THE The latest technical report from the Office of the National Cyber Director urged developers to switch to using memory-safe programming languages in an effort to reduce the number of memory security vulnerabilities in software.
“For thirty-five years, memory security vulnerabilities have plagued the digital ecosystem, but it doesn’t have to be this way,” Anjana Rajan, deputy national cyber director for technology security, said in a statement. The report is intended to help engineers make decisions about the architecture and design of the building blocks of the software they use.
The use of memory-safe programming languages has long been touted as a way to prevent memory safety attacks such as buffer overflows in applications. Techniques such as Data Execution Protection (DEP) and Address-Space Layout Randomization (ASLR) make it more difficult for adversaries to perform memory security attacks. There are safe string handling libraries that developers should use to prevent memory leaks in their code. There are also multiple projects with the goal of rewriting widely used libraries using languages like Rust.
The fact that these attacks are still prevalent highlights the challenge of rewriting the code. Whereas Java and .NET provide memory safety, many enterprise software and mobile apps are already written in memory-safe languages. The hard part is making changes to existing non-Java, non-.NET software systems that are currently not memory safe, especially since they tend to be deeply rooted in the infrastructure. The effort to remove them for a memory-safe alternative would be “non-trivial,” according to Tim Wade, deputy chief technology officer at Vectra AI. One option might be to prioritize purchasing software written in a memory-safe language in the future, rather than trying to replace existing systems.
“We’re doing this because available data on vulnerabilities and common exposures identifies this as one of the most pervasive classes of bugs in decades. It’s clear that software and hardware creators are best positioned to address this problem,” National Cyber Has director Harry Coker said in a phone call with reporters. “Not all programming languages are created equal, and some are inherently more dangerous.”