Page 54 - EE Times Europe Magazine

Page 54 - EE Times Europe Magazine – June 2024

P. 54

54 EE|Times EUROPE

Is C/C++ Memory-Safe?

compiles using GCC and executes without error, but in a real-world “I feel people pin a lot on C,
application, the arbitrary data 43690 might cause unpredictable appli- but actually [the
cation behavior or provide an adversary with confidential information. memory-safety problem] also
Commercial toolchains may offer compile-time options to trap such has to do with the way the
errors, but at the penalty of compiler performance. Interestingly, if the ecosystem of tools around
code is edited to write beyond the array size, compilation fails with a the language has developed,”
stack smash error. she said. “They have always
been chasing performance
IS RUST A VIABLE CONTENDER FOR EMBEDDED DEVELOPMENT? over safety. There are no
Of all the memory-safe languages identified by the NSA, Rust is the commercially viable
only contender for embedded systems. The argument for its use is that memory-safe C compilers
a memory-safe language doesn’t require the developer to implement available at the moment,
special memory protection measures; the coding example highlighted but it’s not theoretically
above would fail during execution. But while Rust could potentially impossible.”
move embedded development to another level of memory protec-
tion and CVE mitigation, the impact is massive for the development CODE REUSE, REWRITE
community. There is also the fear that entrusting the language with CHALLENGES
identifying such errors further removes developers from following best Witekio’s Camden Dixie O’Brien Another perspective on the
coding and testing practices. complexities of considering
EE Times Europe asked three embedded development experts to a replacement language for C came from Graeme Wintle, co-founder of
assess the reality of memory safety in C/C++ and the viability of NSA ByteSnap (Birmingham, U.K.): “Memory-safe languages like Rust are
recommendations to use a memory-safe language like Rust. obviously different [but] not that different. Someone with a good grasp
of C would appreciate the basic mechanics of [a language like Rust]. But
ARE THERE WORKAROUNDS FOR C/C++ VULNERABILITIES? you will probably need a clean sheet of paper. You’re not going to be
Bluefruit Software (Redruth, U.K.) is well aware of the memory-safety able to write anything without going through retraining.”
challenges, and “the way that we’re working around it is with best Wintle pointed to the wealth of resources available for a 52-year-old
practices—something that is very important to us,” said director Paul language like C. “There is so much code there, and a lot of it you don’t
Massey. “We use a test-driven development approach on all our proj- really want to reuse, but there is probably a good amount you do want
ects. It’s a bare-minimum to reuse,” he said. “You’re potentially throwing a lot away, or you’re
hygiene practice. In itself, it getting the worst of both worlds by bridging a new, safe environment
doesn’t ensure your memory with some unsafe code on the basis that it’s [already] there, and we’d
is safe, but there’s a set of need to use it rather than rewrite it all again. It’s a difficult one.”
sub-practices within how we
do the test-driven develop- CUSTOMER TRANSPARENCY ON LANGUAGE DECISIONS
ment that can help mitigate Massey told EE Times Europe, “We are programming in Rust more
the risks around memory frequently. It’s becoming more common, but the way that we work with
safety.” our customers is that they are outsourcing their embedded software to
Massey said that Blue- us. We maintain a high degree of transparency in the way that we work
fruit Software tends to use with customers, so decisions like language, the approach to memory
C++ rather than C and that safety, are things we would talk with them about. We would discuss
well-architected object- whether Rust is a good choice on a project-by-project basis.”
oriented code can mitigate Asked whether some
memory-safety problems. He customers were more
added that C++ makes code amenable to Rust, Massey
more testable, supporting answered, “Definitely, and
the company’s use of unit for good reasons. There
testing together with a com- are always lots of factors
Bluefruit Software’s Paul Massey prehensive set of practices. to consider, and we view
language to be an archi-
FEASIBILITY OF A MEMORY-SAFE C COMPILER tectural choice.”
Camden Dixie O’Brien, software engineer at Witekio (Lyon, France, and If a customer decides
Bristol, U.K.), posited that C’s unsafe reputation might not come down to go with Rust, there are
to the language itself. “A lot of the unsafe aspects of C actually have to longer-term implications.
do with the way that C is specified and standardized,” she told Massey said customers
EE Times Europe. “The C standard is full of things with undefined must consider how they
behavior, and that’s to allow for highly performant implementations, will support the project
like highly performant compliers, to generate really efficient code. after the Bluefruit team
“Unless you stick precisely to the defined semantics of the language has delivered it. There
and standardized behaviors, you can easily come to a point where you are fewer Rust developers
are using undefined behaviors,” O’Brien said. “Such behaviors, along than C++ programmers ByteSnap’s Graeme Wintle
with the fact that everyone today uses optimizing compilers, is what available for hire, and “we
really makes C unsafe.” are honest with customers about this,” he said, as “it might be a domi-
You could make a memory-safe compiler if you wanted to, O’Brien nating factor for them. Also, the tools and libraries for Rust are not as
added, but it would be far slower than the C compilers available today. mature as they are for C++.”

JUNE 2024 | www.eetimes.eu

49 50 51 52 53 54 55 56 57 58 59