Bjarne Says C++ Is Under Attack

TL;DR

C and C++ memory safety failures are linked to manual memory management errors like out-of-bounds reads/writes and are described as a major source of vulnerabilities in large codebases.

Briefing Cornell Notes

Briefing

Bjarne Stroustrup, the creator of C++, has issued a call for urgent action from the C++ community and standards body after U.S. cybersecurity guidance and other experts pushed memory-safe languages like Rust, Go, and Java toward the center of security policy. The core claim is that C and C++’s manual memory management leaves too many opportunities for memory safety failures—out-of-bounds reads/writes, dangling pointers, and related bugs—that have become a dominant source of vulnerabilities and costly exploitation in large codebases.

The pressure point is policy. A U.S. government report from CISA (issued last October) advises that by January 1, 2026, manufacturers using memory-unsafe languages should produce a memory-safety roadmap that eliminates memory-safety vulnerabilities or switch to a memory-safe programming language. That timeline has intensified skepticism toward C and C++, even as the C++ ecosystem has proposed multiple “safer C++” pathways—such as Safe C++, bounds-checking approaches, and other profiles-based ideas—rather than a wholesale replacement.

Stroustrup’s intervention centers on a “profiles” framework aimed at making memory safety enforceable in C++ without abandoning the language. In a February 7 note to the C++ standards committee (WG21), he frames the moment as more than incremental progress: it’s a need for a public narrative and visible, credible steps that can compete with the industry’s strong momentum toward Rust. The argument also leans on C++’s long-standing goals around type safety and resource safety, positioning memory safety as an extension of C++’s original design aims.

Not everyone is convinced. Critics argue that “opt-in” safety is unlikely to be adopted widely, and that marking code with profiles could break existing language features—effectively forcing developers to rewrite code to keep compiling. There’s also a deeper concern that memory safety cannot be guaranteed consistently across compilation units when developers mix subsets, extensions, and different safety modes.

That skepticism is echoed in related technical pushback. A visiting researcher at the University of Cambridge and a systems architecture director at SECI Semiconductor questions language-level solutions when real systems span multiple languages. Even if Rust or C++ code is “safe,” unsafe boundaries—such as foreign-function interfaces—can reintroduce memory hazards. The same concern applies to interruption and cross-language integration: safety models can fail when other components don’t respect ownership and lifetime rules.

Meanwhile, the transcript highlights alternative approaches that try to make migration less disruptive. One proposal discussed is Trap C, which aims to enforce memory-safe behavior at compile time by transforming pointers into checked “memory safe pointers” and preventing buffer overruns and segmentation faults. Another thread emphasizes that rewriting billions of lines of legacy code is risky and bug-prone, so incremental modernization—through tooling, tests, and gradual adoption—may be more realistic than a revolution.

Overall, the dispute is not simply about which language is “best,” but about feasibility under deadlines, how to enforce safety across large, mixed-language systems, and whether C++ can regain trust with credible mechanisms before policy and industry momentum lock in a different future.

Cornell Notes

Bjarne Stroustrup calls for urgent, visible progress on memory safety in C++ after U.S. guidance and security experts increasingly discourage memory-unsafe languages. The pressure includes a CISA recommendation that manufacturers using unsafe languages have a memory-safety roadmap by January 1, 2026 or adopt memory-safe languages. Stroustrup supports a “profiles” framework intended to enforce memory safety in C++ without abandoning the language, aiming to provide a narrative and mechanism that can compete with Rust’s momentum. Critics argue opt-in safety won’t scale, profiles may break language features, and safety guarantees may not hold across mixed compilation units. Others add that real-world systems mix languages, so unsafe boundaries (e.g., FFI) can undermine any single-language safety story.

Why did C++ face renewed scrutiny from government and security experts in recent years?

The transcript ties the push to memory safety shortcomings rooted in manual memory management. Bugs like out-of-bounds reads/writes and other memory errors are described as a majority source of vulnerabilities in large codebases, with high-profile, financially damaging exploitation. As a result, industry and government security experts have discouraged C and C++ while promoting languages with stronger memory-safety guarantees (Rust, Go, C#, Java, Swift, and JavaScript are mentioned).

What is the “profiles” approach associated with Stroustrup, and what problem is it meant to solve?

Stroustrup’s February 7 note to the C++ standards committee frames profiles as a framework for urgent action: a way to make memory safety enforceable in C++ rather than relying only on slow progress or private tooling. The transcript describes profiles as a mechanism where code is marked so that certain unsafe operations are restricted—analogized to compiler flags that escalate warnings into errors, except the restrictions can disable pointers/arrays or require safer replacements. The goal is to provide a credible, standards-backed path to memory safety before policy deadlines.

What objections were raised against opt-in safety and profiles?

Skepticism focuses on adoption and compatibility. The transcript says opt-in safety likely won’t sell, because developers would need to actively choose safety modes. It also claims profiles could cause parts of the language to stop working for marked code, forcing rewrites (for example, replacing C-style loops over arrays with safer C++ constructs like range-based loops over vectors). Another concern is that memory safety may not be consistent across compilation units when different subsets or extensions are used.

How does Trap C differ from profiles, and what enforcement mechanism does it use?

Trap C is presented as a compile-time approach. The transcript attributes to its lead (Robin Row) the claim that when C code is compiled with the Trap C compiler, pointers become “memory safe pointers” (MSPs) that are checked, preventing buffer overruns and segmentation faults. The transcript also raises the question of performance overhead, implying runtime checks may be involved, but the key distinction is compile-time transformation/enforcement rather than developer opt-in subsets.

Why do some researchers doubt that language-level memory safety is enough in practice?

A visiting researcher at the University of Cambridge (David Chisnall) is cited arguing that very few systems are written in a single language. Even if Rust code is memory safe, unsafe holes can be created—such as using Rust’s unsafe keyword or interacting with unsafe C pointers. Cross-language integration (e.g., Rust calling Lua, or Lua calling into Rust) can break assumptions about ownership and lifetimes, making safe interruption and safe boundaries difficult. The transcript emphasizes that foreign-function interfaces (FFI) are a common place where safety guarantees can collapse.

Review Questions

What policy timeline and guidance are cited as driving urgency around memory safety for C and C++?
How do profiles and Trap C each attempt to enforce memory safety, and what adoption or consistency risks are raised for profiles?
Why does cross-language integration (FFI) complicate claims that a single language’s safety model is sufficient?

Key Points

1
C and C++ memory safety failures are linked to manual memory management errors like out-of-bounds reads/writes and are described as a major source of vulnerabilities in large codebases.
2
CISA guidance recommends that by January 1, 2026 manufacturers using memory-unsafe languages either eliminate memory-safety vulnerabilities via a roadmap or adopt memory-safe programming languages.
3
Stroustrup’s profiles framework aims to make memory safety enforceable in C++ through standards-backed mechanisms rather than relying on slow, incremental progress.
4
Critics argue opt-in safety may not scale, profiles could break existing language features, and safety guarantees may not hold consistently across mixed compilation units.
5
David Chisnall’s skepticism centers on mixed-language systems: unsafe boundaries like FFI and Rust’s unsafe escape hatches can reintroduce memory hazards.
6
Trap C is presented as a compile-time enforcement approach that converts pointers into checked memory safe pointers to prevent buffer overruns and segmentation faults.
7
Incremental migration and tooling are portrayed as more realistic than rewriting massive legacy codebases all at once, even when the end goal is stronger safety.

Highlights

Stroustrup frames memory safety as urgent standards work, not just another language feature request, in response to government and security pressure.

Profiles are described as a way to restrict unsafe operations in marked code—yet critics warn that opt-in adoption and compatibility could stall the approach.

Trap C’s pitch is compile-time pointer transformation into checked “memory safe pointers,” aiming to stop buffer overruns and segmentation faults.

A key technical counterpoint is that safety models can fail at language boundaries: FFI and unsafe blocks can undermine otherwise “safe” code. 

Topics

C++ Memory Safety
WG21 Profiles
CISA Guidance
Trap C
FFI and Unsafe Boundaries

Mentioned

Bjarne Stroustrup
Mark Russinovich
Robin Row
David Chisnall
Linus Torvalds
CISA
WG21
FFI
MSP
SG23
DARPA