Log in

No account? Create an account

Cloudflare's little problem, and using C

« previous entry | next entry »
Feb. 25th, 2017 | 12:27 pm

A lot's been written already about Cloudflare's recent issue. The short version is that a bug in HTML parsing in certain Cloudflare modules lead to the inadvertant exposure of potentially sensitive data. There's detailed background information here, straight from the horse's mouth; and if you believe the talking heads that suggest you will be Safe™ if and only if you change your password on all sites using Cloudflare, someone has taken it upon themselves to attempt and compile an extensive list.

I'm not gonna dwell on any of this. What's more interesting is the fact that this is, fundamentally, a buffer overrun. That's the sort of bug that's possible in C but not in memory-safe languages, which predictably lead to arguments between the respective proponents of the two, with the former crying "don't blame the tool, blame the user for not using it right" and the latter replying "a tool that is that difficult to use safely is still a bad tool".

The latter attitude is summed up quite well in this quote on LWN:

Let me say that more explicitly and emphatically: *C (and whoever selected C) is at fault*.

You want to get from point A to point B. You see people running a three-legged race from A to B, via an icy road, wearing one roller blade and one ice skate, while pair-juggling three chainsaws with exposed wires and no blade guards, powered by hypergolic rocket fuel and plutonium. You can't help but marvel at the skill required. When you observe one of the inevitable impromptu flaming-amputation-splenectomies, your first reaction shouldn't be to analyze the very last thing they did leading up to it and decide you can avoid making that mistake yourself. Nor should you interview the people who make it to the end and ask them for their detailed advice on safer techniques for maintaining a grip on the chainsaws while sliding through the turns. Nor should you seek out gloves that offer a better grip. *The biggest mistake is getting involved with that whole mess in the first place.*

That analogy is as appropriate as it is amusing. Of course it is perfectly possible to use C safely, but humans make mistakes, even smart ones, and mistakes may not be obvious (even after close, independent scrutiny by several experts), and they may be quite fatal. A good tool fails gracefully and safely, and C doesn't.

I've been saying for many years that C is basically an optimizing macro assembler with automatic register allocation. In particular, C is an assembly language. C offers the same amount of protection that assembly does – read: none –, and if you don't feel comfortable programming in assembly then you shouldn't program in C either. (In fact pure assembly is arguably less dangerous than C, because the lack of the usual higher-level facilities that C provides means that people won't be tempted to use assembly.)

And that's before the C compiler is actively and deliberately sabotaging your code. (Here's another post mentioning the same thing.)

Link | Leave a comment | Share

Comments {0}