Hacker News new | past | comments | ask | show | jobs | submit login

What do you think of C++ and timing attacks? What do you think of the surface area of the C++ runtime itself? How do you find auditors for C++ code, when the standard is so big no one person could possibly understand it all?

These are genuine questions, it would be great to hear your answers about these things :)




> What do you think of C++ and timing attacks?

Same underlying machine model => same mitigation techniques apply as in C.

> surface area of the C++ runtime itself

No RTTI and no exceptions => no runtime. (By "runtime" I mean code necessary to support language features, not the C++ standard library. E.g., without RTTI and exceptions C++ is as suitable for building an OS as C is.)

Still, RTTI and exceptions are table-driven and I'd worry about their integrity if somebody manages to change the RTII and exception tables embedded in the executable. Largely prevented by signing executables. (Oh, the irony :-))

> How do you find auditors for C++ code [..cut]

More than half of the standard text is dedicated to standard library. I've heard it been said (I've not checked myself) that the description of the core language is only slightly longer than that of Java or C#.

But standard size is not that relevant. Reasonable C++ code is easy to write (for an experienced developer), easy to understand, and auditors can always "fail" the code if they don't know what's going on.

Auditing is expensive, so you have a lot of incentives to write reasonable code from the start.


> I've heard it been said (I've not checked myself) that the description of the core language is only slightly longer than that of Java or C#.

Here is a comment which links to a talk in which Herb Sutter says it:

https://news.ycombinator.com/item?id=7094239




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: