On Monday, Russinovich called on the tech industry to leave C / C ++ behind. “Speaking of languages, it’s time to stop starting any new C / C ++ projects and use Rust in those scenarios where[garbage collected] language is required, ”he said. “For the sake of security and reliability, the industry should consider these languages obsolete.”
Speaking of languages, it's time to halt starting any new projects in C/C++ and use Rust for those scenarios where a non-GC language is required. For the sake of security and reliability. the industry should declare those languages as deprecated.
— Mark Russinovich (@markrussinovich) September 19, 2022
Russinovich’s rejection of C / C ++ comes as Linux’s developer Linus Torvalds reportedly confirmed that Rust’s code – except in unforeseen circumstances – will arrive in Linux kernel 6.1, a much-anticipated milestone. The Linux kernel is written in C with a few assemblers and a few gluing scripts.
Rust, designed as a hobby by Graydon Hoare, began taking shape with Mozilla in 2006 and made its public debut in 2010. It started getting serious attention as an alternative to C / C ++ in 2015 with the release of Rust 1.0.
Since then, Rust has been the most popular programming language in the annual StackOverflow survey for seven years in a row – despite its reputation for being difficult to learn – and has been integrated into projects at major tech companies.
Apple, Amazon, Google, Meta, and Microsoft, among others, use Rust to some extent or in production. Cloudflare recently burst out on Pingora, a new HTTP proxy built with Rust that increased performance and reduced CPU and memory usage.
Rust appears to be less prone to potential memory corruption errors, making software less vulnerable to attacks. Microsoft has been talking about ditching C / C ++ and exploring Rust at least from 2019, and is developing its own cloud-oriented, memory-safe programming language called Project Verona. So Russinovich’s call to depreciate C / C ++ is not unprecedented.
About 70 percent of the CVEs it has patched since 2006 are due to memory security issues, according to Microsoft. Eliminating these bugs would dramatically improve software security while reducing the cost of fixing security vulnerabilities.
Register asked Microsoft if Russinovich’s recommendation is being applied company-wide. Redmond declined to comment.
Rust itself does not guarantee the security of the software. Provides protection against memory security errors, but does not address other classes of vulnerabilities.
As the language documentation explains, “Rust includes both a secure and unsafe programming language.” Developers may choose to write Unsafe Rust for certain tasks and may accidentally create unsafe code. And Rust does not deal with attack vectors that are outside the scope of sound software design, such as social engineering. Still, it has features that recommend it.
“Rust continues to grow in popularity for its security, speed and reliability, and the support of such eminent leaders in this field is encouraging,” said Rebecca Rumbul, Executive Director and CEO of the Rust Foundation, in an email to Register. “We hope this kind of support will ultimately drive investment in Rust’s infrastructure and in the talented Rust community, so that Rust can continue to be safe and sustainable in the future.”
Register asked for comment from Bjarne Stroustrup, developer of C ++. We will update this story when we get a reply. ®
Updated to add
Stroustrup came back to us, defending the language he had invented.
“It’s not uncommon for people – especially managers – to fall in love with new and shiny things that promise to make their lives easier,” he told us.
“Also, supporting something new is much more exciting than solving known problems from older and known tools. Unfortunately, it usually takes many years and a lot of effort for new languages to fit into languages matured in their wide areas of application. Enthusiasts rarely see this and are rather one-sided in their comments. ”
“Security is of course extremely important in many contexts, which is why I have been working on increasing security in C ++ for years,” the developer of the language continued.
We can now achieve the guaranteed excellent type and memory security in ISO C ++. This means that each object is used according to the type with which it was defined
“We can now achieve the guaranteed excellent type and memory security in ISO C ++. This means that each object is used according to the type with which it was defined. This means we eliminate the use of dangling pointers, capture range errors, and eliminate data racing. Remember that every “safe” language, including Rust, has vulnerabilities that allow malicious code. ”
Referring to this document, which he co-authored, Stroustrup said: “The basic idea behind the Basic Guidelines is to define a set of rules that must be followed to guarantee security and then enforce them through static analysis. Policies are needed because they’re arbitrary. You can’t prove that your C or C ++ code is safe.
“The code follows the ISO C ++ standard, and people who don’t feel the need for security or can’t update their code yet simply can’t run the analyzer. Partial implementations of such analyzers are available in Microsoft Visual Studio and Clang Tidy and elsewhere. ”
“This, of course, is underway,” he added, “but so are the various attempts to fit C ++ flexibility and performance on a large scale in real-world applications. Billions of C ++ lines have now been implemented.
“Replacing them – or just making them safe (for different definitions of ‘safe’) – is a huge task. It is necessary to do this gradually, or else there will be a huge mass of dangerous C code and old-style C ++ “forever.” Evolutionary approaches often succeed where revolutions fail at great cost. “