Why a C++ framework is inappropriate
This is an example of why I think a C++ framework is inappropriate for general business applications:
From article: http://story.news.yahoo.com/news?tmp...4&sid=95609558
Quote:
The first advisory, "Long argv[] Buffer Overflow," warns that an attacker could possibly crash Mac OS X and execute commands as root.
Business apps don't usually need the horsepower that C++ provides. Instead, it should be done using a managed language such as Java or C#. In places where performance tuning is necessary, C++ is acceptable... (Edit: sorry, replace C++ with Objective-C)
Next question that comes to mind is the reliability of the study, since I think I recognize the company that did the study... Is @stake the company that fired that guy for blasting Microsoft security?
Comments
It's about issuing long command line arguments.
This is an implementation bug, plain and simple and easy to fix.
It's also not relevant to frameworks for business applications, because this is a systems programming issue. The sort of high-level abstraction and transparent resource management that are welcome in applications programming are inefficient bloat in systems programming: The whole point of writing an operating system is precisely to manage resources. You can't write the entirety of C#'s garbage collection routines in C#.
Given that, the bulk of OS X is written in C (not C++), as is Right and Proper(TM) for a UNIX. Buffer over- and under-runs have always been a problem, but the solution is to find them and fix them, not to try building an OS in C# or Java.
On the other hand, in this day and age, anyone who sits down and writes a business application in vanilla C (as opposed to C++ or Objective-C) is completely insane. Different tools for different jobs.
I'd suggest you familiarize yourself with Objective-C and the Cocoa frameworks before you go judging it or comparing it to C++, or straight C, or C#. Not because it's TEH BESTEST LANGWAGE EVAR!!!1!!!, but because it's very much its own thing, and although it can be mingled with C++ and C, it's not used like either one in practice.
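The class of bug this thread is arguing about, an over-long argv[] entry copied into a fixed-size buffer, shown beside a bounds-checked version. This is an added illustration, not part of any post and not the Mac OS X code the advisory refers to; the buffer size and function names are made up for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 64  /* constructed size, not taken from the advisory */

/* The bug class: the copy assumes the argument fits. An argv[] entry of
 * NAME_BUF bytes or more is written past the end of dst. */
void store_unchecked(char dst[NAME_BUF], const char *arg)
{
    strcpy(dst, arg);
}

/* The fix: measure within the limit first and refuse what does not fit.
 * Returns 0 on success, -1 if arg (plus its NUL) exceeds dst_size. */
int store_checked(char *dst, size_t dst_size, const char *arg)
{
    size_t len = 0;
    if (dst == NULL || arg == NULL || dst_size == 0)
        return -1;
    while (len < dst_size && arg[len] != '\0')
        len++;
    if (len == dst_size)       /* no terminator inside the limit */
        return -1;
    memcpy(dst, arg, len + 1); /* len + 1 <= dst_size */
    return 0;
}

/* Run every argument through the checked copy; return how many were refused. */
int count_rejected(int argc, char **argv)
{
    char name[NAME_BUF];
    int rejected = 0;
    for (int i = 1; i < argc; i++) {
        if (store_checked(name, sizeof name, argv[i]) != 0) {
            fprintf(stderr, "argument %d too long, refused\n", i);
            rejected++;
        }
    }
    return rejected;
}

int main(int argc, char **argv)
{
    return count_rejected(argc, argv) ? 1 : 0;
}
```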
My argument is that very few business apps require direct memory management. The inappropriateness of this level of system access is evident in the above example because it put the system security at risk because a textbox is vulnerable to a buffer overrun.
How would you define a business app?
A business app is a general-purpose application which assists a company in tasks related to their business process. Perhaps the confusion is that you are being more inclusive with your definition than I am. I am thinking solely of applications which store, manipulate, and propagate business-related data. These types of applications generally have no specialized requirements that would necessitate subjecting its users to the high-risk occupation of direct memory access. When you bring specialized hardware into the equation, I have no disagreement that C is necessary. But a screensaver really has no need to interact directly with the memory.
Originally posted by Amorph
argv[] is as old as UNIX and C.
This is an implementation bug, plain and simple and easy to fix.
Agreed. But this bug is not possible in Java.
Originally posted by Jukebox Hero
Agreed. But this bug is not possible in Java.
It may well be not possible in Java but for that you pay the performance price of 6 to 15 times slower than C++: Source. Benchmarks are never 100% reliable but it is well known that Java is no speed demon.
Originally posted by Jukebox Hero
Agreed. But this bug is not possible in Java.
Of course it's possible in Java. What language is the runtime written in?
Originally posted by Amorph
Of course it's possible in Java. What language is the runtime written in?
Theoretically, you're right. Practically speaking, though, a buffer overflow is pretty much impossible to exploit in something like the JVM.
Originally posted by WJMoore
It may well be not possible in Java but for that you pay the performance price of 6 to 15 times slower than C++
That statement is not only wrong, it's close to meaningless, and doubly so for the type of apps that are being discussed in this thread.
Like it or not, Java is now the standard tool in many areas of software development and its spread is only increasing. This argument raged several years ago, and history has shown that Java won. (Note that its only serious competitor is C#, which basically *is* Java, and the main reason for slow adoption on the desktop is Microsoft's dislike of cross-platform apps.)
Time to move on.