
CISA Identifies Memory-Unsafe Code in Major Open Source Projects


A recent study has shed light on the alarming prevalence of memory-unsafe code in major open source software (OSS) projects, revealing a significant security risk within the software development community. Memory-unsafe programming languages like C and C++ provide developers with more direct control over memory-related functions, but they also give rise to common security vulnerabilities such as buffer overflows and use-after-free errors. In contrast, memory-safe languages like Rust, Python, Java, and Go offer built-in checks to mitigate these memory-related errors.
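The two defect classes named above, buffer overflows and use-after-free, and the kind of bounds and liveness check a memory-safe language performs automatically, shown as an added C example (it is not code from the CISA report or from any project it covers; the pool, the generation-tagged handle type and the function names are hypothetical):

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical fixed-slot pool. Each handle carries the slot index and the
 * generation it was issued for, so a handle kept after pool_free() is stale. */
#define SLOTS 4
#define SLOT_BYTES 16

typedef struct { uint32_t slot; uint32_t gen; } handle_t;

static char     pool[SLOTS][SLOT_BYTES];
static uint32_t gen_of[SLOTS];   /* bumped on every free */
static bool     in_use[SLOTS];

handle_t pool_alloc(void) {
    for (uint32_t i = 0; i < SLOTS; i++)
        if (!in_use[i]) { in_use[i] = true; return (handle_t){ i, gen_of[i] }; }
    return (handle_t){ UINT32_MAX, 0 };   /* exhausted: rejected by handle_live */
}

/* Live only if the slot is allocated and the generation still matches. */
static bool handle_live(handle_t h) {
    return h.slot < SLOTS && in_use[h.slot] && gen_of[h.slot] == h.gen;
}

void pool_free(handle_t h) {
    if (!handle_live(h)) return;   /* double free is ignored, not corrupting */
    in_use[h.slot] = false;
    gen_of[h.slot]++;              /* every outstanding handle is now stale */
}

/* Checked write: a plain memcpy here would compile fine in C and silently
 * overwrite the neighbouring slot (overflow) or a freed one (use-after-free). */
bool pool_write(handle_t h, size_t off, const void *src, size_t n) {
    if (!handle_live(h)) return false;                        /* use-after-free */
    if (off > SLOT_BYTES || n > SLOT_BYTES - off) return false; /* overflow */
    memcpy(pool[h.slot] + off, src, n);
    return true;
}

bool pool_read(handle_t h, size_t off, void *dst, size_t n) {
    if (!handle_live(h)) return false;
    if (off > SLOT_BYTES || n > SLOT_BYTES - off) return false;
    memcpy(dst, pool[h.slot] + off, n);
    return true;
}
```

The generation counter is what lets the pool refuse a stale handle even after the slot has been handed out again, which is the case a plain "is this slot in use" check misses.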

The US Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI and counterparts from Australia and Canada, released a report detailing their investigation into the use of memory-unsafe code in OSS projects. The findings indicate that 52% of the 172 major open source projects analyzed contained code written in memory-unsafe languages, with over half of the total lines of code written in such languages. Even projects written in memory-safe languages were found to be at risk due to dependencies on memory-unsafe components.

The prevalence of memory-unsafe code in OSS projects is not a new issue. Several previous studies have highlighted the risks associated with these languages, prompting calls for a shift towards memory-safe programming. Despite these calls for change, the transition to memory-safe languages remains slow and challenging, primarily due to the substantial costs and efforts required for rewriting existing codebases.

Omkhar Arasaratnam, general manager at OpenSSF, emphasizes that memory safety issues are not confined to open or closed-source software but affect all modern software. While there are memory-safe languages available, developers often opt for older memory-unsafe languages like C/C++ for performance reasons or low-level hardware access. Rust has emerged as a viable alternative to C/C++ for systems programming, but there are still limitations, especially in embedded systems and safety-critical applications.

Tim Mackey, head of software supply chain risk strategy at Synopsys Software Integrity Group, acknowledges the progress made in using memory-safe languages in major OSS projects but raises questions about the adoption of these languages in new projects on platforms like GitHub. The awareness of memory-safe languages is growing, but the displacement of older languages like C++ by Rust is a slow process.

Overall, the shift towards memory-safe languages presents a complex and challenging task for the software development community. While there are clear benefits in terms of security and reliability, the transition will require concerted efforts and significant time to fully materialize. As the industry continues to grapple with memory safety issues, the need for secure coding practices and diligent use of memory-safe languages remains paramount in ensuring the integrity of software systems.
