As programmers, how many of you have a good understanding of programming safety or secure programming? It’s not the same as application security or cyber security. I have to confess I didn’t know a lot about these in the early years of my career, especially since I didn’t come from a computer science background. But looking back, I think programming security is something every programmer should be aware of and should be taught at a junior level.

If you would rather follow along by watching a video, check out the video of the talk I made on the same topic at FOSDEM’22, on the OktaDev YouTube channel.

Let’s set the context first. What is safe programming, or to be more precise, what does being safe mean for a programming language? Or rather, what does unsafe mean?

Programming safety = Memory safety + Type safety + Thread safety

When we talk about “safety” in programming, we mean some combination of three distinct things: memory safety, type safety, and thread safety. There are four if you count null safety as distinct from memory safety, but we’ll group those two together today.

In a memory-safe language, when you access a variable or an item in an array, you can be sure that you are indeed accessing what you meant to or are allowed to access. In other words, you will not be reading or writing into the memory of another variable or pointer by mistake, regardless of what you do in your program.

So, why is this a big deal? Don’t all major programming languages ensure this? But some languages are unsafe by default, for example C and C++. In C or C++, you can access the memory of another variable by mistake, or you can free a pointer twice, which is called a double-free error. Sometimes a program continues to use a pointer after it has been freed, and that’s called a use-after-free (UAF) error or a dangling pointer error. Such behaviors are categorized as undefined behavior: they are unpredictable and cause security vulnerabilities rather than just crashing the program. In these scenarios, a crashing program is a good thing as it won’t cause a security vulnerability.

It was the invention of the null reference in 1965

Then there is also null safety, which is kind of related to memory safety. I come from a Java/JavaScript background, and we are used to the concept of null. Null is infamous for being the worst invention in programming. Garbage collected languages need a concept of nothing so that a pointer can be freed when unused.
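The three C errors named above (out-of-bounds access, double free, use-after-free) can be turned from undefined behavior into checked failures. The following is an added example, not code from the original post; the `int_buf` type and the `buf_*` helpers are hypothetical names made up for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper type: a heap array that carries its own length. */
typedef struct {
    int   *data;
    size_t len;
} int_buf;

/* Allocate n zeroed ints; returns 0 on success, -1 on failure or n == 0. */
int buf_init(int_buf *b, size_t n) {
    b->data = n ? calloc(n, sizeof *b->data) : NULL;
    b->len  = b->data ? n : 0;
    return b->data ? 0 : -1;
}

/* Unsafe form: `return b->data[i];` reads another object's memory when
 * i >= len, and reads freed memory after free(). This form refuses both. */
int buf_get(const int_buf *b, size_t i, int *out) {
    if (b->data == NULL || i >= b->len) return -1;
    *out = b->data[i];
    return 0;
}

/* Unsafe form: a bare `free(p); ... free(p);` is a double free.
 * Clearing the pointer turns a second call into free(NULL), a defined no-op. */
void buf_free(int_buf *b) {
    free(b->data);
    b->data = NULL;
    b->len  = 0;
}

int main(void) {
    int_buf b;
    int v = 0;
    if (buf_init(&b, 4) != 0) return 1;
    b.data[3] = 42;                                      /* last valid index */
    printf("in bounds:     %d\n", buf_get(&b, 3, &v));
    printf("out of bounds: %d\n", buf_get(&b, 4, &v));
    buf_free(&b);
    buf_free(&b);                                        /* second free is harmless */
    printf("after free:    %d\n", buf_get(&b, 0, &v));
    return 0;
}
```

The checks only cover accesses made through the `int_buf` handle; any raw copy of `b.data` taken before `buf_free` still dangles, which is the gap a memory-safe language closes at compile time or run time.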