Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Safer Languages
[SAMATE Home | IntrO TO SAMATE | SARD | SATE | Bugs Framework | Publications | Tool Survey | Resources]
Safety or quality cannot be "tested into" programs. It must be designed in from the start. Choosing to implement with a safer or more secure language or language subset can entirely avoid whole classes of weaknesses.
Some Instances
DISCLAIMER: Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology (NIST), nor does it imply that the products are necessarily the best available for the purpose.
By selecting almost any of these links, you will be leaving NIST webspace. We provide these links because they may have information of interest to you. No inferences should be drawn because some sites are referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the assertions presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites.
Please contact us if you think something should be included. If it has all the characteristics of a safer language, we will be happy to add it. You can contact us at samate(at)nist(dot)gov.
- SPARK is a well-defined language for high integrity applications in which many errors are impossible and which has decades of proven results. Available from AdaCore (7 Jan 2013)
- Escher C Verifier language is a subset of C and C++ based on MISRA-C, with a stronger type system and preconditions. A theorem prover, eCv, can verify such programs. Escher Technologies also has thePerfect specification language, which works with SPARK Ada, too. (9 Apr 2013)
- Fail-Safe C disallows any unsafe memory operation in "full ANSI C standard (including casts and unions)" and even supports many "dirty tricks" common in non-conforming programs. (June 2009)
- Safe-Secure C/C++ (SSCC) "is a software component that can be integrated into compilers and software analysis tools to detect and prevent buffer overflows and other common security vulnerabilities in C and C++ programs".
- CERT's Coding Standards is a broad-based effort which, if followed, prevents many frequent vulnerabilities. The language-independent practices are supplemented by some particular to C, some particular to Java, and some particular to C++.
- CCured adds a minimal number of run-time checks (in C) to C programs "to prevent all memory safety violations. The resulting program is memory safe, meaning that it will stop rather than overrun a buffer or scribble over memory that it shouldn't touch." (13 Feb 2017)
- Rust has an ownership model that guarantees both memory safety and thread safety, at compile-time, without requiring a garbage collector. This allows users to write high-performance code while eliminating many bug classes. Though Rust does have an unsafe mode, its use is explicit, and only a narrow scope of actions is allowed. (14 Mar 2023)
ISO/IEC/JTC 1/SC 22/WG 23 is working on technical report (TR) 24772 Guidance to avoiding vulnerabilities in programming languages. It has specific suggestions on how to avoid vulnerabilities that arise from "constructs that incompletely specified, exhibit undefined behaviour, are implementation-dependent, or are difficult to use correctly." It can also be used to "select source code evaluation tools that can discover and eliminate some constructs that could lead to vulnerabilities". The latest version is found in the ISO/IEC/JTC 1/SC 22/WG 23 DOCUMENT REGISTER. (21 February 2017)