Dump C++ and in Rust you should trust, Five Eyes agencies urge
Memory safety vulnerabilities need to be crushed with better code
Business and technical leaders should prepare to focus on memory safety in software development, the US Cybersecurity and Infrastructure Agency (CISA) urged on Wednesday.
The federal agency, part of the US Department of Homeland Security, published a paper entitled "The Case for Memory Safety Roadmaps," arguing that memory safety errors routinely cause significant damage and that organizations need to stamp them out.
Memory safety errors refer to flaws like buffer overflows, uninitialized memory, type confusion, and use-after-free. Attackers who exploit these vulnerabilities can often take over affected systems and steal data or run arbitrary code.
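As an added example (not from CISA's report or The Register's article), the C buffer-overflow pattern the report refers to is shown beside a bounds-checked rewrite; NAME_MAX and the function names are my own choices for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NAME_MAX 16   /* constructed destination size for the example */

/* "Before": the unchecked copy. The source length is never compared with
 * the destination size, so input longer than NAME_MAX - 1 bytes overwrites
 * whatever follows dst in memory. Kept only to show the defect; nothing in
 * this file calls it with oversized input. */
void copy_name_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);   /* no bounds check: classic buffer overflow */
}

/* "After": same operation with the destination size made explicit.
 * Returns 0 on success, -1 if src (plus its NUL) would not fit in dst. */
int copy_name_checked(char *dst, size_t dst_len, const char *src)
{
    if (dst == NULL || src == NULL || dst_len == 0)
        return -1;
    size_t n = 0;
    while (n < dst_len && src[n] != '\0')   /* scan at most dst_len bytes */
        n++;
    if (n == dst_len)
        return -1;          /* no terminator within the buffer size: refuse */
    memcpy(dst, src, n + 1);                /* copy including the NUL */
    return 0;
}

int main(void)
{
    char buf[NAME_MAX];
    /* Constructed inputs: one that fits, one that does not. */
    const char *short_name = "cisa";
    const char *long_name  = "a-name-that-is-far-too-long-for-the-buffer";

    printf("short: %d\n", copy_name_checked(buf, sizeof buf, short_name));
    printf("long:  %d\n", copy_name_checked(buf, sizeof buf, long_name));
    return 0;
}
```

The checked version turns the silent memory corruption into an explicit error the caller must handle, which is the property memory safe languages enforce by default rather than by discipline.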
CISA, in conjunction with the National Security Agency (NSA), FBI, and the cyber security authorities of Australia, Canada, the United Kingdom, and New Zealand, said its call for better memory safety follows from its Secure By Design recommendations – endorsed by all of these cyber authorities.
"With this guidance, the authoring agencies urge senior executives at every software manufacturer to reduce customer risk by prioritizing design and development practices that implement MSLs [memory safe languages]," the report argues.
"Additionally, the agencies urge software manufacturers to create and publish memory safe roadmaps that detail how they will eliminate memory safety vulnerabilities in their products."
The point of making a public declaration, CISA says, is for organizations to make clear to customers that they're taking ownership of security concerns.
The call to action from CISA and friends follows more than a year of dunking on C/C++ – programming languages that have proven to be a breeding ground for memory safety bugs – and of public celebration of memory safe languages like Rust. In January, the issue even attracted the attention of Consumer Reports, signaling mainstream awareness of the issue.
Prossimo, a project run by the non-profit Internet Security Research Group (ISRG) – which has been rewriting tools like sudo in Rust – held an event last month where the development of memory safety roadmaps was discussed.
"Making the argument for memory safe software is critical if we're going to make the Internet more secure," Josh Aas, executive director of ISRG's Prossimo project, told The Register.
"CISA's new case for memory safe roadmaps is important because it's all the right information coming from a voice that can reach audiences that have been tough for others to reach in the past."
At the event, Microsoft's David Weston, VP of operating system security and enterprise, revealed Redmond has committed $10 million to the development of Rust tooling as the software titan standardizes on Rust and other memory safe languages.
Microsoft, CISA observes in its guidance, has acknowledged that about 70 percent of its bugs (CVEs) are memory safety vulnerabilities; Google has reported a similar figure for its Chromium project and found that 67 percent of zero-day vulnerabilities in 2021 were memory safety flaws.
Given that, CISA is advising that organizations move away from C/C++ because, even with safety training (and ongoing efforts to harden C/C++ code), developers still make mistakes.
"While training can reduce the number of vulnerabilities a coder might introduce, given how pervasive memory safety defects are, it is almost inevitable that memory safety vulnerabilities will still occur," CISA argues.
"Even the most experienced developers write bugs that can introduce significant vulnerabilities. Training should be a bridge while an organization implements more robust technical controls, such as memory safe languages."
Bjarne Stroustrup, creator of C++, has defended the language, arguing that ISO-compliant C++ can provide type and memory safety, given appropriate tooling, and that Rust code can be implemented in a way that's unsafe. But that message hasn't done much to tarnish the appeal of Rust and other memory safe languages.
CISA suggests that developers look to C#, Go, Java, Python, Rust, and Swift for memory safe code.
"The most promising path towards eliminating memory safety vulnerabilities is for software manufacturers to find ways to standardize on memory safe programming languages, and to migrate security critical software components to a memory safe programming language for existing codebases," the CISA paper concludes. ®