Python vs. C - HEAD TO HEAD

Todd published a story 4 months ago

I use Python and C daily. I wanted to write an article explaining why I use these languages, to shed some light if you use one and not the other and to put it into perspective for those who have been curious about one of these two languages. I am omitting obvious reasons; for example, I obviously use C on C codebases at work because I have to. Ditto for Python... But that's not interesting.

C

C is the language I use to get a deeper understanding of computer science and prepare for interview-style coding challenges. Why? Because C doesn't come with much and it motivates the programmer to write his/her own basic algorithms, macros, and data structures.

As a Security Engineer, I also use C to keep fresh with vulnerabilities. There are a ton more memory-based security vulnerabilities in C code than in Python code. I have to audit and remediate these vulnerabilities at work so I train myself by writing vulnerable programs and then spotting the vulnerabilities and exploiting them.

Finally, I use C when I need control over memory. One good recent example is that I wrote a program which helps the user remember a new password. At work I am required to change my password every X number of days. I've found that the day I change my password is the day I am most likely to forget my new one. As a Security Engineer I absolutely cannot write my password on a piece of paper. So I wrote a program which prompts me for my new password, hides it from the terminal, and then prompts me N number of times for the password so that I have to type it in over and over until I have it memorized. For security purposes, once the user types in the original password, a hash is stored in memory and subsequent entries are hashed and compared.

The "hiding from the terminal" part is very easy in Python. In fact, I wrote the program in Python first using the getpass() API. The problem was that for security reasons, I wanted to clear the password from memory immediately. This cannot be done in Python unfortunately. In fact, I did some research and learned that since Python strings are immutable, there is a copy of my password floating around in memory for every subsequent function call that I make. I didn't like this.

The C version of my program is very similar, except that I had to use about 5 more lines of code to set the terminal so that it doesn't display the password. The real benefit of C here is that on the line after I prompt for and hash the new password, I can call the memset() function and zero out the new password so that it is no longer freely available in memory.
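A sketch of the read, hash, and wipe sequence described above, as an added example and not the author's program. The function names, the FNV-1a stand-in digest, and N = 5 are assumptions. It wipes through a volatile pointer because a compiler may remove a plain memset() on a buffer that is never read again.

```c
#include <stdint.h>
#include <stdio.h>
#include <termios.h>
#include <unistd.h>

/* Zero through a volatile pointer: a plain memset() on a buffer that is
 * never read again is a dead store the optimizer is allowed to delete. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Stand-in digest (64-bit FNV-1a) so the example has no dependencies.
 * It is NOT a password hash; a real tool would use a crypto library. */
static uint64_t digest(const char *s) {
    uint64_t h = 0xcbf29ce484222325ULL;
    while (*s) { h ^= (unsigned char)*s++; h *= 0x100000001b3ULL; }
    return h;
}

/* Read one line from fd with echo off (if fd is a terminal), store its
 * digest in *out, then wipe the plaintext. read(2) avoids a stdio copy. */
static int read_secret_digest(int fd, uint64_t *out) {
    char buf[256]; size_t n = 0;
    struct termios saved, quiet;
    int tty = tcgetattr(fd, &saved) == 0;
    if (tty) {
        quiet = saved; quiet.c_lflag &= ~(tcflag_t)ECHO;
        tcsetattr(fd, TCSAFLUSH, &quiet);
    }
    while (n < sizeof buf - 1 && read(fd, &buf[n], 1) == 1 && buf[n] != '\n') n++;
    buf[n] = '\0';
    if (tty) tcsetattr(fd, TCSAFLUSH, &saved);  /* always restore echo */
    *out = digest(buf);
    secure_wipe(buf, sizeof buf);
    return n > 0 ? 0 : -1;                      /* empty line or EOF: -1 */
}

int main(void) {
    uint64_t want, got;
    int left = 5;                               /* N repetitions (assumed) */
    fputs("New password: ", stderr);
    if (read_secret_digest(STDIN_FILENO, &want) != 0) return 1;
    while (left > 0) {
        fprintf(stderr, "\nRetype (%d more): ", left);
        if (read_secret_digest(STDIN_FILENO, &got) != 0) return 1;
        if (got == want) left--;
    }
    return 0;
}
```

Where available, explicit_bzero() (glibc, the BSDs) or memset_s() (C11 Annex K) serve the same purpose as the hand-written wipe.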

Python

Python is my "get stuff done" language. As a Security Engineer, I have to write many small tools. Some of these tools are actually designed to attack or analyze C programs, even. But it doesn't stop there... Getting metrics from JIRA and plotting them in an Excel spreadsheet, manipulating API calls to our IoT devices at work, dealing with strings, working with raw bytes, automating tasks, creating dashboards from work tools, etc. Python excels at all of this. In fact, although Python does not have "true multithreading," I've found that it is a more efficient use of my time to write a computationally-intensive tool in Python and tweak algorithms and green threads than it is to try to write the same program in C. For most tasks, the minor runtime cost of Python more than pays for itself compared to the development costs of C.

Another reason that I use Python is that everybody seems to have a Python API. Nearly every work tool that I use is scriptable via Python, binary files have Python libraries to parse them, web services have Python APIs... Basically, almost every API is available in Python, which is nice because it allows me to tie 2-5 different services together in one single program to produce results that I would not be able to get from writing a C program any time soon. I can write a Python program in 30 minutes to 2 hours which would take weeks to write in C.

Python is also great for prototyping. Even for programs that I eventually plan to write in C, Python helps answer the question of "Is this program feasible?" because it provides so many libraries and high-level constructs. It also helps me reason about my programs in a higher-level way so that I can focus on my problem domain rather than chasing the ins and outs of handling memory and spending hours in the debugger hunting down segfaults and other undefined behavior.

Finally, Python has fully-featured OOP constructs whereas C does not. So when I need to write a program in which OOP is a better paradigm, I use Python. OOP can be created in C but again, it's a lot more work and can be obtuse at times. OOP is not my paradigm of choice but some programs make more sense with OOP than others.
