The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) this week published guidance urging software developers to adopt memory-safe programming languages.
“The importance of memory safety cannot be overstated,” the inter-agency report [PDF] says.
Memory safety refers to the extent to which programming languages provide ways to avoid vulnerabilities arising from the mishandling of computer memory. Languages like Rust, Go, C#, Java, Swift, Python, and JavaScript support automated memory management (garbage collection) or implement compile-time checks on memory ownership to prevent memory-based errors.
C and C++, two of the most widely used programming languages, are not memory-safe by default. And while developers can make them safer through diligent adherence to best practices and the application of static analysis tools, not everyone deploys code with that much care.
To further complicate matters, code written in nominally safe languages may still import unsafe C/C++ libraries using a Foreign Function Interface, potentially breaking memory safety guarantees.
In the past decade, security researchers have been sounding the alarm about the dangers of memory safety flaws. “Memory unsafety is a scourge plaguing our industry,” said security researcher Alex Gaynor back in 2017.
Google and Microsoft have attributed the majority of vulnerabilities in large software projects to memory safety errors. In Google’s Android operating system, for example, 90 percent of high-severity vulnerabilities in 2018 came via memory safety bugs. In 2021, the Chocolate Factory noted that more than 70 percent of serious security issues in Chromium came from memory safety flaws.
The infamous Heartbleed flaw in the OpenSSL cryptographic library was the result of a memory safety error (an out-of-bounds read) in C code. And there are many other examples, including the mid-June Google Cloud outage, which Google’s incident report attributes to a lack of proper error handling for a null pointer.
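As an added illustration of the out-of-bounds-read class mentioned above (example code written for this page, not taken from the report or from OpenSSL), here is a length-trusting copy beside its bounds-checked form. The three-byte record layout and the sample records are constructed assumptions, not a real protocol.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed wire format for this example (an assumption, loosely modelled
 * on a length-prefixed heartbeat record): byte 0 is the message type, bytes
 * 1-2 carry the sender's claimed payload length (big-endian), and the payload
 * follows. record_len is how many bytes were actually received. */
#define HDR_LEN 3

static size_t claimed_len(const uint8_t *rec) {
    return (size_t)((rec[1] << 8) | rec[2]);
}

/* The Heartbleed-style pattern: the copy length is taken from the field inside
 * the message instead of from the size actually received, so a record that
 * claims more bytes than it carries makes memcpy read past the buffer.
 * Shown only for contrast; it is never called in this example. */
int echo_payload_unchecked(const uint8_t *rec, size_t record_len,
                           uint8_t *out, size_t out_cap) {
    (void)record_len;                 /* the defect: received size is ignored */
    size_t n = claimed_len(rec);
    if (n > out_cap) return -1;
    memcpy(out, rec + HDR_LEN, n);    /* out-of-bounds read if n > record_len - HDR_LEN */
    return (int)n;
}

/* Hardened form: every length is validated against the bytes actually present
 * and the destination capacity before memory is touched. Returns the number
 * of payload bytes copied, or -1 for a malformed record. */
int echo_payload_checked(const uint8_t *rec, size_t record_len,
                         uint8_t *out, size_t out_cap) {
    if (rec == NULL || out == NULL || record_len < HDR_LEN) return -1;
    size_t n = claimed_len(rec);
    if (n > record_len - HDR_LEN) return -1;   /* claims more than was received */
    if (n > out_cap) return -1;                /* must also fit the destination */
    memcpy(out, rec + HDR_LEN, n);
    return (int)n;
}

/* Constructed sample records: a well-formed one, and one whose length field
 * claims 65535 bytes while carrying only three. */
const uint8_t SAMPLE_GOOD[]  = {1, 0x00, 0x03, 'a', 'b', 'c'};
const uint8_t SAMPLE_LYING[] = {1, 0xFF, 0xFF, 'a', 'b', 'c'};
```

The checked version rejects the lying record outright; a memory-safe language would have turned the same mistake into a caught bounds error rather than a silent read of adjacent memory.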
Within a few years, the tech industry began answering the call for memory-safe languages. In 2022, Microsoft executives began calling for new applications to be written in memory-safe languages like Rust. By 2023, Consumer Reports – a mainstream product review publication – published a report on memory safety and government officials like Jen Easterly, CISA’s director at the time, cited the need to transition to memory-safe languages during public appearances.
The memory safety push created some turmoil in the Linux kernel community over the past year, as efforts to integrate Rust-based drivers met resistance from kernel maintainers. And it has alarmed the C/C++ communities, where developers have been busily trying to come up with ways to match the memory safety promises of Rust through projects like TrapC, FilC, Mini-C, and Safe C++.
The CISA/NSA report revisits the rationale for greater memory safety and the government’s calls to adopt memory-safe languages (MSLs) while also acknowledging the reality that not every agency can change horses mid-stream.
“A balanced approach acknowledges that MSLs are not a panacea and that transitioning involves significant challenges, particularly for organizations with large existing codebases or mission-critical systems,” the report says. “However, several benefits, such as increased reliability, reduced attack surface, and decreased long-term costs, make a strong case for MSL adoption.”
The report cites how Google by 2024 managed to reduce memory safety vulnerabilities in Android to 24 percent of the total. It goes on to provide an overview of the various benefits of adopting MSLs and discusses adoption challenges. And it urges the tech industry to promote memory safety by, for example, advertising jobs that require MSL expertise.
It also cites various government projects to accelerate the transition to MSLs, such as the Defense Advanced Research Projects Agency (DARPA) Translating All C to Rust (TRACTOR) program, which aspires to develop an automated method to translate C code to Rust.
A recent effort along these lines, dubbed Omniglot, has been proposed by researchers at Princeton, UC Berkeley, and UC San Diego. It provides a safe way for unsafe libraries to communicate with Rust code through a Foreign Function Interface.
This is exactly the sort of project that CISA and the NSA would like to see from the private sector, particularly given pending budget cuts that could depopulate CISA by a third.
While the path toward greater memory safety is complicated by the need to maintain legacy systems and the fact that MSLs may not be the best option for every scenario, the government’s message is clear.
“Memory vulnerabilities pose serious risks to national security and critical infrastructure,” the report concludes. “MSLs offer the most comprehensive mitigation against this pervasive and dangerous class of vulnerability.”