Typical security issues in C++: why the GC isn't your enemy
Nick Treleaven
nick at geany.org
Mon Dec 12 12:53:42 UTC 2022
On Monday, 12 December 2022 at 11:07:00 UTC, Siarhei Siamashka wrote:
> You have my 100% support here. But the tricky thing is that the
> majority of the current D language community seems to disagree
> with us, as evidenced by the apparent rejection of DIP 1028.
That was unpopular because extern(C) functions silently defaulted
to @trusted, a major security hole. However, I am concerned about
breakage if the default changes, and the lack of a @trusted
block. The latter means you can't encapsulate @trusted code
easily if it contains a return statement because you have to wrap
it in a lambda (which repurposes that return). It could be
abused, but we need to give programmers practical tools and not
make things unnecessarily difficult and noisy. Rust has `unsafe`
blocks.
> What kind of dangers are threatening the users of @system code?
> This needs to be explained better. Especially considering that
> every beginner pretty much starts using @system code by default
> even before knowing that there's a choice.
What about deprecating defining `main` without a
@system/@trusted/@safe attribute? Then users have to make a
choice. If they choose @safe then anything main calls has to have
a safe interface.
> Another interesting observation is that despite my
> recommendation to add "@safe:" at the top of the source file,
> this person still plastered the @safe attribute all over the
> place in the next code snippet. Also not recognizing this
> syntax doesn't seem uncommon:
> https://forum.dlang.org/post/ddhxlvprhdpqrhkbxuyb@forum.dlang.org
I almost never use `@safe:` because it prevents @safe attribute
inference.
> And at the same time the same community wants to promote D as a
> safe language. People do get upset when, let's say, NSA is not
> listing D as an example of a safe language.
Even if D was safe by default, would the NSA really list it? They
seem to only list some examples of better-known languages:
"Examples of memory safe language include C#, Go, Java®, Ruby™,
Rust®, and Swift®."
https://media.defense.gov/2022/Nov/10/2003112742/-1/-1/0/CSI_SOFTWARE_MEMORY_SAFETY.PDF
Of course, if D can encourage/default to using @safe that may
make the language more popular by helping market it.
> === how to fix all of this ===
>
> My suggestion is still the same: the compiler should start
> making noise whenever a function gets the @system attribute
> assigned to it by default. Similar to deprecation warnings.
> This message does not have to abort compilation and the
> existing DUB packages should still build successfully (despite
> the '-w' option). The text of the message may look like this:
>
> "The function 'foobar' got @system attribute by default. If
> this is really what you want, then please add '@system:' at the
> top of the source file or read this <URL> for detailed
> explanations."
>
> I think that this will provide a gentle push/reminder for the
> maintainers of the existing packages. Also beginners will learn
> about the @safe attribute much faster.
Sounds more appropriate for a linter.
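As an added illustration of the @trusted-lambda workaround discussed above (example code written for this thread, not from any poster or from the D project), here is the pattern Nick describes, including the way a `return` inside the lambda is repurposed; it uses only `core.stdc.string.memcpy` from the standard library.

```d
// Added example, not from the thread: the @trusted-lambda workaround
// Nick describes, and why a `return` inside it is repurposed.
import core.stdc.string : memcpy;   // @system C function

// Copies src into dst.  Only the memcpy is unsafe, so only it is
// wrapped in an immediately called @trusted lambda; the length check
// in front of it is what justifies the @trusted claim.
@safe bool copyInto(ubyte[] dst, const(ubyte)[] src)
{
    if (src.length > dst.length)
        return false;            // returns from copyInto itself
    // The early exit must stay outside the lambda: a return in here
    // would leave the lambda, not copyInto.
    () @trusted { memcpy(dst.ptr, src.ptr, src.length); }();
    return true;
}

// The pitfall: the inner `return` only leaves the lambda, so this
// version reports success even when nothing was copied.
@safe bool copyIntoWrong(ubyte[] dst, const(ubyte)[] src)
{
    () @trusted {
        if (src.length > dst.length)
            return;              // leaves the lambda, not copyIntoWrong
        memcpy(dst.ptr, src.ptr, src.length);
    }();
    return true;                 // reached on both paths
}

// Because main is @safe, everything it calls must present a @safe
// or @trusted interface; calling memcpy directly here would not compile.
@safe void main()
{
    ubyte[4] buf;
    assert(copyInto(buf[], [1, 2, 3]));
    assert(buf[0] == 1 && buf[2] == 3 && buf[3] == 0);
    assert(!copyInto(buf[], [1, 2, 3, 4, 5]));      // rejected
    assert(copyIntoWrong(buf[], [1, 2, 3, 4, 5]));  // silently "succeeds"
}
```

A @trusted block, or Rust-style `unsafe` block, would let the length check and the copy sit in one scope with an ordinary early `return`; the lambda forces the check outside or turns the return into a silent fall-through as in `copyIntoWrong`.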