218 points signa11 | 1 comments
lou1306 No.43681059
> Using a stricter language helps with reducing some classes of bugs, at the cost of reduced flexibility in expressing a solution and increased effort creating the software.

First of all, those languages do not "help" "reducing" some classes of bugs. They often entirely remove them.

Then, even assuming that any safe language with unsafe regions (Rust, C#, etc) would not give you comparable flexibility at a fraction of the risk... if your flexible, effortless solution contains entire classes of bugs, then there is no point in comparing "effort". You should at least take into account the effort in providing a software with a high confidence that those bugs are not there.

immibis No.43681118
If the language has unsafe regions, it doesn't entirely remove classes of bugs, since they can still occur in unsafe regions.

(Predictable response: "But they can only occur in unsafe regions which you can grep for" and my response to that: "so?")

lou1306 No.43682375
No matter whether you are using C for "freedom" or "flexibility" or "power", 95% of the time you only need that in a very small portion of your codebase. You almost definitely do _not_ need any of that in, say, the logic to parse CLI arguments or config files, which however is a prime example of a place where vulnerabilities are known to happen.
pjmlp No.43690766
Which is why in the past I would reach out to something like Perl in its heyday, given its coverage of the UNIX API as part of the standard library, for anything manipulating CLI tools or config files.

Nowadays pick your scripting language, and if C is really needed, cleanly placing it in a loadable module with all security invariants into that scripting, or managed language, instead of 100% pure C source.

My solution since the early 2000s.
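
Added example, not part of any comment in the thread: a sketch of the split discussed in the last two comments, with config parsing and every bounds check done in Python and only a raw copy left to C (here `ctypes.memmove`). The `NativeRecord` layout, `FIELD_SIZE` and the config keys `name` and `port` are assumptions made for illustration.

```python
import ctypes

FIELD_SIZE = 16  # assumed size of the fixed C buffer, including the NUL terminator

class NativeRecord(ctypes.Structure):
    """Stand-in for a struct owned by a C module (hypothetical layout)."""
    _fields_ = [("name", ctypes.c_char * FIELD_SIZE), ("port", ctypes.c_uint16)]

def parse_config_line(line: str) -> tuple[str, str]:
    """Parse 'key = value' in the memory-safe language; reject anything else."""
    key, sep, value = line.partition("=")
    key, value = key.strip(), value.strip()
    if not sep or not key or not value:
        raise ValueError(f"malformed config line: {line!r}")
    return key, value

def set_name(rec: NativeRecord, value: str) -> None:
    """Enforce the buffer invariants here, then hand off to the raw C copy."""
    raw = value.encode("utf-8")
    if b"\x00" in raw:
        raise ValueError("embedded NUL would truncate the C string")
    if len(raw) >= FIELD_SIZE:  # one byte is reserved for the terminator
        raise ValueError(f"name is {len(raw)} bytes, limit is {FIELD_SIZE - 1}")
    dst = ctypes.addressof(rec) + NativeRecord.name.offset
    ctypes.memset(dst, 0, FIELD_SIZE)
    ctypes.memmove(dst, raw, len(raw))  # unchecked copy, in bounds only due to the checks above

def set_port(rec: NativeRecord, value: str) -> None:
    """Range-check before the value is narrowed to a 16-bit C integer."""
    if not (value.isascii() and value.isdigit()):
        raise ValueError(f"port is not a decimal number: {value!r}")
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    rec.port = port

SETTERS = {"name": set_name, "port": set_port}

def load_config(lines) -> NativeRecord:
    """Build the native record; unknown keys are rejected, not ignored."""
    rec = NativeRecord()
    for line in lines:
        key, value = parse_config_line(line)
        if key not in SETTERS:
            raise ValueError(f"unknown key: {key!r}")
        SETTERS[key](rec, value)
    return rec

if __name__ == "__main__":
    sample = ["name = edge-01", "port = 8443"]  # constructed sample input
    rec = load_config(sample)
    print(rec.name, rec.port)
```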