Why C/C++ programs are vulnerable Link to heading

C and C++ are popular programming languages that are widely used in a variety of applications, from operating systems to video games…

Why C/C++ programs are vulnerable Link to heading

C and C++ are popular programming languages that are widely used in a variety of applications, from operating systems to video games. However, they are also notoriously memory unsafe and prone to security vulnerabilities, so much so that National Security Agency (NSA) publicly urges organizations to move away from C/C++. In this story, I will explore why programs written in C/C++ are so susceptible to memory-related bugs and provide concrete examples of how these vulnerabilities can lead to security exploits. I will also discuss alternatives to C/C++ that offer more built-in memory safety features.

Why pick on C/C++? Link to heading

C and C++ are prone to memory-related vulnerabilities for mainly two reasons.

1. They provide low-level control over memory management, which can be both a strength and a weakness—it eliminates the performance overhead of garbage collection, but at the same time requires programmers to carefully manage memory allocations and deallocations, which can be difficult to do correctly and securely.
2. C/C++ lack built-in safeguards against common memory-related bugs like buffer overflows and use-after-free errors. While modern compilers can help detect some of these bugs, they are not foolproof and may miss some vulnerabilities.

Other popular modern languages, such as Java, C#, or Python, provide built-in memory safety features like automatic memory management, which can help prevent common memory-related vulnerabilities.

Memory-related vulnerabilities in C/C++ Link to heading

Memory-related vulnerabilities in C/C++ are a common cause of security exploits. Some of the most well-known memory-related vulnerabilities in C/C++ include buffer overflows and use-after-free errors. Let’s take a closer look at each of these.

Buffer overflows occur when a program tries to write more data to a buffer than it can hold. This can overwrite adjacent memory, causing unpredictable behavior or even crashing the program. In some cases, a buffer overflow can be used to overwrite critical data or inject malicious code into a program’s memory, leading to arbitrary code execution.

The code below shows a buffer overflow vulnerability. If the user input argv[1] is longer than 10 characters, it will overflow the buffer. An attacker could use this vulnerability to execute arbitrary code by carefully crafting the input string. To avoid this, the programmer should check the length of the user input before copying it to the buffer. Java, for example, automatically checks the array bounds, so the programmer does not have to worry about this.

#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[]) {
  char buffer[10];
  strcpy(buffer, argv[1]);
  printf("%s\n", buffer);
  return 0;
}

Use-after-free errors are a type of memory corruption bug that happens when a program tries to use memory that has already been deallocated. This can lead to various problems, such as program crashes, unexpected behavior, or security vulnerabilities. For example, a use-after-free error can allow an attacker to execute malicious code or take over the program’s execution.

To illustrate this, let’s look at the code snippet below. The variable c is a reference to the first element in the queue q. However, when the queue’s pop() method is called, the element is removed from the queue and its memory is freed. This means that c becomes a dangling reference, i.e., a reference to an invalid object. In the next line, the program tries to write to the memory location pointed by c, which is not allowed. This could potentially overwrite some important data or instructions in the program’s memory. In languages that manage memory automatically, this would not happen, as the object will not be released until all references go out of scope.

#include <queue>
using namespace std;

int main() {
  using Point = pair<int, int>;
  queue<Point> q;
  q.push(Point(1,2));
  Point &c = q.front();
  q.pop();
  c.first = 3;
  return 0;
}

C/C++ are powerful programming languages that offer low-level control over memory management. However, this also exposes them to memory-related vulnerabilities, such as buffer overflows and use-after-free errors. These vulnerabilities can compromise security and allow attackers to execute arbitrary code. In the modern world, where security is paramount, we as developers should prioritize memory safety over performance optimization whenever possible. Therefore, we should choose memory-safe alternatives over C/C++ when the situation allows, just as NSA urges.

There are several programming languages that are designed to be more memory-safe than C/C++, such Java, C#, and Rust. These languages provide built-in memory safety features to help prevent common memory-related vulnerabilities. While these languages may require a learning curve for programmers familiar with C/C++, they can provide significant benefits in terms of code security and reliability.