After the NSA recommended that organizations switch from C/C++ to memory-safe languages (such as C#, Rust, Go, Java, Ruby, or Swift), Bjarne Stroustrup, the father of C++, responded that in his view, the “safe” programming languages mentioned in the NSA report are not actually superior to C++ for important applications.
Bjarne pointed out that the NSA’s decision ignores more than three decades of advances in C/C++, and that many use cases for C++ are stuck in the distant past, ignoring improvements, including ways to greatly improve security.
Now, if I thought that any of these “safe” languages were superior to C++ in the range of uses I cared about, I wouldn’t think the fading out of C/C++ was a bad thing, but it’s not. Also, “safety”, as described, is limited to memory safety, ignoring the dozen or so other ways a language could (and will) be used to violate some form of safety and security.
Bjarne said that he has been working for decades to achieve a better, safer, and more efficient C++. In particular, the work on the C++ Core Guidelines aims to provide statically guaranteed type-safe and resource-safe C++ to those who need it. A good static analyzer that complies with the C++ Core Guidelines can provide the necessary guarantees for C++ code safety and is much simpler than upgrading to a newer safe programming language.
He criticized the NSA report for focusing only on memory handling issues while ignoring many other programming language issues that affect the safety and reliability of the program. He also recommended using code annotations and compiler options to control which rules are applied, so that types and resources are handled safely. Given the potential damage to the project, he assured the C++ community that security issues are not being ignored, but that security is not the only concern. So he plans to create a list of issues that can be considered security issues (including UB) and find ways to prevent them.
In addition, in a recent email exchange with InfoWorld, Bjarne added, “Too many people talk about the mythical C/C++ language, only to turn around and focus on weaknesses in the C part. Many of these weaknesses are avoidable in C++ and can often be expressed more directly by the programmer by writing more efficient code intention of”.
In the email, Bjarne also shared his definition of security: the goal is type and resource safety, that is, each object is used according to its type, and there is no resource leakage. For C++, this means some runtime range checking, eliminating access through dangling pointers, and avoiding misuse of casts and unions. C++ provides high-level tools such as containers, spans, range-for loops, and variants that provide guarantees without compromising productivity or efficiency. Regarding the so-called safe languages cited by the NSA, Bjarne said that all of these languages are vulnerable to code that has not been statically verified. Additionally, every system must use hardware, and valid hardware access is rarely secure.
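An added example (not from Stroustrup or the NSA report) of the library tools named above, written for C++17: a range-checked container read, a range-for loop, a variant in place of a union, and single-owner resource handling. The names `checked_read`, `sum`, `describe`, `Value`, `Buffer` and `consume` are hypothetical, and using `std::unique_ptr` to illustrate resource safety is an assumption of this example; the article does not name it.

```cpp
#include <cstddef>
#include <memory>
#include <optional>
#include <stdexcept>
#include <string>
#include <utility>
#include <variant>
#include <vector>

// Range safety: vector::at() checks the index at run time and throws,
// where operator[] with the same index would be undefined behaviour.
std::optional<int> checked_read(const std::vector<int>& v, std::size_t i) {
    try { return v.at(i); }
    catch (const std::out_of_range&) { return std::nullopt; }
}

// A range-for loop takes its bounds from the container: no index to get wrong.
long sum(const std::vector<int>& v) {
    long total = 0;
    for (int x : v) total += x;
    return total;
}

// Type safety: a variant records which alternative it holds, so reading the
// wrong one fails loudly instead of reinterpreting bytes as a union would.
using Value = std::variant<int, std::string>;  // hypothetical sample type

std::string describe(const Value& v) {
    if (const int* n = std::get_if<int>(&v)) return "int:" + std::to_string(*n);
    return "string:" + std::get<std::string>(v);
}

bool wrong_alternative_is_rejected(const Value& v) {
    try { (void)std::get<int>(v); return false; }
    catch (const std::bad_variant_access&) { return true; }
}

// Resource safety: one owner frees the buffer exactly once; after the move
// the old handle is null (a defined state) rather than a dangling pointer.
struct Buffer { std::vector<int> data; };  // hypothetical sample resource
std::size_t consume(std::unique_ptr<Buffer> b) { return b->data.size(); }

bool owner_is_empty_after_move() {
    auto b = std::make_unique<Buffer>();
    b->data = {1, 2, 3};
    std::size_t n = consume(std::move(b));  // Buffer is freed when consume returns
    return n == 3 && b == nullptr;
}

int main() { return owner_is_empty_after_move() ? 0 : 1; }
```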
Bjarne also outlined his strategy for using C++ safely:
- Static analysis to verify that no unsafe code is executed.
- Coding rules that simplify code, making industrial-scale static analysis feasible.
- Libraries that make such simplified code fairly easy to write and ensure runtime checks when needed.
There are millions of C++ programmers and billions of lines of C++ code, and major current uses of the language include aerospace, medical instrumentation, artificial intelligence/machine learning, biomedicine, high-energy physics, and more.