[jameswryan]

> And C++ just... doesn't have that many real problems.

70% of security bugs are memory safety issues. That's a lot of real problems.

> It has a lot of irks, but the problems people run into are problems that others already solved, a thousand times, over the last half century, in many different ways for many different iterations of the language.

People run into memory safety issues more often in new C++ code.

https://www.chromium.org/Home/chromium-security/memory-safet...

https://security.googleblog.com/2021/09/an-update-on-memory-...

https://github.com/microsoft/MSRC-Security-Research/blob/mas...

https://media.defense.gov/2022/Nov/10/2003112742/-1/-1/0/CSI...

https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20pre...

https://advocacy.consumerreports.org/research/report-future-...

https://alexgaynor.net/2020/may/27/science-on-memory-unsafet...

https://github.com/google/sanitizers/blob/master/hwaddress-s...

https://security.googleblog.com/2022/12/memory-safe-language...

[dxhdr]

> 70% of security bugs are memory safety issues. That's a lot of real problems.

Run your code in a WASM sandbox or on a GPU, problem solved.

[adgjlsfhk1]

"Run your code in a WASM sandbox" and then your C++ is way slower (and speed is the only reason you were using C++ in the first place)

[xmcqdpt2]

C++ compiled to wasm is just java with extra steps.

[LeFantome]

I totally agree but there are two differences:

- WASM will be available even more places than the JVM

- way more languages will target WASM than ever did the JVM

Personally, I cannot wait for a WASM future.

Being able to target WASM for the 90% of apps that it is fast enough for and being able to use the same language and libraries to target native when required….is going to be awesome.

I really like the CLR. A more widely adopted version of something similar ( WASM ) is attractive.

[pjmlp]

https://en.wikipedia.org/wiki/List_of_JVM_languages

https://en.wikipedia.org/wiki/List_of_Java_virtual_machines

https://en.wikipedia.org/wiki/List_of_CLI_languages

And this ignoring all the bytecode environments that have existed since the 1960's.

[iudqnolq]

Unless you write software that processes input from one user while having data private to another user in memory. So ... quite a lot of software

[josefx]

Which is quite risky even with memory safe languages, if the big exploits in the last decades had anything to show it is that both RAM and CPU can be abused into bypassing any protections in place.

[rng_civ]

> Run your code in a WASM sandbox

Assuming your WASM sandbox is airtight, that would work. But there are still ways to break out or cause damage because within the sandbox, its like a flat address space with 0 modern protections like ASLR, stack canaries, page protection, etc. (unless you manually compile it in yourself). See [0]

* [0]: https://www.usenix.org/conference/usenixsecurity20/presentat...

[chlorion]

There is a lot of code that can't run in a WASM sandbox, like drivers for example.

I do think more things running in WASM or WASM-like VM's could help a lot, but I'm not sure what the GPU part is supposed to mean.

[treis]

>70% of security bugs are memory safety issues. That's a lot of real problems.

Are these really real enough problems, though? If you're defending against state level attackers it's a problem. But how much do these really impact Joe Schmoe average computer user?

[tester756]

Please don't go this way.

People targeted by state level actors are people too, and software should protect them if it can, and not having mem related bugs is definitely possible :)

[alpaca128]

What makes you think state-level attackers cannot affect you? What if they hack a hospital and leak your medical data or mess with life support systems? Or make another train derail in Ohio, or disable another pipeline with a little hack in the middle of winter?

If you oppose change so much that you just shrug in the face of free 70% reduction of risk I don't know what to tell you.

[tracker1]

It's real enough for nearly every company or higher value software target... so, yes, it's a real problem. For that matter, it's real for every person using a computer on the internet.

You don't have to be the final target to be a botnet node... you don't even need to be a specific target to get a keylogger that tracks your logins for financial websites.

Yes... it is REALLY REAL ENOUGH,

[LeFantome]

Sorry, did you mean encryption ransomware? Or DDOS bot swarms? Or crypto mining hijackers? Or corporate sabotage? Or….

Because I think the answer is all of us.

Also, the targets of state level actors are using the same software as the rest of us. If ours is insecure, theirs is too. Have you seen the list of Open Source vulnerabilities the US Gov has not patched?