Are programs/OSes written in D more secure than programs written in C/C++?
Kapps
opantm2+spam at gmail.com
Wed Jun 6 20:18:13 PDT 2012
On Wednesday, 6 June 2012 at 22:04:27 UTC, J.Varghese wrote:
> I'm not a programmer, so can someone explain this to me: Will
> programs and operating systems written in D be safer (I speak of
> both memory safety and security bugs) than existing operating
> systems written in C and C++? If so, what features and attributes
> of D make this the case? How much safer is it? Would it be
> possible to identify all the bugs in an OS written in D (within a
> reasonable timeframe) or is that still a pipedream?
>
D helps with a few security bugs related to memory by making a
few things nicer.
But probably not the ones you're thinking of. The VAST majority
of security problems you hear of are simply due to stupidity. SQL
injection is probably one of the most common exploits nowadays,
and no programming language will save you from that. These
exploits aren't directed to the language, but rather to external
software / protocols and libraries to interface with them. For
example, with SQL, you send a message to an external program (a
database). SQL injection then is an attacker being able to put in
their own things into that message when the server sends the
message with your input.
However, in your libraries, there are ways to prevent certain
bugs that are present in D but not so much in most other
languages. For example, with most other languages, if you want
someone to input a string to your function (in this case a string
that represents a message to send to a SQL database), you don't
know how that string was formed. In D, you could guarantee that
this string was determined at compile time and thus prevent any
strings that are made with user input, and thus completely
prevent SQL injection. SQL databases have a protocol where you
can send the input fields separately, and just have the original
message refer to them instead of giving the actual values, and
that's what you would use here. Again though, this is just D
providing a feature for a library to use, not something that the
D compiler will do for you.
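
The library-level guarantee described in the message above, as an added example that is not part of the original post: the query text is a template value parameter, so it has to be known at compile time, and runtime input can only travel as a separately bound value. `Statement`, `placeholders`, `prepare` and `concatenated` are hypothetical names, and no real database driver is involved.

```d
import std.conv : to;
import std.stdio : writeln;

// Hypothetical stand-in for a driver's prepared statement: the SQL text and
// the bound values are kept (and would be sent) separately.
struct Statement
{
    string sql;
    string[] params;
}

// Counts '?' placeholders; simple enough to run at compile time (CTFE).
size_t placeholders(string sql) pure
{
    size_t n;
    foreach (char c; sql)
        if (c == '?')
            ++n;
    return n;
}

// `sql` is a template value parameter, so it must be known at compile time.
// Runtime data can only enter through `args`, which are bound, not spliced.
Statement prepare(string sql, Args...)(Args args)
{
    static assert(placeholders(sql) == Args.length,
        "number of placeholders does not match number of arguments");
    Statement s;
    s.sql = sql;
    foreach (a; args)
        s.params ~= to!string(a);
    return s;
}

// The pattern the library is meant to rule out: input becomes part of the message.
string concatenated(string name)
{
    return "SELECT * FROM users WHERE name = '" ~ name ~ "'";
}

void main()
{
    string input = "x' OR '1'='1"; // constructed sample input
    writeln(concatenated(input)); // the quote in the input changes the query
    auto st = prepare!"SELECT * FROM users WHERE name = ?"(input);
    writeln(st.sql, "  params: ", st.params); // query text is unchanged
    // Rejected by the compiler, because `input` is not known at compile time:
    // auto bad = prepare!("SELECT * FROM users WHERE name = '" ~ input ~ "'")();
}
```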