|
|
Log in / Subscribe / Register

do memory safe languages matter less now?

do memory safe languages matter less now?

Posted Apr 22, 2026 15:52 UTC (Wed) by josh (subscriber, #17465)
In reply to: do memory safe languages matter less now? by bertschingert
Parent article: Firefox: The zero-days are numbered

On the contrary, I think it *strengthens* the argument for memory-safe languages, and other mechanisms that fix whole categories of security issues.

These models, once more widely available, will massively shorten the time from "shipped vulnerable code" to "discovered and exploited vulnerable code". It's going to be important to eliminate entire classes of vulnerabilities, so that we can do ongoing development with more confidence.

to post comments

do memory safe languages matter less now?

Posted Apr 22, 2026 18:46 UTC (Wed) by wtarreau (subscriber, #51152) [Link] (3 responses)

> On the contrary, I think it *strengthens* the argument for memory-safe languages, and other mechanisms that fix whole categories of security issues.

From the few bug reports I had the opportunity to see, the tool is powerful enough to find complex logic bugs. That places all languages on the same ground. And I would even suggest that some simple usual traditional operations that force you to more complex approaches in memory safe languages to satisfy the compiler's imposed constraints might even be more likely to trigger logic bugs than in traditional languages precisely because of the difficult constraints. So... we'll see.

I think that for now these tools are mostly trained on existing code base and that C, PHP, JS and Python are so much common that they might be more efficient there than on newer and less represented languages like Rust or Zig for example. Thus even the initial statistics do not mean much for the long term. This is an area that progresses in big steps.

do memory safe languages matter less now?

Posted Apr 22, 2026 21:44 UTC (Wed) by josh (subscriber, #17465) [Link] (2 responses)

All languages aren't on the same ground for logic bugs, either. For instance, I think ADTs that support matching, with errors for non-exhaustive matching, help eliminate many logic bugs.

I do think these tools will find bugs in code in every language. The question is where it finds *more*, and which ones are exploitable.

do memory safe languages matter less now?

Posted Apr 23, 2026 8:11 UTC (Thu) by NAR (subscriber, #1313) [Link]

Those stack overflows and stuff can enable the attacker to completely take over the program. Logic errors can be also serious (e.g. transfer money from other people's account), but rarely give complete access to the attacker.

do memory safe languages matter less now?

Posted Apr 24, 2026 9:22 UTC (Fri) by taladar (subscriber, #68407) [Link]

Iterators and functional handling of containers with map/filter/fold/... style higher order functions also eliminate a whole lot of bugs in traditional C loops and in fact contrain what can happen there significantly (e.g. map can never change the number of elements, filter can never increase it,...)

do memory safe languages matter less now?

Posted Apr 23, 2026 15:29 UTC (Thu) by jorgegv (subscriber, #60484) [Link]

Point is, these AI scanners are currently very cost-effective: for a few bucks/mo you can run it over all your code base... which makes it easier to just plug the security review _before_ you "ship vulnerable code".

The AI tools are there for the baddies, but also for code writers. They have just upped the baseline for everyone.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds