41
Feds: Critical Software Must Drop C/C++ by 2026 or Face Risk (thenewstack.io)
submitted 7 hours ago by arendjr@programming.dev to c/programming@programming.dev
17 comments fedilink hide all child comments
all 18 comments
sorted by: hot top controversial new old
[-] sp3tr4l@lemmy.zip 39 points 6 hours ago

... Are the Feds aware that the core systems that many, many older companies (and government agencies) use are still based on COBOL?

Is... is that not of any concern?

[-] aubeynarf@lemmynsfw.com 11 points 5 hours ago

Is COBOL subject to buffer overflows and use-after-free bugs? I honestly don’t know.

I don’t recall the COBOL code I’ve read using pointers.

[-] sp3tr4l@lemmy.zip 3 points 1 hour ago

The problem I am aware of is moreso that the number of programmers that know COBOL is vanishingly small, it ... COBOL does not seem to really be taught anymore...

...so if something goes wrong at that level, you may be SOL if you cannot find an increasingly rare programmer that knows COBOL well.

[-] wewbull@feddit.uk 40 points 7 hours ago

That sounds like policy written by somebody who has no idea what the reality of software development is.

1 year to rewrite critical software in a new language?

[-] nous@programming.dev 43 points 5 hours ago

Did you read the article at all?

“Putting all new code aside, fortunately, neither this document nor the U.S. government is calling for an immediate migration from C/C++ to Rust — as but one example,” he said. “CISA’s Secure by Design document recognizes that software maintainers simply cannot migrate their code bases en masse like that.”

Companies have until January 1, 2026, to create memory safety roadmaps.

All they are asking for by that date is a roadmap for dealing with memory safety issues, not rewrite everything.

[-] IsThisAnAI@lemmy.world 1 points 5 hours ago

Solid detective work Lou.

[-] perviouslyiner@lemmy.world 14 points 7 hours ago* (last edited 6 hours ago)

Seems excessive to convert everything to rust when you can use std::shared_ptr and std::weak_ptr to eliminate the memory safety issue?

[-] arendjr@programming.dev 13 points 4 hours ago* (last edited 1 hour ago)

Using smart pointers doesn’t eliminate the memory safety issue, it merely addresses one aspect of it. Even with smart pointers, nothing is preventing you from passing references and using them after they’re freed.

[-] refalo@programming.dev 1 points 48 minutes ago

To be fair, it's entirely possible to make the same and very similar mistakes in Rust, too.

[-] psycotica0@lemmy.ca 7 points 4 hours ago

I get what you're saying, but I think the issue with optional memory safety features is that it's hard to be sure you're using it in all the places and hard to maintain that when someone can add a new allocation in the future, etc. It's certainly doable, and maybe some static analysis tools out there can prove it's all okay.

Whereas with Rust, it's built from the ground up to prove exactly that, plus other things like no memory being shared between threads by accident etc. Rust makes it difficult and obvious to do the wrong thing, rather than that being the default.

[-] magic_lobster_party@fedia.io 4 points 4 hours ago

From the original document:

Software manufacturers should build products in a manner that systematically prevents the introduction of memory safety vulnerabilities, such as by using a memory safe language or hardware capabilities that prevent memory safety vulnerabilities. Additionally, software manufacturers should publish a memory safety roadmap by January 1, 2026.

My interpretation is that smart pointers are allowed, as long it’s systematically enforced. Switching to a memory safe language is just one example.

[-] cmnybo@discuss.tchncs.de 21 points 7 hours ago

I wonder how many issues rewriting everything in another language will create?

[-] Sonotsugipaa@lemmy.dbzer0.com 12 points 7 hours ago

That is an extremely oddly specific cysec issue they're choosing to target...

[-] BlazeDaley@lemmy.world 7 points 4 hours ago

It’s one backed by a lot of data. One example is from the Android project.

The percent of vulnerabilities caused by memory safety issues continues to correlate closely with the development language that’s used for new code. Memory safety issues, which accounted for 76% of Android vulnerabilities in 2019, and are currently 24% in 2024, well below the 70% industry norm, and continuing to drop.

https://security.googleblog.com/2024/09/eliminating-memory-safety-vulnerabilities-Android.html

There’s an argument that critical infrastructure software vendors are already meeting standards for basic, non-memory related items. Yes, there are other categories, but memory safety is one that’s harder to verify. Moving to memory safe languages is an ensure a category of correctness. This excludes usage of unsafe escape hatches.

[-] MyNameIsRichard@lemmy.ml 8 points 7 hours ago* (last edited 7 hours ago)

Feds have found a way to hack rust /s?

[-] sp3tr4l@lemmy.zip 11 points 6 hours ago

DARPA has unironically been funding a tool that purports to translate C / C++ into Rust...

https://www.darpa.mil/program/translating-all-c-to-rust

[-] jia_tan@lemmy.blahaj.zone 6 points 7 hours ago

🦀🦀🦀

this post was submitted on 01 Nov 2024
41 points (88.7% liked)

Programming

17305 readers
186 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 1 year ago
MODERATORS
snowe@programming.dev
Ategon@programming.dev
MaungaHikoi@lemmy.nz