Why C Remains the Gold Standard for Cryptographic Software
11 points by tsg
It’s also worth noting a couple of things about memory safety:
First, cryptography code tends to (intentionally) have very simple data structures and lifetimes. You have a key, some plaintext, some cyphertext, and a context structure. That’s basically it for almost all crypto code. That’s much easier to get right for a lot of arbitrary C code.
Second, there are things like the bounded C model checker that are good at checking this kind of code, so you can write guaranteed memory-safe C code with these structures.
But none of that applies to the protocol bits of something like TLS and there are far fewer good reasons for choosing C there.
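An added example (not from the thread or any real library) of the shape the comment above describes: a key, a small context structure, caller-owned buffers, and every access bounded by an explicit length, with a harness for CBMC, the bounded C model checker the comment refers to. The names `ctx_t`, `xor_crypt`, `self_check` and `harness` are hypothetical, and the keystream is a placeholder, not a cipher.

```c
#include <stdint.h>
#include <string.h>

/* Added example (not any real library's code): the "key, buffers, context"
 * shape the comment describes, written so every memory access is bounded by
 * an explicit length and a bounded model checker (CBMC) can discharge it. */
#define KEY_LEN 16
#define MAX_MSG 64                      /* bound used by the CBMC harness */

typedef struct { uint8_t key[KEY_LEN]; uint64_t counter; } ctx_t;
/* Toy keystream: NOT a cipher, just something for the buffer handling to do. */
static uint8_t keystream_byte(const ctx_t *c, size_t i) {
    return c->key[i % KEY_LEN] ^ (uint8_t)(c->counter + i);
}
/* XOR in_len bytes of in with keystream into out. Returns 0, or -1 when a
 * pointer is NULL or out cannot hold in_len bytes (the check most C memory
 * bugs are missing). Indices never exceed the lengths the caller passed. */
int xor_crypt(ctx_t *c, const uint8_t *in, size_t in_len,
              uint8_t *out, size_t out_len) {
    if (c == NULL || in == NULL || out == NULL) return -1;
    if (out_len < in_len) return -1;
    for (size_t i = 0; i < in_len; i++) out[i] = in[i] ^ keystream_byte(c, i);
    c->counter += in_len;
    return 0;
}
/* Concrete check: encrypt then decrypt with the same key/counter round-trips,
 * and a too-short output buffer is rejected. Returns 1 on success. */
int self_check(void) {
    ctx_t enc = { {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16}, 0 }, dec = enc;
    const uint8_t msg[5] = { 'h', 'e', 'l', 'l', 'o' };   /* constructed input */
    uint8_t ct[5], pt[5], small[3];
    if (xor_crypt(&enc, msg, 5, ct, sizeof ct) != 0) return 0;
    if (xor_crypt(&dec, ct, 5, pt, sizeof pt) != 0) return 0;
    if (memcmp(pt, msg, 5) != 0) return 0;
    return xor_crypt(&enc, msg, 5, small, sizeof small) == -1;
}
#ifdef __CPROVER
/* Proof harness, compiled only by CBMC; lengths are nondeterministic, so every
 * size up to MAX_MSG is explored:
 *   cbmc this.c --function harness --bounds-check --pointer-check --unwind 65 */
size_t nondet_size_t(void);
void harness(void) {
    ctx_t c; uint8_t in[MAX_MSG], out[MAX_MSG];
    size_t in_len = nondet_size_t(), out_len = nondet_size_t();
    __CPROVER_assume(in_len <= MAX_MSG && out_len <= MAX_MSG);
    int rc = xor_crypt(&c, in, in_len, out, out_len);
    __CPROVER_assert(rc == 0 || out_len < in_len, "fails only on short output");
}
#endif
```

A normal compiler never sees the harness; CBMC does, and with `--bounds-check` it reports any index that could leave `in` or `out` for some length pair the `__CPROVER_assume` permits.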
WolfSSL's own vulnerability page paints a very different picture than this article: many, if not the majority, of the disclosed vulnerabilities appear to be caused by memory corruption.
(As David Chisnall points out, there's an important distinction between algebraic cryptographic code and protocol-level cryptographic code. The former is fine to write in C and assembly, the latter is where almost all of the memory (and type-state) bugs are and would seemingly benefit dramatically from languages that are both memory safe and stronger-typed than C. The latter is also, I suspect, a much larger proportion of most cryptographic libraries' actual source code.)
Edit: from a quick look, 11/20 of the most recent advisories on their site concern memory unsafety.
In any programming discipline where C is the gold standard, we should be working to make the gold standard some other language, one with fewer footguns and less room for error.
I am not an expert, but
Among our most interesting findings is that only 27.2% of vulnerabilities in cryptographic libraries are cryptographic issues while 37.2% of vulnerabilities are memory safety issues, [...].
I hate that this sounds like an LLM repeating the same argument ten times in a row.
I’m worried that’s what it might actually be.
What is in Rust, including the standard library, and what is in the supply chain? Same question for C and for Go. Zig etc. are probably not mature enough yet.