by adev_
2254 days ago
For the sake of God, please stop putting C and C++ in the same basket when talking about security. It just shows you do not know what you are talking about. Most security problems affecting C programs DO NOT affect C++ programs. Stack smashing, VLA abuse, string null-termination problems, goto error control, double-free corruption do NOT affect C++; they are C-specific.

Which is why Google has thrown in the towel and Android 11 will require hardware memory tagging for native code, and now everything is compiled with FORTIFY enabled.
Also, Microsoft research shows otherwise: https://msrc-blog.microsoft.com/2019/07/16/a-proactive-appro...
> ~70% of the vulnerabilities Microsoft assigns a CVE each year continue to be memory safety issues
So yeah, you are correct that C++ does offer the tools not to write C-like security holes.
Now you just need to convince a large spectrum of companies to actually stop doing C idioms while writing C++ code.