal syntax and decided it would be a good challenge to make it even worse. In Ada variable, a pointer dereference (of any level) and a nullary function call look exactly the same. The second problem is that key language features have never been standardised. Some compilers support garbage collection, while in others you have to manage memory allocation by hand, which can easily leave you wondering why your code have suddenly started leak
That's a bit rusty... (Score:2)
Or Ada. Or Erlang... (Score:2)
Or Erlang. Or Ada. Or PL/I. Or... or any of the 23 languages/environments that have been proposed since the Ada/Pascal/C split circa 1975. Yet none of these proposals have taken root. Why not? Seems to me that is just as important a research question as developing Yet Another Correct Compiler for the Unbreakable
Re: (Score:2)
Erlang was originally developed to facilitate the creation of provably correct real-time communications systems. The argument (all the way in the dim depths of 2014 here on Slashdot IIRC) is that in today's world all software will eventually be connected to the Internet and both its interactions and its databases may be located at multiple remote unreliable locations/links, and hence all systems can be (and then proceed to should be) modeled as real-time communications systems requiring provably correct s
An embarrassing admission (Score:3)
Basically, this is an admission that the average programmer is fairly shitty. Then again, you don't want average programmers working on anything important, so by sticking with c, you're not going to get the "rust, rust, baby" programmers.
Re: (Score:1)
While in grad school I had a roommate take an introductory to programming course. I saw grave errors in the example code the lecturer was giving the students. It starts with the education. If they are not taught properly from the beginning don't expect anything but crap later.
In the basic read stuff from a file example given to the students -
char c;
while ( (c=getc)!=-1) {
}
Re: (Score:2)
Any smart teacher will slip in a mistake once in a while to see if anyone is paying attention. Then again, I'm not saying all, or even a majority, are smart.
Re: (Score:1)
Yeah.. expert C programmers never write insecure code.
Except for when they do, which is pretty much constantly because true expert C programmers know it's impossible to write any large piece of C/C++ software using it's native features without making at least a few mistakes.
If you're a C programmer, and you don't already know this, then you aren't an expert.
Re: (Score:2)
Wrong. I wrote a multithreaded server that had zero memory leaks, never had to restart a thread to reclaim memory, and could run for years with no faults and no slowly chewing up extra ram. It took 2 years to get it perfect. Most places wouldn't give you 2 years to do that. They want "good enough".
Of course, a year after I left, someone modified the code and it started eating up ram. When they called me, I told them to put the code back the way it was, because even the source said "this may look wrong - bu
as if more proof is needed (Score:1)
Rust has one of the most aggressive fanboy cultures since the Ruby hey days. Those kool-aide drinkers infest every corner of every programming language forum (notably Reddit's C++ forum) repeating their mantras and echo chamber memes.
But yes, sure, let's start refactoring a kajillion lines of C that are out there working perfectly well. Let's replace working C with an immature, untried, untested language that is still largely under active development. As another poster said, what can possibly go wrong?
The w
Bullshit slashvertisement (Score:5, Interesting)
Hire competent C developers and you should be good to go. Hire dumb-asses and sure the future doesn't look bright.
The usual PR stunt of "use my new language that is so good and so simple even a stupid high school teen with an IQ somewhere between stone and plankton in the phylogenetic tree could use it without wrecking anything" is not going to convince anybody here. It's boring at best, and no-one cares about your "advice".
The linux kernel is in its 3rd decade, as most gnu/bsd tools and all of that is written in plain C. They are good and safe. Oh, maybe it's because they are written by competent guys.
Re: (Score:3)
Re: (Score:1)
Also C++, if used correctly, makes many typical C bugs very hard to implement by accident, while still having the option of using some things that only C can do well if really needed.
Re: (Score:2)
The linux kernel is in its 3rd decade, as most gnu/bsd tools and all of that is written in plain C. They are good and safe.
Really? Are you sure [cvedetails.com]?
Re: (Score:3)
Re: (Score:1)
This is a common argument. What you're really saying is that a small number of elite developers feeling good about themselves is better than good tools that prevent mistakes.
And the response is "No, it's not." We need more people to be able to produce more with fewer mistakes. The number of developers who write production code will always be more than the number of developers who write mistake-free code. The way to get more mistake-free code is to eliminate opportunities to make mistakes.
Shorter version:
Re: (Score:2)
I've met a lot of very competent cabinetmakers over the years, but of those who use circular saws 80% are missing at least the tip of one finger. The SawStop technology seems like a good idea to me, although many deride it as "sissy stuff".
In any case, the history of the last 30 years shows that you really can't depend only on having hired the "competent" programmers - there aren'
well, he's not wrong (Score:2, Insightful)
C was one of the most influential languages the world has ever seen, but all things reach a point where time moves and and they are not good ideas for new projects any more. I don't think we should necessarily go replace every line of C code out there - couldn't if we wnanted to - but for new projects we should use better tools now.
Tools do matter. It's just way way way too easy to write buffer overflows in C, even for highly experienced programmers. History shows that clearly. We need better tools that
Fix the code dont try a new language (Score:3)
Re: (Score:1)
"Rust" isn't a name that inspires confidence. Nor is "Corrosion," "Decay," or "Flatulence."
Hey - I resent your use of that last word!
Moving the goal posts doesn't eliminate them (Score:2)
One is data structures: in C there are no data structures. Any memory can be
Formal verification my foot (Score:2)
Recent experience with C (Score:2)
C can certainly be extremely problematic in bad hands (increasingly careless attitudes in the programming world, anyone?). Also I don't see the point of using it other than under very specific conditions. But completely replacing it? I don
Re: (Score:2)
FUN FACT: in Spanish, double negation is correct. For example, a word-by-word translation of my version to Spanish would be fine: "NO creo que sea posible NI lógico".
Re: (Score:2)
Not anytime soon. As in certainly not in the next 50 years. The little problem is that current AI is exclusively "weak AI". and that is the AI without intelligence. All it can do is statistical classification and that is not enough. So for the foreseeable future, the only thing that can make code secure is competent coders. "Pay peanuts, get monkeys" is the main problem that causes insecure code.
Re: (Score:2)
Ah, yes. Python, the language that pretty much requires its users to know what they are doing. Just like C, come tho think of it. All the hate against these languages comes from one corner only: Those that cannot hack it.
Misplaced blame (Score:2)
Security is the job of the Operating System, not applications, or users. When you run the program, and tell the OS which files it should use, that should be it. The program shouldn't have the authority to access anything not specified. This has worked in the mainframe world for decades, as you specified which virtual disks a system had access to when loading the run-time system. This works in virtualization, when you specify the disks the virtual machine is to use.
It's going to be a few more years for th
Re: (Score:2)
Yes, this. Now let's all trust MS Winders.
Re: (Score:2)
And then there are the cases where programs can access things and the security requirement is that they must not misuse them. Which is pretty much the most important case these days and most of it cannot be solved by MAC. You miss about 90% of the problem with your statement.
Choice the Language (Score:2)
Your choice of language should be context dependent.
C is used in some situations that spring readily to mind where Rust would not be appropriate:
1) Codebases that are elderly, dating back to the 1990's or earlier. Back then we used C for most things. Compiled languages were required for most types of programming, because interpreted languages were too slow for most things. [I know that Rust is compiled, but it also didn't exist until 2010. To me, something was either written in C, rarely in C++, or scripted
So replace old and proven with new and unproven? (Score:2)
That will go well. Especially as Rust is nowhere near the "silver bullet" it is claimed to be. No. Just no.
The actual fix is to hire competent coders. Incompetent ones will make their code just as insecure in Rust as they do in C. Sure, the insecurities will be different ones, but that is it. Software quality never has been a question of the language used. The only influence the language used has is how long coding takes. Software quality (and in particular security) is solely a question of the skills of th
Many who code in C should not (Score:2)
To be able to code effectively in C you need to have been doing so for at least 3 years and, preferably, spent 6 months or more writing in assembler. I am not saying that without this people cannot write good C, but I believe that this is what is needed to provide you with the level of insight that is necessary to be a competent C programmer. To be a great one, add a few years experience.
C is not a language for every one, it is not a language for all problems. But for some it is a good language. The trouble
Re: (Score:2)
Perl has GOTO and LABELS. I used PERL mostly for ETL and having the capability to break out nested for loops using LABELS made the code cleaner not having to use a bunch of condition variables. Now that I'm in Python I have to filter things which means iterating over things once for the filter in the for list and then again for the processing. Things can be corrected by using 'yield' to iterate once with generators but, and here's the but, the Perl LABEL code is intuitive, whereas the 'yield' code trips peo
C is not the problem. (Score:2)
I'm sorry but I don't see the security problem, at all. All I see is a bunch of hyperbole.
First thing one learns in security is that as long as humans are involved then you have a problem. RUST only addresses one aspect of human involvement, operator error. RUST does not address backdoors of design. The recent IOT attack the created the largest DDOS attack was such a back door.
If the past is any indication of the future then RUST will find its niche and that's it. Safe malloc libraries have been around a lo
What about Go? (Score:2)
For the sake of discussion. I haven't used but worked with people who did. They said it was much better than C or C++. Can anyone weigh in on the pros and cons of Go?
It's too late (Score:2)
I believe that we are about a decade away from a disruptive change that will obsolete all of this. The refactoring would probably take longer.
At some point, we are going to change to a system in which neural networks are the system and a swarm of traditional processors running very small, tight, calculator-like algorithms are tied within the neural network. This merging of calculators, memories and artificial minds will occur long before any intensive augmentation of biological minds - likely in the next co
Re: (Score:2, Funny)
Well ain't that a self-confirming statement...
Re: (Score:2)
Sorry I am not discussing the anonymous coward behind it, but the statement itself...
"They just show up to post random nonsense and exhibit absurd biases" - that's exactly how I perceive the GP.
Re: (Score:1)
