Typical security issues in C++: why the GC isn't your enemy

Sun Jan 22 21:02:06 UTC 2023

On Sunday, 22 January 2023 at 10:08:55 UTC, Timon Gehr wrote:
> On 12/15/22 09:01, Dom DiSc wrote:
>> Best practice should be to use @trusted around as few lines of 
>> code as possible (and of course avoid @system as far as 
>> possible).
>> This is because everything @trusted need to be checked 
>> manually and this is very time consuming.
>
> This is a fallacy. All it achieves is:
>
> - Some incomplete @safe-ty checks in code that should 
> _actually_ be `@system/@trusted` (this part can be useful, but 
> OTOH you will have `@safe` annotations that are fundamentally a 
> lie).
If you want, you can take any @safe function that contains a 
@trusted block as something to be completely manually checked - 
than this system won't make any difference to the current one.

But I'm pretty sure most @trusted blocks didn't invalidate the 
safety of the whole function, because they ARE only a wrapper 
around a @system function call, and it is sufficient to check 
manually, that the system function is called in a safe way, e.g. 
with valid safe parameters.

Most prominent are wrappers around C string functions, that can 
be considered safe if the parameters are checked to have valid 
length, don't point to zero and are indeed null-terminated.
This kind of @trusted blocks are (at least in my code) the vast 
majority.
Only very seldom I do something complicated and unsafe that I 
really do trust - and then I simply mark the whole function with 
a @trusted block.
The difference is only

@trusted fn() {

};

vs.

@safe fn() { @trusted {

} };

But what we gain is that @save/@system is then a binary attribute 
and not a cumbersome tri-state anymore. Everything is either safe 
or not.

> - Unknown scope of _actual_ `@trusted`, you will have to 
> manually check _`@safe`_ code as well, and a priori you will 
> have no idea how much of it you have to check (this part is 
> terrible).

Why is this terrible? In worst case you have to check exactly as 
much code manually as you do today. But in most cases you have to 
check much less.

> It certainly does not help you minimize the number of lines you 
> have to check.

Again, why? Most @trusted blocks are isolated one-liners.