To: Bjarne Stroustrup
From: Stephen Leibowitz
Date: January 21, 1999
I have read your comments about Java security in your FAQ. I think the problems you refer to have to do with the Java virtual machine. It is a sizable software system, and there have been some bugs. Other Internet-related software, such as browsers and e-mail programs, have also had security problems. It has been my impression that when specific Java security problems came to light, corrections were developed. Also, an additional Java security option is becoming available, in the form of signed certificates. I don’t think that we will ever be certain that Java is completely secure. However, I would suggest that for many people, the combination of Java security and a moderate degree of caution, is already “good enough.”
The reason I mention this is because I have been thinking of a variation of the question in your FAQ. The FAQ question was, “Is Java the language you would have designed if you didn’t have to be compatible with C?” Instead, my question is, “What would an Internet version of C++ look like?” This assumes that one can accept the idea of downloadable Internet applets in the face of less than absolute security.
Here are a few thoughts of mine on what an Internet version of C++ would be like:
There would be changes, mostly in the form of restrictions, in order to make it reasonably secure. Even so, the result would be more similar to regular C++ than is Java. While Java has similarities to C++, it also has many differences that are unrelated to its Internet function. An Internet version of C++ would have advantages compared to Java:
Java has the concept of a sandbox environment on the user machine. The downloaded Internet program runs within this highly restricted environment, and (hopefully) cannot access resources outside of the sandbox without user permission. This is a good concept and should be used.
Interestingly, in 1994 you touched upon some of the C/C++ security problem areas when discussing garbage collection. In D&E, you wrote, “Some garbage collection schemes require banning several basic C facilities, such as pointer arithmetic, unchecked arrays, and unchecked function arguments as used by printf().” You also wrote, “Some C++ operations, such as ill-behaved casts, unions of pointers and non-pointers, pointer arithmetic, etc., are seriously detrimental to garbage collectors. These operations are generally infrequent in well-written C++ code, so it is tempting to ban them.”
I think the STL would serve as a substitute for some of the things that cause security problems.
The Limbo language has a feature known as slicing, roughly an extended form of subscripting. The language documentation says that slices can be used to accomplish what would need to be done with pointer arithmetic in C. It might be a worthwhile extension to C++.
I have read that delete can be considered a security problem. The reasoning is that corruption problems could occur if you delete the same piece of memory twice. As I see it, there are two possible solutions. One is that the memory management system could be fortified to reliably check that the memory had not already been deleted. The other possible solution would be to do away with delete (use automatic garbage collection). Of course, this second solution would also deal with memory leaks.
Security is one thing that an Internet language would need. Another is cross-platform capability. The standard libraries would have to cover additional areas, especially a GUI. I don’t have detailed thoughts on this, but I would hope that any additional standard libraries make good use of the language features. I say this because I am familiar with a large C++ library that is a defacto standard, and which I think sets an example of how not to do it.
No doubt there are many other security, portability, and other issues that I have not addressed. But I would be interested in knowing if you think a version of C++ along these general lines would be feasible and useful.