The Internet can have serious problems due to languages ​​like C and C ++ that contribute to the appearance of vulnerabilities.

 3r3147. 3r3-31. Hi, Habr! I present to you the translation of the article " Internet aurait de sérieux problèmes à cause de langages comme et c ++ favorisant la survenue de failles " 3r3133.  3r3147. 3r3133.  3r3147.

But there are very few developers who care about

3r3133.  3r3147. One bug affects the iPhone, the other - Windows, and the third - servers running Linux. At first glance, these bugs have nothing in common, as they concern different platforms: Android, iOS, macOS, Windows, Linux. However, in reality, everything is different, according to Alex Gaynor, a software security engineer at Mozilla, who previously worked at USDS (United States Digital Service). 3r3133.  3r3147. 3r3133.  3r3147.
[1] [/b] 3r3355. Read more - 3r320.
, hereinafter approx. translator. 3r3133.  3r3147. 3r3143. 3r3143. 3r3133.  3r3147. During the third “Weakest Link”, the annual event organized by Motherboard Vice,
 3r3147. 3r3133.  3r3147.
[2] [/b] 3r3355. Read more - 3r3133.  3r3147. 3r3143. 3r3143. 3r3133.  3r3147. on computer hacking and cyber security in the future, Alex Gaynor raised a serious problem that, in his opinion, could threaten the Internet, but, paradoxically, leaves developers completely indifferent. 3r3133.  3r3147. 3r3133.  3r3147. Gaynor explained that the three previously mentioned bugs exist because the software they affect on different platforms was written using programming languages ​​that have an unpleasant tendency to contribute to “memory unsafety” errors, allowing access to unallocated areas of memory. 3r3133.  3r3147. 3r3133.  3r3147.
[3] [/b] 3r3355. Most likely, it was meant that accessing the 6th element of an array consisting of 5 elements is permissible, although in other programming languages ​​that are more “safe”, at least an error message will be displayed. 3r3133.  3r3147. 3r3143. 3r3143. 3r3133.  3r3147. This category of errors can lead to bugs and security vulnerabilities while accessing memory. 3r3133.  3r3147.
3r3365. 3r3133.  3r3147. By allowing for memory unsafety errors, programming languages ​​such as C and C ++ can contribute to the spread of an almost infinite stream of critical security vulnerabilities over the years. An example of these vulnerabilities is 3r3134.  3r3147. 3r3133.  3r3147.
inconsistency types
buffer overflow
overflow of integer variables
use after free vulnerability
 3r3147. 3r3386. 3r3133.  3r3147. A type mismatch can occur when a code segment does not check the type of the object passed to it and uses it blindly. This situation can be dangerous. In addition, along with the type mismatch, incorrect function pointers or incorrect data are associated with the wrong part of the code, which in some cases can lead to its execution. 3r3133.  3r3147. 3r3133.  3r3147. Buffer overflow (or "English" buffer overflow ") is a critical security vulnerability that occurs when a user enters a string that will be in an array of undersized characters. This results in writing data outside the memory area allocated for the array. HeartBleed, for example, which had an impact on 17% of secure servers on the Internet, was a buffer overflow vulnerability that could read 60KB after the end of the list, including passwords and other user data. 3r3133.  3r3147. 3r3133.  3r3147. Overflowing of integer variables is a hard-to-find vulnerability that exploits the fact that numbers cannot exceed a certain value, which depends on the number of bits used to represent them, and the encoding method. 3r3133.  3r3147. 3r3133.  3r3147. The use after free vulnerability usually occurs when using a pointer or in-memory data when the pointer (or block of memory) is already released. 3r3133.  3r3147. 3r3133.  3r3147. Together, these vulnerabilities are exploits that are most commonly found in popular software, such as Firefox, Chrome, Windows, Android, or iOS. Gaynor has already counted at least 400 and claims: “I have followed the security of these projects for more than a year, and in almost all versions of these products more than half of the vulnerabilities are“ memory unsafety ”. And even more alarming is the fact that the heavy and critical vulnerabilities[]almost always have this type. ” 3r3133.  3r3147. 3r3133.  3r3147. Despite the significant risks associated with the security of software that they support, programming languages ​​“memory unsafety friendly”, such as C or C ++, are still used by developers, while proven alternatives, such as Rust, Swift, that can be considered as languages ​​“memory safe”, rare. 3r3133.  3r3147. 3r3133.  3r3147. This may be due to the fact that for a new project, developers tend to choose a programming language based on languages ​​that their team knows, performance, and library systems that can flow from this choice. When making decisions, the security component associated with this is almost never considered, or at least is considered insufficiently, Gaynor believes. 3r3133.  3r3147. 3r3133.  3r3147. In addition, most software projects, even the most important ones for Internet security, are not new. They were launched ten years ago, if not more. Linux, OpenSSL and the Apache web server, for example, for more than twenty years. For large-scale projects like these, rewriting all the code in a new language is not an option. They must be transformed gradually, which means that projects must be written and saved in two different languages ​​instead of one. It also implies the need to form a large team, which takes a lot of time and requires more funds. 3r3133.  3r3147. 3r3133.  3r3147. The biggest problem, finally, is related to the fact that many developers do not believe at all that a problem exists. They believe that the problem is not that languages ​​such as C or C ++ contribute to the emergence of vulnerabilities, but in other programmers who write code with errors. They believe that there are no problems with these supposedly “memory unsafety friendly” languages, because no code is perfect, people just do not know how to use them. 3r3133.  3r3147. 3r3133.  3r3147. And what do you think about this? 3r3133.  3r3147. 3r3133.  3r3147.
3r3133.  3r3147. I note that the sound criticism of the translation is also welcome. 3r3133.  3r3147. 3r3133.  3r3147. Thanks for attention! 3r3143. 3r3147. 3r3147. 3r3147. 3r33140. ! function (e) {function t (t, n) {if (! (n in e)) {for (var r, a = e.document, i = a.scripts, o = i.length; o-- ;) if (-1! == i[o].src.indexOf (t)) {r = i[o]; break} if (! r) {r = a.createElement ("script"), r.type = "text /jаvascript", r.async =! ? r.defer =! ? r.src = t, r.charset = "UTF-8"; var d = function () {var e = a.getElementsByTagName ("script")[0]; e. ): d ()}}} t ("//"""_mediator") () (); 3r3141. 3r3147. 3r3143. 3r3147. 3r3147. 3r3147. 3r3147.
+ 0 -

Add comment