Exploits and Bugs like WannaCry, Heartbleed, and Zero-Day might seem unrelated and unrealistic at first glance, but all of them share one root cause and that is common in popular coding languages like C and C++.
A report from Motherboard stated that this issue belongs to a category of errors called “memory unsafety,” which exists in decade-old programming languages like C and C++.
What is Memory Unsafety?
Alex Gaynor a software developer from Washington D.C provides an example of a program where there is a list of 10 numbers.
Theoretically, when someone asks for the 11th element, the program is expected to show some sort of an error, or at least that’s what a “memory safe” programming language (like Python or Java) would do.
But in the case of memory-unsafe languages like C and C++, the program looks up for the 11th element wherever it is supposed to be or if it existed and surely access its content. This is called a “buffer overflow” vulnerability that is exploited by bugs like HeartBleed.
And this isn’t the only one. There are various types of memory unsafety vulnerabilities with C and C++ such as:
- Type confusion: it mixes up the type of value that exists at a place in memory
- Use after free: it uses a piece of memory even after you are done with it
- Use of uninitialized memory: it uses a piece of memory even before you’ve stored anything on it.
The worst part is that these vulnerabilities are widespread in widely used software such as Firefox, Chrome, Windows, Android, and iOS.
So why are we still using the C and C++?
It’s true that right now we have some new programming languages that are memory safe for example Python, Java, Rust, and Swift. But they are used in a relatively smaller number of projects and software.
Important software projects like OpenSSL, Linux, and the Apache web servers are decades old, and they have grown massively in size over time as well. So, simply rewriting them in a new language is an insanely difficult task to do.
Such huge projects need to be incrementally migrated, but again, it requires a lot of time, money and effort. It also means that radical changes will be required in software development teams across companies around the world — which is another obstacle.
But above all, a major reason is that no aspiring coder or programmer considers the security aspect of a language while choosing a programming language to learn. It isn’t taught by educational institutions either. So keep this in mind.
On the other hand, developers don’t want to deal with it as many of them believe that it’s not the language fault, rather it’s the other engineers who write buggy codes.