
Effective C

Robert C. Seacord, NCC Group

Software Engineering column (editor: Phil Laplante, Penn State), Computer, November 2020. DOI: 10.1109/MC.2020.3016369. Uploaded to ResearchGate by Robert C. Seacord on 15 February 2021.

Digital Object Identifier 10.1109/MC.2020.3016369. Date of current version: 21 October 2020. Computer 0018-9162/20 © 2020 IEEE, published by the IEEE Computer Society, November 2020.

The world runs on code written in C, yet more can be done to help developers learn to write professional, secure, and effective C programs. This article describes why the C programming language has succeeded and what's next for the language from the perspective of a long-term C Standards Committee expert.

Carl Sagan once said, "If you wish to make an apple pie from scratch, you must first invent the universe." Dennis Ritchie and Ken Thompson did not invent the universe at Bell Telephone Laboratories in 1972, but they did create a highly successful system programming language that can work with a wide range of computing hardware and architectures. After 50 years, the C language they invented remains as vital and popular as ever.

System languages are designed for performance and ease of access to the underlying hardware while providing high-level programming features. Although other languages offer newer language features, their compilers and libraries are often written in C. C is layered directly on top of the hardware, making it more sensitive to evolving hardware features, such as vectorized instructions, than higher-level languages that usually rely on C for their efficiency.

According to the TIOBE index, C has been either the most or second-most popular programming language since 2001; it was also TIOBE's programming language of the year in 2019. C is a small, simple language that has remained successful by staying true to its principles. C doesn't prevent the programmer from doing what needs to be done. C programs should be fast, even if they are not guaranteed to be portable. C strives to provide only one way to perform any operation. More recently, C has worked toward making support for safety and security demonstrable.

Many developers no longer formally learn how to program in C. When I attended Rensselaer Polytechnic Institute in the early 1980s, all students learned Fortran, while computer science students, who were thought to be capable of understanding while loops, learned WATFIV-S. Many universities transitioned to teaching C or C++ as entry-level languages, although the dean of the School of Computer Science at Carnegie Mellon University (CMU)
felt C++ was too complex for undergraduates to study. The current advanced placement computer science exam tests students on their knowledge of Java, which, in turn, became a popular first language to teach at the university level. More recently, Python has become popular as an entry-level language at CMU and other universities. Unfortunately, this means it is now increasingly common to get an undergraduate degree in computer science or a related field without learning how to program in C.

Brian Kernighan and Dennis Ritchie published The C Programming Language [4] in 1978. Frequently referred to as K&R C (after the authors), this was the first widely available book on the subject. In 1988, the second edition of the K&R book [5] was published to cover the then-new ANSI C standard, particularly with the inclusion of reference material on the standard library. There have been many C language programming books published since, but none that stand out as a proper introduction to modern, professional C language programming.

Even though the need for C programmers who can develop software for embedded systems, Internet of Things (IoT) devices, and other applications is on the rise, the availability of C programmers is decreasing. The learning path for new C language developers is twisted and runs through murky waters. The need exists for an introduction to C that is widely accessible but not so oversimplified that it promulgates the development of incorrect and insecure code. I published Effective C: An Introduction to Professional C Programming [16] to provide a direct instructional path to writing professional-quality code.

WHY C?

People commonly ask if they should learn a new language and where and when it is appropriate to use that language. This is particularly true for mature languages like C that have lost that "new car smell." Learning a new language requires significant effort; mastering a language can take years of practice. Consequently, it is worthwhile to research the advantages and disadvantages of a language before committing to the effort.

Fundamental tradeoffs exist in computer science, where improving quality attributes such as security, performance, usability, safety, and robustness can result in diminishing other properties. The C language is the natural consequence of the language designer's goals to produce a small and optimally efficient language. The ability to write machine-specific code is one of the strengths of C, but this also means that programmers are not required to write portable code. Languages such as Java prioritize portability over performance.

Most programming languages manually allocate memory and other resources. C and C++ programmers manually deallocate unused objects for greater control. Many programming languages, such as Java, C#, D, and Go as well as most scripting languages, use garbage collection to automatically reclaim memory that is no longer in use by the program. The Boehm–Demers–Weiser conservative garbage collector can be used as a garbage-collecting replacement for C malloc or C++ new, although its use is not common.

LANGUAGE APPLICATIONS AND STRENGTHS

C is known as a systems programming language, so it is not surprising that most operating systems—including Unix; the Microsoft Windows kernel; Linux; the macOS kernel; and the iOS, Android, and Windows Phone kernels—are largely written in C. Most embedded system and IoT devices are programmed in C. Many of the Google open source community's 2,000-plus projects are written in C. Numerous desktop applications are written in C.

C is commonly used in the development of embedded systems because of the efficiency of the generated code, the simplicity and availability of the compilers, and the availability of development tools. C is a good choice for highly constrained environments. For example, microcontrollers are notoriously space constrained, ranging from megabytes of random-access and read-only memory (ROM) to bytes of ROM and only registers for mutable state. The engineering of these systems can be extremely cost sensitive, particularly in the case of mass-produced consumer devices.

Real-time environments that must guarantee their response within specified time constraints or deadlines are frequently written in C. Real-time systems frequently need to ensure that the worst-case execution time in certain code paths is below a certain threshold for a system to be correct. The thresholds are often on the order of hundreds of microseconds. A wide disparity in execution times makes budgeting difficult. Developers need to minimize the maximum runtime, making the use of garbage-collected languages problematic.

Support for arbitrary pointer arithmetic, manual memory management, unchecked memory access, and the lack of a built-in string type shift much of the burden for ensuring the correctness, safety, and security of C language systems to the programmer. To some degree, this is a natural outcome of the language's design goal of not preventing the programmer from doing what needs to be done.
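To make that burden concrete, here is an added C example (mine, not code from the article or from Effective C) that splits a string into heap-allocated fields: with no string type, the programmer counts the fields to size the array, copies each one with an explicit length, and makes every failure path release what was already allocated.

```c
#include <stdlib.h>
#include <string.h>

/* Release a NULL-terminated array of heap strings built by split_tokens.
   Safe to call on NULL and on a partially filled array. */
void free_tokens(char **tokens)
{
    if (tokens == NULL) return;
    for (size_t i = 0; tokens[i] != NULL; i++) free(tokens[i]);
    free(tokens);
}

/* Split s on delim into a NULL-terminated array of heap-allocated copies.
   Returns the array (caller releases it with free_tokens) or NULL if an
   allocation fails, in which case nothing already allocated is leaked. */
char **split_tokens(const char *s, char delim)
{
    if (delim == '\0') return NULL;   /* strchr would match the terminator */

    /* No string type: the programmer counts fields to size the array. */
    size_t count = 1;
    for (const char *p = s; *p != '\0'; p++)
        if (*p == delim) count++;

    /* calloc zero-fills, so the array is NULL-terminated from the start
       and free_tokens is safe even after a partial fill. */
    char **tokens = calloc(count + 1, sizeof *tokens);
    if (tokens == NULL) return NULL;

    size_t i = 0;
    const char *start = s;
    for (;;) {
        const char *end = strchr(start, delim);
        size_t len = end != NULL ? (size_t)(end - start) : strlen(start);
        char *copy = malloc(len + 1);          /* +1 for the terminator */
        if (copy == NULL) goto fail;           /* one exit path frees all */
        memcpy(copy, start, len);              /* explicit length, no overrun */
        copy[len] = '\0';
        tokens[i++] = copy;                    /* i < count by construction */
        if (end == NULL) break;
        start = end + 1;
    }
    return tokens;

fail:
    free_tokens(tokens);                       /* tokens[i..count] are NULL */
    return NULL;
}
```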


Some aspects of the language, such as pointer arithmetic, may just be a historical artifact that cannot be eliminated. Unchecked memory access is largely an artifact of the high cost of checking these accesses in the presence of pointer arithmetic.

C is frequently disparaged with respect to memory-safe languages such as Rust, Go, Ada, and D. I served on the front lines of the C and Ada wars back in the 1980s. I'm glad C won, but I would rather not revisit the conflict as we lost many good people. All of these other languages are relatively new and generally have roughly a 1% market share. This has disadvantages in the number of experienced programmers available to develop code in these languages and the maturity of the ecosystem and tools. There are numerous, mature, sophisticated tools available for C language programmers, including static and dynamic analyzers; if used correctly, they can significantly reduce the number and severity of defects found in C language code.

It is a general misconception that there is any such thing as a "secure language." One language I can speak about extensively is Java. Along with my coauthors, I began the development of The CERT Oracle Secure Coding Standard for Java toward the end of the first decade of the 21st century [10]. What we thought was going to be a small pamphlet evolved to the point where it had to be separated into two volumes [11]. In this context, the term secure is akin to "not well understood." Although Java does successfully address memory safety issues, it introduces a large attack surface that is susceptible to a broad range of security issues, including deserialization vulnerabilities [15]. All languages appear to be susceptible to defects, particularly with respect to input validation, which can lead to vulnerabilities.

WHAT'S NEXT FOR C?

A major revision to the C standard, referred to as C2x, is currently under development. The goal of the C Standards Committee is not to innovate but rather to standardize on existing practices. Before new features are incorporated into the language and library, there has to be sufficient implementation experience to show that these features are being successfully incorporated by C language programmers and that their benefits outweigh their costs.

New innovations can come from academia and industry. One new proposal for C2x, "Defer Mechanism for C," is a collaborative proposal between several researchers and members of the C Standards Committee [2]. This proposal describes an attempt to adopt the defer statement from the Go programming language to the C programming language. Peter Sewell and Kayvan Memarian have been exploring C semantics and pointer provenance [12] at the University of Cambridge Computer Laboratory. Intel has developed a set of special arbitrary-width integer types spelled as _ExtInt(N), where N is an integral constant expression representing the number of bits to be used to represent the type [3]. Aaron Ballman labored tirelessly to introduce attributes to C2x, which are a mechanism by which the developer can attach extra information to language entities with a generalized syntax, instead of introducing new syntactic constructs or keywords for each feature [1]. This work is, in turn, based on implementation experience from the same feature in C++, which itself was based on experience gained using the Microsoft __declspec and GNU __attribute__ features. This flow of innovative proposals from academia and industry shows how the C language continues to evolve and improve in a steady and deliberate fashion.

C has been successful for a long time, and there is no indication that this will change any time soon. Memory-safe languages such as Go and Rust are gaining in popularity but combined still represent less than 2% of the marketplace. C has a considerable advantage in existing code and compiler support for a wide variety of architectures and embedded platforms. Significant ways remain in which the C language, library, and ecosystem can be improved. There is still work required to more precisely define the behavior for parallel execution in C. The future evolution of the C language requires maintaining a balance between preserving existing code and adopting modern language features that can benefit C language developers. Effective C [16] helps newcomers to the language write professional-quality code and circumvent many of the perils of C language programming. This book modernizes one aspect of the C ecosystem and helps propel the entire ecosystem forward.

REFERENCES

1. A. Ballman, "Attributes in C," WG14 N2335, ISO/IEC, Geneva, Switzerland, Mar. 2019. [Online]. Available: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n2335.pdf
2. A. Ballman et al., "Defer mechanism for C," WG14 N2542, ISO/IEC, Geneva, Switzerland, July 19, 2020. [Online]. Available: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n2542.pdf
3. M. Blower, T. Hoffner, and E. Keane, "Adding fundamental type for N-bit integers," WG14 N2534, ISO/IEC, Geneva, Switzerland, June 9, 2020. [Online]. Available: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n2534.pdf

4. B. W. Kernighan and D. M. Ritchie, The C Programming Language. Englewood Cliffs, NJ: Prentice Hall, 1978.
5. B. Kernighan and D. M. Ritchie, The C Programming Language, 2nd ed. Englewood Cliffs, NJ: Prentice Hall, Mar. 1988.
6. Programming Languages—C, ISO/IEC 9899:1990.
7. Programming Languages—C, 2nd ed., ISO/IEC 9899:1999.
8. Programming Languages—C, 3rd ed., ISO/IEC 9899:2011.
9. Programming Languages—C, 4th ed., ISO/IEC 9899:2018.
10. F. Long, D. Mohindra, R. C. Seacord, D. F. Sutherland, and D. Svoboda, The CERT Oracle Secure Coding Standard for Java, 1st ed. Reading, MA: Addison-Wesley, 2011.
11. F. Long, D. Mohindra, R. C. Seacord, D. F. Sutherland, and D. Svoboda, Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs, 1st ed. Reading, MA: Addison-Wesley, 2013.
12. K. Memarian et al., "Exploring C semantics and pointer provenance," in Proc. ACM Programming Languages (POPL), 2019, pp. 1–32. doi: 10.1145/3290380.
13. D. M. Ritchie, "The development of the C language," in Proc. 2nd ACM SIGPLAN Conf. History Programming Languages (HOPL-II), New York, 1993, pp. 201–208. doi: 10.1145/154766.155580.
14. R. C. Seacord, Secure Coding in C and C++, 2nd ed. Boston: Addison-Wesley, 2013.
15. R. C. Seacord, "Combating Java deserialization vulnerabilities with Look-Ahead Object Input Streams (LAOIS)," NCC Group, San Francisco, White Paper, June 15, 2017. [Online]. Available: https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2017/june/ncc_group_combating_java_deserialization_vulnerabilities_with_look-ahead_object_input_streams1.pdf
16. R. C. Seacord, Effective C: An Introduction to Professional C Programming. San Francisco: No Starch Press, Aug. 2020.

ROBERT C. SEACORD is a technical director at NCC Group. He is on the advisory board for the Linux Foundation and a technical expert for the ISO/IEC JTC1/SC22/WG14 international standardization working group for the C programming language. Contact him at robert.[email protected].

Erratum

In the article "Inference Acceleration: Adding Brawn to the Brains" [1], which appeared in the June 2020 issue of Computer, an incorrect URL was given for reference [1] due to a production error. The correct reference is

[1] K. Johnson, "OpenAI releases curtailed version of GPT-2 language model," Venture Beat, Aug. 20, 2019. [Online]. Available: https://venturebeat.com/2019/08/20/openai-releases-curtailed-version-of-gpt-2-language-model/

REFERENCE

1. M. Campbell, "Inference acceleration: Adding brawn to the brains," Computer, vol. 53, no. 6, pp. 73–76, 2020. doi: 10.1109/MC.2020.2984870.

Digital Object Identifier 10.1109/MC.2020.3026508
Date of current version: 21 October 2020
