
The C programming language is terrible. I mean, magnificent, too. Much of the world in which we live was built atop C. It is foundational to almost all computer programming, both historically and practically; there’s a reason that the curriculum for Xavier Niel’s revolutionary “42” schools begins with students learning how to rewrite standard C library functions from scratch. But C is no longer suitable for this world which C has built.

I mean “terrible” in the “awe-inspiring dread” sense more than the “bad” sense. C has become a monster. It gives its users far too much artillery with which to shoot their feet off. Copious experience has taught us all, the hard way, that it is very difficult, verging on “basically impossible,” to write extensive amounts of C code that is not riddled with security holes. As I wrote two years ago, in my first Death To C piece:


In principle, as software evolves and grows more mature, security exploits should grow ever more baroque … But this is not the case for software written in C/C++. Buffer overflows and dangling pointers lead to catastrophic security holes, again and again and again, just like yesteryear, just like all the years of yore.

We cannot afford its gargantuan, gaping security blind spots any more. It’s long past time to retire and replace it with another language. The trouble is, most modern languages don’t even try to replace C. […] They’re not good at the thing C does best: getting down to the bare metal and working at mach speed.


If you’re a developer you already know where I’m going, of course: to tout the virtues of Rust, which is, in fact, a viable C/C++ replacement. Two years ago I suggested that people start writing new low-level coding projects in Rust instead of C. The first rule of holes, after all, is to stop digging.

Security tips when programming in C (2017 edition):
1) Stop typing
2) Delete what you've already typed

— ryan huber (@ryanhuber) June 21, 2017

Today I am seriously suggesting that when engineers refactor existing C code, especially parsers and other input handlers, they replace it — slowly, bit by bit — with Rust. Per this excellent Geoffroy Couprie post:


We have to do something. We must make our software foundations stronger. That means fixing operating systems, drivers, libraries, command line tools, servers, everything. We might not be able to fix most of it today, or the next year, but maybe 10 years from now the situation will have improved.

Unfortunately, we cannot rewrite everything. […] What I’m advocating for is much simpler: surgically replace weaker parts but keep most of the project intact. […] You can actually take a piece of C code inside an existing project, import the C structures and functions to access them from Rust, rewrite the code in Rust, export the functions and structures from Rust, compile it and link it with the rest of the project.

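What that surgical replacement looks like in practice, as an added example that is not code from the article or from Geoffroy Couprie's post: a small packet-header parser, the kind of input handler the piece is talking about, rewritten in Rust but exported under the C ABI so the existing C callers keep calling the same symbol. The packet format (version byte, flags byte, big-endian 16-bit length, payload), the `pkt_header_t` struct, the `pkt_parse_header` name and the return codes are all assumptions made up for this illustration; substitute whatever the project being refactored actually declares.

```rust
// Added example (not from the article or from Geoffroy Couprie's post): a
// packet-header parser rewritten in Rust and exported with the C ABI, so the
// C callers in a hypothetical existing project keep calling the same symbol.
//
// Hypothetical C declaration this replaces (assumed, not from the page):
//   typedef struct { uint8_t version; uint8_t flags; uint16_t length;
//                    const uint8_t *payload; } pkt_header_t;
//   int pkt_parse_header(const uint8_t *buf, size_t len, pkt_header_t *out);
use std::slice;

/// Mirror of the C struct. #[repr(C)] fixes the field layout the C side expects.
#[repr(C)]
#[derive(Debug)]
pub struct PktHeader {
    pub version: u8,
    pub flags: u8,
    pub length: u16,
    /// Points into the caller's buffer, exactly as the C version did; it is only
    /// valid for as long as that buffer is. That lifetime is still the C side's
    /// problem; Rust only guarantees the parse itself cannot read out of bounds.
    pub payload: *const u8,
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    TooShort,
    BadVersion,
    BadLength,
}

/// Safe core of the parser. Every bounds check lives here, in ordinary Rust,
/// where an out-of-range access is an Err (or at worst a panic), never a
/// silent overread of the caller's buffer.
pub fn parse_header(buf: &[u8]) -> Result<PktHeader, ParseError> {
    if buf.len() < 4 {
        return Err(ParseError::TooShort);
    }
    let version = buf[0];
    if version != 1 {
        return Err(ParseError::BadVersion);
    }
    let flags = buf[1];
    let length = u16::from_be_bytes([buf[2], buf[3]]);
    // get() rejects a length field that claims more bytes than the buffer
    // holds: the classic C overread that follows from trusting `length`.
    let payload = buf
        .get(4..4 + length as usize)
        .ok_or(ParseError::BadLength)?;
    Ok(PktHeader { version, flags, length, payload: payload.as_ptr() })
}

/// C-ABI wrapper with the same signature as the function it replaces.
/// Returns 0 on success and a negative code on failure. (On the Rust 2024
/// edition the attribute is spelled #[unsafe(no_mangle)].)
#[no_mangle]
pub extern "C" fn pkt_parse_header(buf: *const u8, len: usize, out: *mut PktHeader) -> i32 {
    if buf.is_null() || out.is_null() {
        return -1;
    }
    // SAFETY: the C contract is that `buf` points to `len` readable bytes and
    // `out` to writable storage for one pkt_header_t; the null checks above are
    // the only part of that contract we can verify from this side.
    let bytes = unsafe { slice::from_raw_parts(buf, len) };
    match parse_header(bytes) {
        Ok(header) => {
            unsafe { out.write(header) };
            0
        }
        Err(ParseError::TooShort) => -2,
        Err(ParseError::BadVersion) => -3,
        Err(ParseError::BadLength) => -4,
    }
}

fn main() {
    // Constructed sample packet: version 1, flags 0x80, length 3, payload "abc", one trailing byte.
    let pkt = [1u8, 0x80, 0x00, 0x03, b'a', b'b', b'c', 0xff];
    match parse_header(&pkt) {
        Ok(h) => println!("version={} flags={:#x} length={}", h.version, h.flags, h.length),
        Err(e) => println!("parse failed: {:?}", e),
    }
    // Same header with a length field claiming 300 bytes: rejected instead of overread.
    let bad = [1u8, 0x80, 0x01, 0x2c, b'a', b'b', b'c'];
    println!("oversized length -> {:?}", parse_header(&bad));
}
```

The split matters: the safe `parse_header` is where the logic and the tests live, and the thin `extern "C"` shim is the only place that touches raw pointers, so the unsafe surface is a few lines that can be reviewed against the C contract. To link it into the C project, build the Rust side as a `staticlib` (or `cdylib`) crate and leave the C header and call sites untouched; the linker resolves `pkt_parse_header` to the Rust symbol.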

Rust is not a panacea, of course. There are many other valuable approaches to improving software stability and security (formal verification, for instance, or the Langsec movement). But it is a plausible and valuable iterative approach, and we are only going to dig ourselves out of our giant collective security hole iteratively, one shovelful of better code and better tooling at a time. The sooner we start digging, the sooner C will slowly oxidize away.
