Bugs and exploits like Heartbleed, WannaCry, and zero-day exploits might seem unrelated at first glance, but all of them stem from an issue that is common in popular programming languages like C and C++.
According to a report by Motherboard, this issue belongs to a category of errors called “memory unsafety,” which exists in decades-old programming languages like C/C++.
What is Memory Unsafety in programming languages?
Alex Gaynor gives an example of a program that has a list of 10 numbers. If someone asks for the 11th element, the program is expected to raise an error of some sort, or at least that’s what a “memory safe” programming language (like Python or Java) would do.
However, in a memory-unsafe language like C/C++, the program looks for the 11th element wherever it would be if it existed and accesses whatever is stored there. This is called a “buffer-overflow” vulnerability, and it is the kind of flaw behind bugs like Heartbleed, which allowed access to up to 60 KB of data past the end of a list, data that often includes passwords and other sensitive information.
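The 11th-element case above, as an added example (not code from the original article or from Alex Gaynor). A constructed 32-byte array stands in for adjacent process memory so every read stays well-defined C; the names `mem`, `get_checked`, `echo_checked` and the sample secret are assumptions for illustration. It goes one step beyond the single index to a Heartbleed-shaped echo that trusts a caller-supplied length.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LIST_LEN 10   /* the list holds 10 numbers */
#define MEM_LEN  32   /* constructed "process memory": list, then other data */
static unsigned char mem[MEM_LEN];

/* Lay out the list at mem[0..9] and an unrelated secret right after it. */
static void setup(void) {
    memset(mem, 0, sizeof mem);
    for (size_t i = 0; i < LIST_LEN; i++) mem[i] = (unsigned char)(i + 1);
    memcpy(mem + LIST_LEN, "hunter2", 7);   /* constructed sample secret */
}

/* What unchecked indexing amounts to: trust the caller's index. */
static int get_unchecked(size_t i) { return mem[i]; }

/* Memory-safe behaviour: refuse any index outside the list. */
static int get_checked(size_t i, int *out) {
    if (i >= LIST_LEN) return -1;
    *out = mem[i];
    return 0;
}

/* Echo `claimed` bytes starting at the list, trusting the caller's length.
 * The demo keeps claimed <= MEM_LEN so the copy stays inside `mem`. */
static size_t echo_unchecked(size_t claimed, unsigned char *out) {
    memcpy(out, mem, claimed);
    return claimed;
}

/* Hardened form: reject a length larger than the list or the output buffer. */
static int echo_checked(size_t claimed, unsigned char *out, size_t out_len) {
    if (claimed > LIST_LEN || claimed > out_len) return -1;
    memcpy(out, mem, claimed);
    return 0;
}

int main(void) {
    unsigned char out[MEM_LEN];
    int v = 0;
    setup();
    printf("unchecked list[10] = '%c'\n", get_unchecked(10));
    printf("checked   list[10] -> %d\n", get_checked(10, &v));
    size_t n = echo_unchecked(17, out);
    printf("unchecked echo(17) leaks: %.*s\n", (int)(n - LIST_LEN), (char *)out + LIST_LEN);
    printf("checked   echo(17) -> %d\n", echo_checked(17, out, sizeof out));
    return 0;
}
```

In real C the out-of-range read is undefined behaviour rather than a predictable leak, which is why the single-array model is used here.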
And this isn’t the only one. There are various types of memory unsafety vulnerabilities with C/C++ such as:
- Type confusion: the program mixes up the type of value that exists at a place in memory.
- Use after free: the program uses a piece of memory even after you are done with it.
- Use of uninitialized memory: the program uses a piece of memory even before you’ve stored anything in it.
The worst part is that these vulnerabilities are prevalent in widely used software such as Firefox, Chrome, Windows, Android, and iOS.
So why are we still using C/C++?
At present, we have new programming languages that are memory safe, such as Python, Java, Rust, and Swift. But they are used in a relatively small number of projects and software.
Important software projects such as Linux, OpenSSL, and the Apache web server are decades old, and they have grown massively in size over time. Simply rewriting them in a new language is an insanely difficult task.
Such gigantic projects need to be incrementally migrated, but again, it requires a lot of time and money. It also means that radical changes will be required in software development teams across companies around the world — which is another obstacle.
But above all, a major reason is that no aspiring coder considers the security aspect of a language while choosing a programming language to learn. It isn’t taught at educational institutions either.
On the other hand, developers don’t want to deal with it either, as many of them believe that it’s not the language itself that is at fault; rather, it’s the other engineers who write buggy code.