No matter how many tools and training resources software companies put in, C++ is not a safe language in essence, said Ryan Levick, a Microsoft cloud developer advocate, at last month's All Things Open virtual conference, where he explained why Microsoft is moving from C/C++ to Rust to build its infrastructure software and encouraged other software giants to consider the same question.
"The language we use is very old and from a different time, so it doesn't provide us with the ability to protect ourselves from such vulnerabilities," he said. "C++ is not a memory-safe language."
In fact, Microsoft thinks C++ is no longer acceptable for writing mission-critical software. The industry needs a high-performance, memory-safe language for its low-level systems work, and the best option on today's market is Rust.
C/C++ cannot be fixed
Today, C and C++ are the common languages for writing core system software. They are fast: between the code and the machine itself sits only assembly language.
However, the memory-related bugs these languages produce (many of them security risks) have plagued the whole industry. Today, 70% of the CVEs from Microsoft are memory-safety issues, Levick says. "Despite the tremendous efforts we have made to solve this problem, it still seems to be a common occurrence," he said.
From a financial point of view this makes sense, given the high cost of remedying this endless stream of memory-related errors. As early as 2004, each memory-related error cost the industry about $250,000, Levick said, and Microsoft's estimate is conservative.
Of course, many efforts have been made to improve the safety of C++. Although each effort helps, none of them completely solves the problem.
For a long time there has been one approach: train programmers to write secure code. However, "there is no evidence that the overall training of C/C++ developers can solve this problem," Levick said, citing Microsoft's own large amount of internal training for developers.
Static code analysis has been introduced as another possible solution. But static analysis can be costly: it needs to be wired into the build system. "So there are many reasons not to use static code analysis," Levick said. "If static code analysis is not turned on by default, it will not help."
The same goes for runtime checking: "It's impossible, or at least difficult, to know when the runtime checking specification is used and when it's not." Runtime checks also have a runtime cost, he added.
The best opportunity for the industry
To resolve memory-related errors, the Microsoft Security Response Center launched a Secure Systems Programming Languages plan. Some of its work is dedicated to supporting C/C++. Microsoft also created Verona, a new programming language for secure low-level programming. However, what they trust most is the third branch of the project strategy: supporting "the best opportunity for the industry to solve this problem."
"And we believe that will be Rust," he said.
In terms of performance, Rust is comparable to C/C++ and may even be faster. Rust brings productivity to developers through package management and a modern testing framework. Developers love Rust.
But the main reason Microsoft is so keen on Rust is that it is a memory-safe language with minimal runtime checking. Rust is good at producing correct programs: generally speaking, the compiler checks the program for unsafe operations, which reduces runtime errors. The unsafe keyword is an opt-in, not the default. Unsafe Rust code is always a small subset of a larger body of safe code. For jobs that manipulate raw memory (for example, writing device drivers), unsafe mode must be used. But even here, the unsafe part is encapsulated behind a safe API.
Levick said this ability to program safely should not be underestimated. In fact, it can provide more than a tenfold improvement and is worth investing in. This is mainly because almost all C/C++ code needs to be reviewed for unsafe behaviour, and while unsafe code written in Rust also needs to be reviewed, it is only a small part of most code bases.
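The pattern the two paragraphs above describe, raw-memory work inside an `unsafe` block wrapped by a safe API that checks every precondition, is shown in the added Rust example below. It is illustrative code written for this page, not code from Levick's talk or from Microsoft; the function names and the sample input are constructed for the example. The point for a reviewer is that only the few lines inside `unsafe` need a memory-safety audit, while callers of `copy_prefix` cannot cause an out-of-bounds write no matter what arguments they pass.

```rust
use std::ptr;

/// Copy the first `n` bytes of `src` into `dst`, returning how many were copied.
///
/// The body contains an `unsafe` raw-pointer copy, but the function itself is a
/// safe API: every precondition the unsafe call relies on is checked here, so
/// no caller can trigger an out-of-bounds write. This is the "unsafe code as a
/// small, audited subset behind a safe API" model the talk describes.
/// (Constructed example function; not from the page or from Microsoft.)
pub fn copy_prefix(src: &[u8], dst: &mut [u8], n: usize) -> Result<usize, &'static str> {
    if n > src.len() {
        return Err("n exceeds source length");
    }
    if n > dst.len() {
        return Err("n exceeds destination capacity");
    }
    // SAFETY: `n` is bounded by both slice lengths (checked above), and holding
    // a shared borrow of `src` and an exclusive borrow of `dst` at the same time
    // guarantees the two regions do not overlap.
    unsafe {
        ptr::copy_nonoverlapping(src.as_ptr(), dst.as_mut_ptr(), n);
    }
    Ok(n)
}

/// The same operation in safe Rust only. Here the compiler-inserted bounds
/// checks would panic on an out-of-range `n`; the explicit check turns that
/// into an error the caller can handle instead. No audit of this function is
/// needed for memory safety because it contains no `unsafe` block.
pub fn copy_prefix_safe(src: &[u8], dst: &mut [u8], n: usize) -> Result<usize, &'static str> {
    if n > src.len() || n > dst.len() {
        return Err("n out of range");
    }
    dst[..n].copy_from_slice(&src[..n]);
    Ok(n)
}

// The kind of bug the compiler refuses outright (a dangling reference, the
// Rust analogue of a C use-after-free); left as a comment because it does not compile:
//
//     fn dangling() -> &'static [u8] { let v = vec![1u8]; &v }   // error: `v` does not live long enough

fn main() {
    let src = b"HELLO, WORLD"; // constructed sample input
    let mut dst = [0u8; 8];
    println!("{:?}", copy_prefix(src, &mut dst, 5));
    println!("{:?}", copy_prefix(src, &mut dst, 9)); // rejected: dst holds only 8 bytes
    println!("{:?}", copy_prefix(src, &mut dst, 13)); // rejected: src holds only 12 bytes
}
```

In a C/C++ code base, the equivalent `memcpy` call would have to be reviewed at every call site; here the review is confined to the `unsafe` block and its `SAFETY` comment, which is why Levick's "only a small part of the code base" argument holds.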
Although Microsoft is optimistic about Rust, Levick admits that Microsoft's core developers will not stop using C/C++ any time soon.
"Microsoft has a lot of C++ code and it's everywhere," he said. "In fact, Microsoft will continue to write C++, and will continue to for some time."
Many tools are built on C/C++. In particular, Microsoft binaries are now almost entirely built with the Microsoft Visual C++ compiler, which generates MSVC binaries, while Rust relies on LLVM.
But perhaps the biggest challenge is culture. "Some people just want to do their work in the language they already know," Levick admits.
However, the industry seems to be moving towards Rust. Amazon Web Services uses it, partly for deploying the Lambda serverless runtime and for some parts of EC2. Facebook has started using Rust. So have Cloudflare and Dropbox.
The dates of All Things Open 2020 have been announced: Oct. 20-22.