by yk 4166 days ago
Calling any Turing complete language "more secure" is probably nonsense. It is possible to write secure applications in C, and it is possible to directly pipe attacker controlled input to a shell in Haskell.
4 comments

I know a total of zero working security researchers who think C is just as safe as Scala.

The obvious flaw in your example: you can exec a program unsafely in both C and in Scala, but only in C can you do it accidentally simply by idiomatically copying a string from one place to another.

My claim is not that C is just as safe as Scala, my claim is that the comparison is only valid if you do not think too hard about it. If you implicitly assume some web app, not too experienced programmers and a typical budget, then Scala is less likely to contain remote code execution bugs. But if you worry about timing attacks, then it looks a lot better for C.

FWIW, idiomatically copying a string in C is done using strncpy, and that doesn't introduce any RCE bugs. I would not in my right mind defend the premise that C is just as safe as Scala, but the truth is that sloppy programming can do harm in every language imaginable. It just becomes about damage control.

Sorry, if you get the third argument of strncpy wrong, you are right back in the area of trouble.

Even when you don't get it wrong (i.e., no out-of-bounds writes), you can still get out-of-bounds reads because strncpy does not always null-terminate strings. C strings suck.

To be fair, the real issue here is 'strncpy', whose destination argument does _not_ operate on C strings, despite that its name starts with 'str'.
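The strncpy behaviour the subthread above argues about, as an added example that is not part of any comment in this thread: strncpy with the destination size as its third argument stops writing without a NUL as soon as the source is as long as the buffer, so a later strlen or printf reads past the end. The block checks that with memchr instead of strlen (which would be undefined behaviour on an unterminated buffer) and sets a hypothetical copy_cstr helper beside it that always terminates and reports truncation; BUF, copy_cstr and the sample inputs are constructed for this example and are not libc or anything from the thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF 8   /* small destination buffer, constructed for the example */

/* Does strncpy(dst, src, BUF) leave dst NUL-terminated? dst is pre-filled with
 * 'X' so the only NUL bytes present are ones strncpy itself wrote. */
static bool strncpy_terminates(const char *src) {
    char dst[BUF];
    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, sizeof dst);   /* pads with NUL only when strlen(src) < BUF */
    /* memchr, not strlen: strlen on an unterminated buffer reads out of bounds */
    return memchr(dst, '\0', sizeof dst) != NULL;
}

/* Hypothetical safe helper (not a libc function): always NUL-terminates dst
 * and returns true only when src fit without truncation. */
static bool copy_cstr(char *dst, size_t n, const char *src) {
    if (n == 0) return false;        /* nothing can be stored at all */
    size_t len = strlen(src);
    size_t ncopy = len < n - 1 ? len : n - 1;
    memcpy(dst, src, ncopy);
    dst[ncopy] = '\0';               /* terminator is written unconditionally */
    return len == ncopy;
}

/* Copies src into a BUF-byte buffer with copy_cstr and checks that the buffer
 * is terminated and holds exactly `expect`. */
static bool copy_cstr_gives(const char *src, const char *expect) {
    char dst[BUF];
    copy_cstr(dst, sizeof dst, src);
    return memchr(dst, '\0', sizeof dst) != NULL && strcmp(dst, expect) == 0;
}

/* True when src fits a BUF-byte buffer without truncation. */
static bool copy_cstr_fits(const char *src) {
    char dst[BUF];
    return copy_cstr(dst, sizeof dst, src);
}

int main(void) {
    /* constructed inputs: shorter than, exactly, and longer than the buffer */
    const char *inputs[] = { "short", "exactly8", "this is too long" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%-18s strncpy terminated: %-3s  copy_cstr fit: %s\n", inputs[i],
               strncpy_terminates(inputs[i]) ? "yes" : "NO",
               copy_cstr_fits(inputs[i]) ? "yes" : "no (truncated)");
    }
    return 0;
}
```

The eight-character input is the interesting case: it is not an overflow, strncpy writes exactly BUF bytes, and yet the buffer is unterminated, which is the out-of-bounds read the comment above describes. A helper that writes the terminator unconditionally and surfaces truncation as a return value removes that case from the caller's checklist.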

We can repeat this subthread with examples of UAF bugs, which are equally common, if anyone really wants to get the full flavor of how wrong it is to suggest that C is comparably as safe as Haskell.

Sure, you can do dangerous stuff in any language, but it's much harder to write a secure C program than a secure Python or Haskell program.

It is possible to write secure applications in C

Yes, but is it probable? History says no.

History says that security is a process, not a product (or artifact). I get it that C can be difficult. Pointers allow NULL dereferencing and use-after-free, strings are open to poor handling, etc. That said: we have OpenBSD w/ their re-written string/memory management and static and dynamic analysis tools with decades of development behind them.

I'm more hesitant to crucify C than I feel others are... are we throwing out the baby with the bathwater?

To your comment -- that a C program is probably not secure -- most code written (regardless of language) is probably junk, with different classes of errors. It's tough.

I was thinking of history as what actually happens as opposed to what should happen.

Assessing C# code, for example, you have at least two fewer entire classes of vulnerabilities to look for.

"Calling any Turing complete language "more secure" is probably nonsense."

I just wrote an article on a sensible metric by which you can do exactly that: http://www.jerf.org/iri/post/2942

A lot of people already knew that stuff on one level or another anyhow, but it's helpful to spell it out sometimes and bring subconscious feelings up to the conscious level.