Is C a good choice for security-related software any longer?

Question

C is a rock-solid and widespread programming language that is very popular especially in the FOSS community.

Many security-related software (such as encryption libraries) are written in C and will probably be written in C also in the future. One of the main reasons for it is the great performance and portability of C programs. But the point is that even very experienced software developers can't prevent bugs like buffer overflows. Every year quite a lot security bugs related to memory management are found in even very popular and reviewed software.

So my question to you: Is it still a good idea to write security-related software in C nowadays? Or isn't it "security by design" to choose modern languages like Rust, Go or more high-level languages like Python?

Answer 1

The main and almost unique reason why most software in the Linux ecosystem is written in C is Tradition. Developers see software written in C, libraries with a C-based API, and thus they use C, because that's convenient. Compilers are already there, and work well because the whole OS is written in C.

None of this says that C is good for developing robust software. In fact, C is quite terrible at it. With C, the developer must remain wary of many things at all times. C has many traps ready to be sprung on the smallest mistakes, including:

• Unchecked array accesses, thus allowing for overflows.
• Manual memory management, leading to use-after-free or double-free errors, and memory leaks.
• The dreaded "undefined behaviour" that makes seemingly reasonable expressions run amok (in particular, signed operations that exceed the representable range).
• Portability issues when going to architectures with different lengths for integer types and pointers.

What C is real good at is the following:

• Interacting with an existing set of libraries that offer a C API. C is the lingua franca that allows interoperability between software components on many platforms.

What C is passably good at is:

• Writing very low-level code (e.g. crypto code resistant to timing attacks through fixed memory access patterns) while trying to keep some level of portability.

My conclusion is that C is not a good idea for writing security-related software in general, and has not been so for quite some time already (at least a decade). C is still justified in some specific contexts, in particular if you target embedded platforms (not embedded as in "smartphone", rather embedded as in "smart card"). Instead of looking for reasons to move away from C, it would be more justified to look for specific reasons to keep using C.

Answer 2

You can write secure code in C. Its just that the language is unsafe by default. The safety has to be tacked on manually with extra code (which of course can itself contain bugs).

For that reason, C was never really the best choice for security-critical software. It was used anyway in FOSS because free compilers for it have historically been available on pretty much every platform (by definition for every platform gcc supports).

The general advice for security-critical software, if you aren't tied to a specific language (like C) is to use Ada. That language is at a similar level of abstraction as C or C++, but defaults towards safety (eg: automatic bounds checking for all arrays) with the ability to add code to turn checks off, rather than the other way round.

In particular, there's a subset of Ada called SPARK that is designed specifically for safety and security-critical software. It can also be used for formal verification of software, if you are into that kind of thing.

Answer 3

First of all, for things such as encryption performance matters.

It's the difference between being able to serve hundreds of users or only 10 at a time. And this does bear some security relevance: if your servers are struggling, then they are easy to take out with a DOS attack.

If you ever benchmarked pure python code vs. native code, you will be surprised by how big the differences is.

Secondly, there is no Python/Java without C. Whichever "modern" language you look at, it uses a substantial amount of libraries underneath. And guess what, the majority of these are C libraries.

Now if you write a "security critical" library in such a language you have to worry about 1. problems in your own code 2. problems in the Java/Python code you use 3. problems in the underlying C code (there are frequent security updates to Java!) and 4. problems in the C libraries underneath that may change without you knowing (e.g. OS updates). If you want security relevant code, minimize dependencies.

The amount of C underneath is increasing, not decreasing. This may seem not obvious. But numpy, tensorflow, JavaFX, ... these all use a lot of C code underneath, because of performance.

Many problems could be avoided by careful engineering and verbose programming. For example the OSX "goto fail" bug was caused by programmers not adhering to the best practise of always using brackets...

if (a)
  goto fail;
  goto fail;
somethingelse

is an easy to miss error in most languages (except Python, where you would need two spaces less for the same problem) that can be avoided simply with verbosity:

if (a) {
  goto fail;
  goto fail;
}
somethingelse

It's not as if python would be very helpful at avoiding such problems (in fact, Java compilers would warn you about unreachable code - Python does not, and C compilers can if enabled by the user) ... In the end developer discipline remains a key factor.

C code usually requires much more care for writing; which is not a bad thing for quality. The main drawback is that it is slower to develop.

Answer 4

C has been used by millions of people for over 20 years. Its security flaws, such as the one with scanf() are well known and documented, and there are established and heavily tested workarounds.

A newer language, say perl 6 or python 3 has only been in use for a short time, few people are expert in them, security flaws may exist which are yet to be found, and critical review and documentation is sparse.

Both of these newer languages are much 'larger' than C with vastly more abilities, and it may take hugely more than 20 years before all possible programming constructs have been used, and we can be confident of their security.

Answer 5

It's low-level and totally unsafe by default. Ofcourse it's possible to write secure software -- but you have to be good at it. OTOH: C is low-level and you don't need to include libraries that might have security issues of their own -- this might be good. Also one shouldn't forget that a "secure" language means that there are programs involved which again, are a possible security issue.

Personally I would probably recommend using Rust as it can be sufficiently low-level and is focused on security too.

I would not use any non-native Code (ie. not Java, C#, etc.) except if you deliver you own Runtime. Same thing goes ofcourse to every Library you Link to but this can be avoided in contrast to non-native code.

All in all you should focus on least code possible, ie. make it as simple as you can and don't trust other code. In contrast though, if you can avoid it, don't trust yourself writing secure code -- it's usually no good.

Answer 6

The reason of C's persistence is not a tradition, but a portability and very permissive API+lib. Yes, it does not thinks for you like some high-level trash, the language was made in a strong belief, that it's just a tool for implementing your idea. If the idea itself is designed poorly/with flaws, not just security flaws - no language will totally save it. Yes, some new dumb-programmer-based "products" will try to do it's best to prevent the problem, but they will not succeed, not with all of the problems. Use brain, standard, debugger and valgrind - and you will love C for what it is.