Developers in government and industry should focus on using memory-safe languages for new products and tools, and identify the most critical libraries and packages to move to memory-safe languages, according to a study by Consumer Reports.
The U.S. nonprofit known for testing consumer products asked what steps it could take to help introduce “memory-safe” languages like Rust, rather than options like C and C++. Consumer Reports said it wanted to address “industry-wide threats that cannot be addressed through user behavior or even consumer choice,” and identified “memory insecurity” as one such issue.
The report, The Future of Memory Safety, looks at a range of issues, including the challenges of building memory-safe language adoption within universities, the level of mistrust in memory-safe languages, introducing memory-safe languages into codebases written in other languages, and incentives and public accountability.
In the past two years, more and more projects have begun to gradually use Rust for code bases written in C and C++ to make the code more memory safe. These include initiatives from Meta, Google’s Android Open Source Project, the C++-led Chromium project (to some extent), and the Linux kernel.
In 2019, Microsoft revealed that 70% of the security vulnerabilities fixed in the past 12 years were memory safety issues. This number is high because Windows is primarily written in C and C++. Since then, the US National Security Agency (NSA) has advised developers to move from C++ to C#, Java, Ruby, Rust, and Swift.
The move to memory-safe languages—most notably, but not exclusively, Rust—even prompted C++ creator Bjarne Stroustrup and his peers to develop the “Safety in C++” initiative. Developers love the performance of C++, which still dominates embedded systems. C++ is still more widely used than Rust, but both are popular languages for systems programming.
The Consumer Reports study included input from several prominent figures in the information security field, as well as representatives from the Cybersecurity and Infrastructure Security Agency (CISA), the Internet Security Research Group, Google, the Office of the National Cyber Director, and others.
The report highlights that computer science professors have a “golden opportunity to explain the dangers here” by, for example, increasing the weight of memory safety errors when evaluating grades. But it added that teaching parts of certain courses in Rust could add “unnecessary complexity” and that Rust was perceived as more difficult to learn, while C appeared to be a safe choice for future employability for many students.
The report says the industry could examine the software bill of materials (SBOM) for data on which companies are hiring people who understand memory-safe languages and which still need C/C++.
To overcome programmers’ belief that memory-safe languages are harder, one could explain that these languages “force programmers to think about important concepts that ultimately improve code safety and performance,” the report states.
The report also addresses how to introduce new languages into existing codebases. Rather than rewriting existing kernel code, the Linux kernel project initially enables Rust for certain drivers. The Chromium security team is careful to enable Rust where it makes commercial sense, and to build memory safety features into C++ code in Chrome. The Android Open Source Project is pushing Rust more aggressively. In Android 13, 21% of new code is written in Rust, but C and C++ code still dominates.
The report says companies should be transparent about the reasons for the bugs, providing details about security flaws to help researchers and industry experts determine how many of the bugs are due to memory safety.
But knowing where to start will be difficult, because vulnerability disclosures often don’t provide enough information to tie the cause of a flaw to a specific language.
“For example, Apple’s security advisory currently does not provide enough detail to distinguish between memory vulnerabilities and logic errors raised by C/C++,” it noted.
The report acknowledges that the social and business incentives that the industry believes are needed to fully address a problem of this scale do not exist.
It also envisions a world where “memory safety” procurement regulations do exist. Today, it states that you can’t buy a router written entirely in a memory-safe language, because no such product exists.
“But the government could slowly push the industry forward by saying that newly developed custom components have to be memory safe. That would require some type of central coordination and trust in the system. The government could demand a memory safety roadmap as part of procurement. The map will explain how the company plans to eliminate memory-unsafe code in its products over time,” it noted.
Ideas for driving the adoption of memory-safe languages include letting developers list the memory safety mitigations used by their software, and a “nutrition label” approach that indicates the use of safe languages, auditing, the percentage of code covered by fuzzing, sandboxing, least privilege, etc.
It also proposes to provide organizations with regulatory and monetary incentives to convert legacy code to memory-safe languages.