LabVIEW

---

@josborne wrote:

Thanks for all the comments!  I think this issue of "memory safety" is still a bit hard to grasp.  But this ONCD report is about cybersecurity not about bugs.  So the ONCD isn't worried if you create buggy code, its worried that hackers can take advantage of "non-memory-safe" code to cause damage.... right?  

---

That's for many purposes the same thing. Buffer overflow exploitation is one such possibility that is enabled by buggy code. While it doesn't need to crash, or at least under normal circumstances won't, such overflows can be exploited by injecting specially crafted data streams that will either overflow in a way that the process will crash (Denial of Service) or even more nefarious, that it places strategic bytes into memory (for instance on the stack) and then causes the program flow to branch into attacker controlled code that can suddenly do anything the current process is allowed to do. There are other such vulnerabilities. In C/C++ these kind of errors are very easy to make, and then can be exploited if you find them. In LabVIEW, aside of bugs contained in LabVIEW itself, it is very hard to make such errors since LabVIEW does not have pointers that can one moment point to an object, the next moment be a function. IMHO if you put languages like C# or Java into the memory safe camp, LabVIEW easily can be put in the same. C# is in principle originally simply a Java clone that Microsoft created in order to not have to license Java from Sun Microsystem. At the same time Microsoft tried to keep it as close to C as possible, but not allow the same unsafe operations, although they initially did compromise quite a bit on that front.

If you really want to play the safe card, you should look at Rust or other such languages which were specifically designed to avoid all these possibilities to do unsafe memory operations. But while LabVIEW wasn't specifically designed for that, it ranks fairly high on that scale too.

Rolf Kalbermatter
My Blog