The recently released technical report from the Office of the National Cyber Director has called on developers to make a crucial shift towards using memory-safe programming languages in order to address the prevalent issue of memory-safety vulnerabilities in software. This move is aimed at reducing the risks associated with memory-safety attacks, such as buffer overflows, which have been a persistent problem in the digital landscape for over three decades.
Anjana Rajan, Assistant National Cyber Director for Technology Security, emphasized the importance of this shift, stating that it is not necessary for memory safety vulnerabilities to continue to plague the digital ecosystem. The report serves as a guide for engineers to make informed decisions about the software building blocks they use, with the goal of improving overall cybersecurity measures.
Memory-safe programming languages have long been recommended as a means to combat memory-safety attacks, offering built-in protections like Data Execution Protection (DEP) and Address-Space Layout Randomization (ASLR) that make it more difficult for malicious actors to exploit vulnerabilities. Additionally, developers are encouraged to utilize safe string-handling libraries to further mitigate the risk of memory issues in their code.
In an effort to address the prevalence of memory-safety vulnerabilities, various projects are underway to rewrite widely used libraries using languages like Rust, which is known for its strong security features. However, the task of rewriting existing code poses significant challenges, especially for non-memory-safe systems that are deeply entrenched in infrastructure. Tim Wade, deputy chief technology officer of Vectra AI, noted that transitioning to memory-safe alternatives for such systems would be a complex and resource-intensive endeavor.
Despite the availability of memory-safe languages like Java and .NET, many enterprise software and mobile applications continue to be written in non-memory-safe languages. This underscores the difficulty of transitioning existing systems to memory-safe alternatives, particularly due to the extensive modifications and disruptions it may entail. As a possible solution, prioritizing the adoption of software written in memory-safe languages for future development projects could prove to be a more feasible approach than attempting to replace existing systems.
National Cyber Director Harry Coker emphasized the urgent need for action, citing data on common vulnerabilities and exposures that highlight memory-safety vulnerabilities as a persistent and widespread issue in software development. Coker stressed that the responsibility to address this problem lies with software and hardware creators, as not all programming languages offer the same level of inherent safety.
In conclusion, the push towards memory-safe programming languages represents a critical step in enhancing cybersecurity measures and addressing longstanding vulnerabilities in software. By encouraging developers to embrace memory-safe practices and technologies, the hope is to create a more secure digital environment for users and organizations alike.