On Wednesday, 6 June 2012 at 22:04:27 UTC, J.Varghese wrote:
I'm sure most of you have heard of the recent increase of high-profile hacking and security violations: the PlayStation Network, RSA, LinkedIn (today) and thousands of lower-profile attacks. The Flame trojan also marks the rise of highly sophisticated state-sponsored cyberweapons.
I'm not a programmer, so can someone explain this to me: Will programs and operating systems written in D be safer (I speak of both memory safety and security bugs) than existing operating systems written in C and C++? If so, what features and attributes of D make this the case? How much safer is it? Would it be possible to identify all the bugs in an OS written in D (within a reasonable timeframe) or is that still a pipe dream?
Thanks for replying. I have followed the development of D for a while. I just want to know how much safer D is than other languages. Curiosity and all that.
D has a few language features that help to minimize exploits:
- slices
- bounds checking
- stricter type checking
- GC
- reference parameters
- proper strings
- security layers among modules (system, trusted, safe)
Most C and C++ security exploits are due to:
- pointer arithmetic
- null terminated strings
- lack of bounds checking on array access
- usage of pointers to change input arguments
Sure enough, static analysis tools can help, but not everyone makes use of them. Note that the C++ library can help, but it requires that the developers play by the rules.
But no language is 100% foolproof. You still need to take care that data is properly handled (SQL, passwords, etc.), and if the OS does not provide the proper security mechanisms, you can still tweak the assembly code.
--
Paulo
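To make Paulo's list concrete, here is an added example (not code from the thread) that puts three of the D features he names (slices with bounds checking, the @safe/@system split, and ref parameters) next to the C idioms they replace. It assumes a current DMD or LDC compiler; the function names and the sample strings are invented for the demonstration.

```d
import std.stdio;
import core.exception : RangeError;

// C idiom: `char buf[8]; strcpy(buf, input);` -- nothing knows buf's size.
// D idiom: the destination is a slice, so its length travels with it and
// every indexed write is bounds-checked.  @safe makes the check mandatory
// even in release builds (DMD's -release implies -boundscheck=safeonly).
void copyInto(char[] dst, const(char)[] src) @safe
{
    foreach (i, c; src)
        dst[i] = c;   // out of range -> RangeError, not a smashed stack
}

// The same bug written the C way.  It compiles only because the function
// is @system; indexing a raw pointer is rejected by the compiler in @safe
// code.  Never called here, it is shown for contrast only.
void cStyleOverrun(char[] buf) @system
{
    char* p = buf.ptr;
    p[buf.length] = 'X';   // raw pointer indexing is unchecked, exactly as in C
}

// `ref` replaces the C pattern `int parse(const char *s, size_t *out)`:
// no pointer to hand around, nothing to NULL-check, nothing to write past.
void lengthOf(const(char)[] s, ref size_t len) @safe
{
    len = s.length;
}

// main is left @system on purpose: RangeError derives from Error, and @safe
// code may only catch Exception.  Catching it here is for demonstration;
// in a real program a RangeError should be allowed to terminate the process.
void main()
{
    char[8] buf;

    copyInto(buf[], "hello");
    writeln(buf[0 .. 5]);

    try
    {
        copyInto(buf[], "far too long for eight bytes");   // constructed input
    }
    catch (RangeError e)
    {
        writeln("caught out-of-bounds write: ", e.msg);
    }

    size_t n;
    lengthOf("abc", n);
    writeln("length: ", n);
}
```

Compile and run with `dmd -run safe_demo.d`. The caveat Paulo ends on applies here too: the overrun in cStyleOverrun is still available to anyone who writes @system code, and nothing in the language stops you from building a SQL string by concatenation inside a perfectly @safe function.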