Updated Microsoft Azure CTO Mark Russinovich has had it with C and C++, time-tested programming languages commonly used for native applications that require high performance.
On Monday, Russinovich urged the technology industry to leave C/C++ behind. “Speaking of languages, it’s time to halt starting any new projects in C/C++ and use Rust for those scenarios where a non-[garbage collected] language is required,” he said. “For the sake of security and reliability, the industry should declare those languages as deprecated.”
Speaking of languages, it's time to halt starting any new projects in C/C++ and use Rust for those scenarios where a non-GC language is required. For the sake of security and reliability. the industry should declare those languages as deprecated.
— Mark Russinovich (@markrussinovich) September 19, 2022
Russinovich’s dismissal of C/C++ arrives as Linus Torvalds, the creator of Linux, has reportedly confirmed that Rust code – barring unforeseen circumstances – will appear in version 6.1 of the Linux kernel, a much-anticipated milestone. The Linux kernel is written in C with some assembly and some glue scripts sprinkled in.
Rust, designed by as a hobby by Graydon Hoare, started taking shape at Mozilla in 2006 and debuted publicly in 2010. It began to attract serious attention as an alternative to C/C++ in 2015 with the release of Rust 1.0.
Since that time, Rust has been the most loved programming language in the annual StackOverflow Survey seven years running – despite its reputation for being difficult to learn – and has been integrated into projects at major technology companies.
Apple, Amazon, Google, Meta, and Microsoft, among many others, use Rust in some capacity or in production. Cloudflare recently gushed about Pingora, its new HTTP proxy built using Rust, which has boosted performance and reduced CPU and memory usage.
Rust seems less prone to potential memory corruption bugs and this makes software less vulnerable. Microsoft has been talking about dumping C/C++ and exploring Rust at least since 2019 and has been developing its own cloud-oriented memory safe programming language called Project Verona. So Russinovich’s call to deprecate C/C++ is not without precedent.
According to Microsoft, about 70 percent of the CVEs it has patched since 2006 are due to memory safety issues. Eliminating those bugs would dramatically improve software security while reducing the cost of vulnerability remediation.
The Register asked Microsoft whether Russinovich’s recommendation is being adopted company-wide. Redmond declined to comment.
Rust alone will not guarantee software is secure. It provides a defense against memory safety bugs but does not eliminate other classes of vulnerabilities.
As the language documentation explains, “Rust contains both a safe and unsafe programming language.” Developers may choose to write Unsafe Rust for certain tasks and they may create unsafe code unintentionally. And Rust does not address attack vectors that are beyond the scope of sound software design like social engineering. Nonetheless, it has qualities that recommend it.
“Rust continues to grow in popularity for its security, speed and reliability, and it is encouraging to see this support from such prominent leaders in this field,” said Rebecca Rumbul, executive director and CEO of the Rust Foundation, in an email to The Register. “We hope that this kind of support ultimately drives investment in Rust infrastructure and in the talented Rust community, so that Rust can continue to be safe, secure and sustainable for the future.”
The Register asked Bjarne Stroustrup, creator of C++, to comment. We’ll update this story when we hear back. ®
Updated to add
Stroustrup got back to us, defending the language he invented.
“It is not unusual for people – especially executives – to become enamored with new and shiny things that promise to make their lives easier,” he told us.
“Also, backing something new is far more exciting than addressing the known problems of older and well-known tools. Unfortunately, it usually takes many years and major efforts for new languages to match mature languages in their wide application areas. Enthusiasts rarely see that and tend to be rather one-sided in their comments.”
“Safety is obviously critically important in many contexts, so I have worked on increasing safety in C++ for years,” the language’s creator continued.
We can now achieve guaranteed perfect type and memory safety in ISO C++. That is, every object is used according to the type it was defined with
“We can now achieve guaranteed perfect type and memory safety in ISO C++. That is, every object is used according to the type it was defined with. That implies that we eliminate uses of dangling pointers, catch range errors, and eliminate data races. Note that every ‘safe’ language, including Rust, has loopholes allowing unsafe code.”
Referring to this document, which he co-authored, Stroustrup said: “The basic idea of the Core Guidelines is to define a set of rules to be followed to guarantee safety, and then enforce them with static analysis. The rules are needed because arbitrary C or C++ code cannot be proven safe.
“The code is ISO standard C++ and people who don’t feel the need for safety or can’t yet update their code can simply not run an analyzer. Partial implementations of such analyzers are available in Microsoft Visual Studio and Clang Tidy, and elsewhere.”
“This is obviously work in progress,” he added, “but so are the various attempts to match C++’s flexibility and performance at scale in real-world applications. There are billions of lines of C++ deployed today.
“Replacing them – or simply making them safe (for a variety of definitions of ‘safe’) – is a massive task. It is essential to do that gradually, or the vast mass of unsafe C and old-style C++ code will remain ‘forever.’ Evolutionary approaches often succeeds where revolutions fail at great cost.”