The White House Office of the National Cyber Director (ONCD) urged tech companies today to switch to memory-safe programming languages, such as Rust, to improve software security by reducing the number of memory safety vulnerabilities.
Such vulnerabilities are coding errors or weaknesses in software that cause memory management problems when memory is accessed, written, allocated, or deallocated.
They occur when software accesses memory in unintended or unsafe ways, resulting in various security risks and issues like buffer overflow, use after free, use of uninitialized memory, and double free that attackers can exploit.
Successful exploitation carries severe risks, potentially enabling threat actors to gain unauthorized access to data or execute malicious code with the privileges of the system owner.
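To make the bug classes above concrete, the following added example (not from the ONCD report or the article) parses a record whose length byte is attacker-controlled, the pattern behind many buffer overflows in C. The wire format, the function names and the sample bytes are assumptions constructed for illustration.

```rust
// Constructed wire format (an assumption for this example):
//   byte 0 = record type, byte 1 = payload length N, bytes 2.. = N payload bytes
#[derive(Debug, PartialEq)]
enum ParseError {
    TooShort, // the two-byte header itself is missing
    LengthExceedsInput { claimed: usize, available: usize },
}

/// Parse one record, borrowing the payload from `buf`.
/// The returned slice cannot outlive `buf`; the borrow checker enforces this,
/// so the payload can never dangle after the buffer is freed.
fn parse_record(buf: &[u8]) -> Result<(u8, &[u8]), ParseError> {
    let (&kind, rest) = buf.split_first().ok_or(ParseError::TooShort)?;
    let (&len, rest) = rest.split_first().ok_or(ParseError::TooShort)?;
    let claimed = len as usize;
    // `get` is the checked form of indexing: an out-of-range request yields
    // None instead of reading adjacent memory, as an unchecked memcpy would.
    let payload = rest.get(..claimed).ok_or(ParseError::LengthExceedsInput {
        claimed,
        available: rest.len(),
    })?;
    Ok((kind, payload))
}

/// Copy the payload into a fixed 8-byte field, rejecting oversized input
/// rather than writing past the end of the destination.
fn store_fixed(payload: &[u8]) -> Option<[u8; 8]> {
    if payload.len() > 8 {
        return None;
    }
    // Safe Rust requires the array to be initialized before it can be read.
    let mut field = [0u8; 8];
    field[..payload.len()].copy_from_slice(payload);
    Some(field)
}

fn main() {
    let good = [0x01, 0x03, b'a', b'b', b'c']; // constructed sample
    let lying = [0x01, 0xff, b'a', b'b', b'c']; // claims 255 bytes, carries 3
    println!("{:?}", parse_record(&good));
    println!("{:?}", parse_record(&lying));
    println!("{:?}", parse_record(&good).ok().and_then(|(_, p)| store_fixed(p)));
}
```

The record with the false length comes back as an error value the caller must handle, rather than as a read of whatever lies beyond the buffer.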
"For over 35 years, this same class of vulnerability has vexed the digital ecosystem. The challenge of eliminating entire classes of software vulnerabilities is an urgent and complex problem. Looking forward, new approaches must be taken to mitigate this risk," ONCD's report says.
"The highest leverage method to reduce memory safety vulnerabilities is to secure one of the building blocks of cyberspace: the programming language. Using memory safe programming languages can eliminate most memory safety errors."
Today's report builds upon the National Cybersecurity Strategy signed by President Biden in March 2023, which shifted the burden of defending the country's cyberspace towards software vendors and service providers.
The National Security Agency (NSA) also published guidance in November 2022 on how software developers can prevent software memory safety issues.
A similar report from CISA and international partners in December 2023 followed, asking for a transition to memory-safe programming languages to reduce software products' attack surface by eliminating memory-related vulnerabilities.
As Microsoft discovered years ago, as many as 70 percent of security vulnerabilities identified in software developed using memory-unsafe languages stem from memory safety concerns. This remains true even after thorough code reviews and additional preventive and detection measures, as the company further found.
Yet, findings from Google research show that using a memory-safe language can significantly reduce the number of memory safety flaws even in large code bases and, in some cases, eliminate them altogether.
"For thirty-five years, memory safety vulnerabilities have plagued the digital ecosystem, but it doesn't have to be this way," said Anjana Rajan, Assistant National Cyber Director for Technology Security.
"This report was created for engineers by engineers because we know they can make the architecture and design decisions about the building blocks they consume – and this will have a tremendous effect on our ability to reduce the threat surface, protect the digital ecosystem and ultimately, the Nation."
Comments
FrankGe - 1 week ago
"switch to memory-safe programming languages, such as Rust"
Or in other words, switch from C/C++ or assembly to any other language. There aren't any other unsafe languages left.
(Sure, if you use C for low-level or performance, Rust is an obvious successor.)
Audaine - 1 week ago
Python just had a memory CVE published 6 days ago with a 7.5 out of 10 severity score. Lua, Perl, PHP, Java, Go, JS (Node and V8-based), Swift, the Java ecosystem (incl. Kotlin and Scala), and .NET have all had memory related CVEs in the last 18 months.
FrankGe - 1 week ago
"... have all had memory related CVEs in the last 18 months."
Interesting observation. But how many of those were actually in the core language runtime/VM implementation? When you include CVEs in runtime libraries implemented in other languages, you're comparing apples to oranges. If that other language is not memory safe, it even underscores the point.
Audaine - 1 week ago
That's a really good point, and you're correct - but the fact that most software is built on C 'at the bottom' seems to be the focus of this.
But retiring the entire stack from kernel to IP isn't likely to happen. Hence, the primary utility for specs intended for the same issue - and much older - are military and automotive. Rust is just getting a lot of push from Google and Microsoft right now.
tverweij - 1 week ago
Ah, that means:
Switch from C / C++ to Rust
Switch from C# to VB
electrolite - 1 week ago
Switch from C# to VB (this is probably a joke, nobody who is familiar with these languages in their right mind would do that.)
What it does mean though is that this is a call to Microsoft to have their .NET runtime switch from being written in C/C++ to Rust. The C# language compiler would happily be running on top as a high level language compiler. So it will almost always boil down to C/C++-> bad, Rust->good. (I am not saying C/C++ is bad, just what is being implied more often as time goes on).
FrankGe - 1 week ago
"Switch from C# to VB"
Only if you have no idea what either C# or VB are.
FrankGe - 1 week ago
"Switch from C# to VB"
Only if you have no idea what either C# or VB are.
tverweij - 1 week ago
LOL
They always have to react :-)
And so bad, that he posted it two times.
skedddggge - 1 week ago
C# builds on the same managed, garbage collected foundation as VB, unless you mark parts of your code as unsafe so you can work with pointers. Doubtful many companies would allow that as a preferred practice as a matter of policy.
electrolite - 1 week ago
Microsoft has their CLR which by definition allows you to reference managed code in unmanaged code. Having a mixed (managed and unmanaged) codebase is more common than you think.
FrankGe - 1 week ago
Rust is already leaking into the Linux kernel, and not because Linus is a fan either... Yes that's going to be a slow change, but reduction of memory leaks can happen in every layer. And don't forget that kernel code is written by very experienced developers and much more reviewed than what usually happens on the application layer.
girlBoss - 6 days ago
" ... and this will have a tremendous effect on our ability to reduce the threat surface, protect the digital ecosystem and ultimately, the Nation."
Now if that ain't an appeal to emotion.
The qualifier "tremendous" adds very little to the context of the mere ability to do a thing that might or might not be done in all actuality. It's like saying that 'not taking a shower has a tremendous effect on your ability to stay dry'.
Hell, the entire art of intrusion is in exploiting threat surfaces that the victim isn't even aware of.
You install a fancy new lock on your front door and the guy throws a stone through your window. Alright, White House, you sure warned us.