Feds: Critical Software Must Drop C/C++ by 2026 or Face Risk (thenewstack.io)
from arendjr@programming.dev to programming@programming.dev on 01 Nov 08:39
https://programming.dev/post/21219428

#programming

threaded - newest

jia_tan@lemmy.blahaj.zone on 01 Nov 08:51 next collapse

🦀🦀🦀

perviouslyiner@lemmy.world on 01 Nov 08:55 next collapse

Seems excessive to convert everything to rust when you can use std::shared_ptr and std::weak_ptr to eliminate the memory safety issue?

cmnybo@discuss.tchncs.de on 01 Nov 09:02 next collapse

I wonder how many issues rewriting everything in another language will create?

tyler@programming.dev on 02 Nov 01:09 collapse

Just as many issues as not reading the article.

psycotica0@lemmy.ca on 01 Nov 11:45 next collapse

I get what you’re saying, but I think the issue with optional memory safety features is that it’s hard to be sure you’re using it in all the places and hard to maintain that when someone can add a new allocation in the future, etc. It’s certainly doable, and maybe some static analysis tools out there can prove it’s all okay.

Whereas with Rust, it’s built from the ground up to prove exactly that, plus other things like no memory being shared between threads by accident etc. Rust makes it difficult and obvious to do the wrong thing, rather than that being the default.

arendjr@programming.dev on 01 Nov 11:56 next collapse

Using smart pointers doesn’t eliminate the memory safety issue, it merely addresses one aspect of it. Even with smart pointers, nothing is preventing you from passing references and using them after they’re freed.

refalo@programming.dev on 01 Nov 15:43 collapse

To be fair, it’s entirely possible to make the same and very similar mistakes in Rust, too.

GetOffMyLan@programming.dev on 01 Nov 18:55 next collapse

I’m fairly sure use after free isn’t possible unless you explicitly use unsafe code right?

It’s compiler enforced is the point.

robinm@programming.dev on 05 Nov 08:30 collapse

Is it possible to do in Rust?

Yes

Is possible to do in Rust, by mistake, and not easily caught by a review?

Definitively not.

refalo@programming.dev on 05 Nov 20:03 collapse

I think you could argue the same point with C++

robinm@programming.dev on 09 Nov 12:44 collapse

void foo() {
    std::vector v = {0, 1, 2, 4};
    const auto& ref = v[1];
    add_missing_values(v);
    std::cout << ref << "\n";
}

void add_missing_values(std::vector<int>& v) {
    // ...
    v.push_back(3);
}

Neither foo(), nor add_missing_values() looks suspicious. Nonetheless, if v.push_back(3) requires v to grow, then ref becomes an invalid reference and std::cout << ref becomes UB (use after free). In Rust this would not compiles.

It is order of magnitudes easier to have lifetime errors in C++ than in Rust (use after free, double free, data races, use before initialisation, …)

refalo@programming.dev on 09 Nov 14:56 collapse

This would be caught by ASan and other tools though, which should be part of any review.

robinm@programming.dev on 09 Nov 19:51 next collapse

That’s why I did not said it was impossible, just order of magnitude harder to catch in C++ compared to Rust.

To have asan finding the bug, you need to have a valid unit test, that has a similar enough workload. Otherwise you may not see the bug with asan if the vector doesn’t grow (and thus ref would still be valid, not triggering UB), leading to a production-only bug.

Asan is a wonderfull tool, but you can’t deny it’s much harder to use and much less reliable than just running your compiler.

robinm@programming.dev on 12 Nov 09:23 collapse

I think you have a hard time understanding the différence between “not possible” and “much harder”.

In Rust, the code does not compile.

In C++ the code compile, but

  • if you have a test case
  • this test case triggers the bug (it is not guarateed to properly reproduce you production environment since it depends on the parameters of the allocator of your vector)
  • you use ubsan

… then the bug will be caught.

Yes it is possible, noone says the opposite. But you can’t deny it’s harder. And because its harder, more bugs get past review, most notably security bugs as demonstrated again and again in many studies. The

magic_lobster_party@fedia.io on 01 Nov 12:10 next collapse

From the original document:

Software manufacturers should build products in a manner that systematically prevents the introduction of memory safety vulnerabilities, such as by using a memory safe language or hardware capabilities that prevent memory safety vulnerabilities. Additionally, software manufacturers should publish a memory safety roadmap by January 1, 2026.

My interpretation is that smart pointers are allowed, as long it’s systematically enforced. Switching to a memory safe language is just one example.

FizzyOrange@programming.dev on 03 Nov 13:47 collapse

I have never seen a single C++ codebase do that. It helps but it’s not a practical full solution.

Sonotsugipaa@lemmy.dbzer0.com on 01 Nov 09:02 next collapse

That is an extremely oddly specific cysec issue they’re choosing to target…

BlazeDaley@lemmy.world on 01 Nov 12:20 collapse

It’s one backed by a lot of data. One example is from the Android project.

The percent of vulnerabilities caused by memory safety issues continues to correlate closely with the development language that’s used for new code. Memory safety issues, which accounted for 76% of Android vulnerabilities in 2019, and are currently 24% in 2024, well below the 70% industry norm, and continuing to drop.

…googleblog.com/…/eliminating-memory-safety-vulne…

There’s an argument that critical infrastructure software vendors are already meeting standards for basic, non-memory related items. Yes, there are other categories, but memory safety is one that’s harder to verify. Moving to memory safe languages is an ensure a category of correctness. This excludes usage of unsafe escape hatches.

MyNameIsRichard@lemmy.ml on 01 Nov 09:08 next collapse

Feds have found a way to hack rust /s?

sp3tr4l@lemmy.zip on 01 Nov 09:50 collapse

DARPA has unironically been funding a tool that purports to translate C / C++ into Rust…

www.darpa.mil/program/translating-all-c-to-rust

lud@lemm.ee on 02 Nov 00:36 collapse

That’s nice.

wewbull@feddit.uk on 01 Nov 09:11 next collapse

That sounds like policy written by somebody who has no idea what the reality of software development is.

1 year to rewrite critical software in a new language?

nous@programming.dev on 01 Nov 10:57 next collapse

Did you read the article at all?

“Putting all new code aside, fortunately, neither this document nor the U.S. government is calling for an immediate migration from C/C++ to Rust — as but one example,” he said. “CISA’s Secure by Design document recognizes that software maintainers simply cannot migrate their code bases en masse like that.”

Companies have until January 1, 2026, to create memory safety roadmaps.

All they are asking for by that date is a roadmap for dealing with memory safety issues, not rewrite everything.

IsThisAnAI@lemmy.world on 01 Nov 11:25 next collapse

Solid detective work Lou.

GetOffMyLan@programming.dev on 01 Nov 18:53 collapse

That sounds like a comment written by somebody who has no idea what the article says

sp3tr4l@lemmy.zip on 01 Nov 09:48 next collapse

… Are the Feds aware that the core systems that many, many older companies (and government agencies) use are still based on COBOL?

Is… is that not of any concern?

aubeynarf@lemmynsfw.com on 01 Nov 11:00 next collapse

Is COBOL subject to buffer overflows and use-after-free bugs? I honestly don’t know.

I don’t recall the COBOL code I’ve read using pointers.

sp3tr4l@lemmy.zip on 01 Nov 14:51 collapse

The problem I am aware of is moreso that the number of programmers that know COBOL is vanishingly small, it … COBOL does not seem to really be taught anymore…

…so if something goes wrong at that level, you may be SOL if you cannot find an increasingly rare programmer that knows COBOL well.

[deleted] on 01 Nov 12:14 next collapse

.

tyler@programming.dev on 02 Nov 01:01 collapse

The article says this isn’t to affect existing code.

mox@lemmy.sdf.org on 01 Nov 20:41 next collapse

Don’t assume too much from the headline, folks. They’re not saying everything has to be rewritten by 2026. They’re saying new product lines serving critical infrastructure should be written in memory-safe languages, and existing ones should have a memory safety roadmap.

If you’re about to post about how you think that’s unreasonable, I think you should explain why.

Primer81@lemmy.zip on 01 Nov 20:51 next collapse

Just from reading the article, is the scope just critical software infrastructure? What does that encompass exactly? Banking and military software seems easy to assume - what about embedded medical device software? Or just embedded software in general?

NauticalNoodle@lemmy.ml on 01 Nov 21:07 collapse

is Rust ready for this?