Are there safer languages than others?

19

Are some languages safer than others? Or is this not dependent on the language but on the programmer?

Does the language in which a program is programmed interfere with programmer-independent security?

    
asked by anonymous 24.03.2016 / 13:48

3 answers

17

Programming languages or other types of languages are not inherently secure, or insecure. They are a means of expression. Who has to do something secure is the programmer.

Some avoid certain types of problems that cause more insecurities, others ease the error. Some languages may use libraries that may have security holes, but this is rare. Especially it is rare to have the fault in there. What is more common is the person making misuse of what has harmful potential. Library is not language. Not even the implementation of it, is at most the implementation of a plugin that is specified that the language should have.

For example, C has functions that can clearly exploit a buffer overflow . This by itself is not a security problem, the way you use such a function is that it is insecure. In the last analysis it is unsafe to use it, but not that it is insecure. You can use it without incurring security issues.

PHP, just to cite an example, is full of unsafe functions to use. Not that they cause security problems, at least not most, but the programmer has difficulty using them in a secure way. They encourage insecurity. But if you know what you're doing, you can use it. Including mysql_* functions that are considered obsolete.

So it's clear that language can indirectly interfere with security, it's just not a determining factor.

Of course you may have some specific language, probably mainstream that might have a security problem of its own, but there's a joke right there. Of course, hypothetically, someone can write a language that you write if and it opens a door for a hacker to possibly enter as an administrator. It is still a problem of the programmer who made the language and probably the one who chose to use it.

What may have more in a language is the implementation of it (the compiler) generate a security problem, but even so it falls on what I said before. This is probably something transient. You will not see in the specification of a serious language that it should do something unsafe.

To understand this you need to understand What is a programming language? and How is a programming language developed?

    
24.03.2016 / 13:58
8

In contrast to the bigown response I say that languages are inherently secure or insecure in their context of use (say OS programming or web programming) and they are one of the determining factors in the security of your application. This mentality very focused on that "the programmer has to know how to do it right", that "he is responsible" is a delay of life. The programmer is human and he is flawed, he can and will eventually go wrong, unless the language he uses to express his programs does not allow him to make the mistake.

See for example how you have tons of security loopholes always popping up in operating systems and browsers, these are usually written in C / C ++ because of simple things like writing data outside the allocated bounds of an array. You can say that it was the developers who did it wrong, that the fault of their insecurity is theirs and blah, but in the end this does not change the fact that developing something like an operating system in C or C ++ is insecure, language will enable existence of certain security breaches and inevitably these will appear in the code, and this could be avoided by language itself. See for example Rust , a low-level language developed by mozilla; one of the main reasons for its creation was precisely security, in Rust you eliminate a multitude of memory-related security holes, such loopholes being common in C / C ++ code, and the language itself solves this problem by being safe in handling memory.

Another example of a higher level is web programming, think of the classic security problem of this context, SQL injection. It is a divine commandment of web programming that you should escape your data before you play them on queries that are sent to the database (or use prepared statements), however it is not difficult to see people posting codes that do not do this right here in the oveflow stack. This is the fault of the programmer's lack of knowledge (or sloppiness), but would it be language too? yea. Nothing prevents you from designing a web language in which it is impossible to pass non-escaped data to database queries, and then, you have a language that is secure against sql injection, the problem no longer exists regardless of the programmer's action. >

Then to finish: not all security problems are affected by the language used, you put the password of your server in a code that the user can inspect is going to be insecure in any language of the universe, but in general the language in that you develop software interferes directly with the security of the same, regardless of the programmer.

    
28.03.2016 / 19:21
0

"The two things".

If the language exposes certain things to the attack, such as the possibility of null pointers being referenced and giving segfaults, then the language is insecure. It even requires you to police yourself so you do not fall into this breach!

It's like living in a house. The gate is perhaps the safest part, and you will always have to pay more attention to it: if you never forget to keep it locked, use a good lock and just open it when you cross it, well, no problem! But if you use a bad lock, or an oversight forget to lock, well, hope the thieves do not notice!

Or maybe you do not delegate the care of this gate to third parties, like in a closed condominium? Maybe you're interested in this tradeoff ...

Maybe we'll see that by looking at some extremes. For example, assembly language inherently exposes the whole machine to the programmer and is absurdly less secure, whereas Python abstracts the entire machine and is much more secure.

    
29.07.2017 / 21:30