Image: Midway
The White House Office of the National Cyber Administration (ONCD) today urged technology companies to switch to memory-safe programming languages, such as Rust, to improve software security by reducing the number of memory security vulnerabilities.
Such vulnerabilities are coding errors or weaknesses within software that can lead to memory management problems when memory can be accessed, written, allocated, or freed.
They occur when software accesses memory in an unintended or unsafe manner, leading to various security risks and issues such as buffer overflows, use after deallocation, use of uninitialized memory, and double deallocation that can be exploited by attackers.
Successful exploitation carries serious risks, potentially allowing threat actors to gain unauthorized access to data or execute malicious code with system owner privileges.
“For more than 35 years, this same class of vulnerabilities has plagued the digital ecosystem. The challenge of removing entire classes of software vulnerabilities is an urgent and complex problem. Looking forward, new approaches must be taken to mitigate this risk,” the ONCD report said. .
“The most impactful method of reducing memory security vulnerabilities is to secure one of the building blocks of cyberspace: a programming language. Using memory-safe programming languages can eliminate most memory security flaws.”
Today’s report builds on the National Cybersecurity Strategy signed by President Biden in March 2023, which shifted the burden of defending the nation’s cyberspace to software vendors and service providers.
The National Security Agency (NSA) also released guidance in November 2022 on how software developers can prevent software memory security issues.
A similar report by CISA and international partners followed in December 2023, calling for a transition to memory-safe programming languages to reduce the attack surface of software products by removing memory-related vulnerabilities.
As Microsoft discovered a few years ago, as many as 70 percent of security vulnerabilities identified in software developed using memory-insecure languages stem from memory safety concerns. This remains true even after thorough code reviews and additional preventative and detection measures, as the company further determined.
However, the results of Google’s research show that using a memory-safe language can significantly reduce the number of memory security flaws even in large code bases, and in some cases even eliminate them altogether.
“Thirty-five years of memory security vulnerabilities have plagued the digital ecosystem, but it doesn’t have to be that way,” said Anjana Rajan, assistant national cyber director for technology security.
“This report was written by engineers for engineers because we know they can make decisions about the architecture and design of the building blocks they consume – and that will have a huge impact on our ability to reduce the threat surface, protect the digital ecosystem and ultimately, the nation.”