For those of us who write kernel mode / ring0 code, what language are you suggesting we write in? Name a good typesafe language that you have PRACTICALLY seen to write kernel mode code in. Especially on Windows and the Linux platform. I am not trying to fuel the argument over which language is better, it comes down to the right tool for the right job. I know back in December ljknews suggested PL/I and Ada, but who has actually seen production code in either Windows or Linux using it?
Lets face it. You aren't going to normally see Java or C# in kernel code (yes I am aware of JavaOS and some guys at Microsoft wanting to write everything in their kernel via managed code) but its just not going to happen in practice. C and ASM is the right tool in this area of code.
I said this back in December and think its worth repeating. What is the C language downfall is also its best strength. It is a double edged sword that really SHOULD be mastered by those who need it, but by many is treated like a child's $5 plastic toy... wielded by the inexperienced who don't know any better. The reality is instead of avoiding it, we should include the proper teachings to use it safely, and correctly. I think that if we try to sidestep the issue, we will end up using the wrong tool at the wrong time. We shouldn't fear using languages like C and C++, we just need to know its place, know its fallibilities and deal with it.
Cripin is right; new code SHOULD be written in a type safe language unless there is a very strong reason to do otherwise. The reality is that many developers don't know when that right time is. And resulting is poor choice in tools, languages and structure. I'd love for someone to show me... no... convince me, of a typesafe language that can be used in such a place. I have yet to see it for production code, used on a regular basis.
Now whats interesting is that some people are starting to get this. If you look at some of the latest DDK builds coming out of Microsoft you now see advancements in tools to handle this. Tools like prefast can do a lot to analyze code, and the new Static Driver Verifier goes to the next level when tracing code execution paths and checking for faults in drivers traditionally written in C. They further extend that with safer string functions (<ntstrsafe.h>) and deeper inspection in code as well as lots of training to bring people up to skill in secure programming through some of their MSDN webcasts. Now, I am NOT saying Microsoft is the company I would look to for a model in this area, but I am seeing the effort there. The trick is actually educating the developers to use the tools, and use them properly. (RATS and StackGuard were some good ones Crispin pointed out).
Its the right tool for the right job. And although you can pound a square peg through a round hole if you beat it hard enough... it doesn't mean its the right thing to do. Nor is right to assume you can use typesafe languages as the panacea for secure coding.
-- Regards, Dana Epp [Blog: http://silverstr.ufies.org/blog/]
