0

I am a computer science student interested in the field of security and just had a few questions.

What are the pros and cons for using C# for security purposes, I had assumed applications programmed in C# would be more prone to hacking etc. than C++ due to it being a higher level language and therefore being less "powerful" however I have read up online that C++ and C are not usually recommended for security reasons as buffer overflows cause a lot of security problems.

What are the "best" and "worst" programming languages to learn for security and why? Does it just come down to preference?

Apologies for the vague questions, I am still a beginner, please correct me if I have made any mistakes.

Thanks in advance!

Rav
  • 3
  • 3
  • First, define what you mean by Security. People that are bashing C# are most certainly doing this because C# code can be easily *reverse-engineered*. But this has nothing to do with this code's security w.r.t. user experience — user doesn't suffer from using non-obfuscated code. If you are interested in languages that reduce chances of making mistakes (related to security and mistakes in general), then try looking at high level functional languages: Haskell, Agda, etc. – Display Name May 22 '14 at 15:08
  • @SargeBorsch Yeah that's what I thought, C# heavily relies on default Microsoft references with the using statements at least it does from my experience with it. I mean security as in cyber-security, ensuring that a program or site is safe from crackers. I know that is both very broad and vague explanation but I have decided to pursue cyber-security out of personal interest for now and am still very new to it. – Rav May 22 '14 at 15:16
  • One of the reasons C++ is considered "less secure" is because it is a more powerful language and can do stuff that other languages can't if the OS doesn't stop it, such as reading memory it shouldn't (which may let it get at passwords) and writing over other application's memory which can let it inject its own code in another application. – Travis Pessetto May 22 '14 at 15:17

2 Answers2

2

Lower level languages like C and C++ may be referred to as "unsafe" languages because it places a lot of responsibility on the programmer to get things right. For example, when you access and array element arr[i] the C compiler assumes that the programmer knows what he is doing and that i is a valid index for array arr.

Higher level languages such as C# and Java treat the programmer like an idiot and do runtime checks to make sure that arr points to a valid memory location, that i is a valid index for this array, etc. These runtime checks add overhead but in consumer applications where efficiency is not as paramount as keeping development cost low.

If you are interested in security then I would suggest that you study C and C++ since you will come face to face with issues like buffer overflows, heap corruptions, use after frees etc.

Higher level languages like Java are designed for people who don't know or care about security and does all it can to hide these problems from both the user and the programmer, which will not help you learn about these problems, it will just teach you to ignore them.

Many applications are written in high level languages but low level languages will always be relevant because someone needs to build the platforms that run the higher level stuff. Nearly all Java runtime environments are written in C++ and nearly all operating systems are written in C. Scripting languages such as Python Ruby and Perl are written in C. Ruby might be a safe language to program in but there could always be a bug in the underlying virtual machine.

user2675345
  • 1,651
  • 9
  • 10
0

Each language, I suppose, has its own pros and cons from security perspective, but I'm not sure if they can necessarily be classified on the worst-to-best scale.

Many languages, for example, are domain specific, and thus a whole category of security implications may not be applicable to them (or even make them comparable). For example, SQL is a language, but is not a stack-based one, and so it doesn't have a concept of a call-stack (exec statement notwithstanding) and thus stack corruption attacks are not applicable to the SQL language itself (but may still be applicable to SQL DB and/or parser). So you could argue that it's safer (i.e. "better" as you defined it) though I don't really see how you can compare the two as the two have vastly different in capabilities, applicability, purpose, etc.

In other cases, languages may be implementation dependent. In other words, it depends on the interpreter / compiler following the language specifications and specifications being unambiguous. It itself can fall to coding / logic errors.

C# certainly has some mechanisms built into the language/framework that solves some of the pain-points when compared to C/C++. Buffer overflows is certainly one popular attack vector as it is way too easy to make this category of mistake in C/C++, and C# makes it harder (not impossible though as it does allow unsafe constructs), but also has its pitfalls. (That said, given a choice and suitability of both languages for a given task, I'd likely choose C# over C++ in part for it making some of these aspects easier to deal with.) However, vulnerabilities such as SQLI or XSS are not language dependent (though perhaps framework-dependent) but rather are errors of data sanitation / logic. I suppose a website developed in any language (as opposed to framework) would have susceptibility to XSS/SQLI if not careful. Most certainly no language can definitively protect from programmer exposing data that shouldn't be exposed due to logic errors.

Community
  • 1
LB2
  • 420
  • 2
  • 8