Old favourites among software developers like C and C++ can’t guarantee memory-safe software and should be replaced, according to the cyber security agencies of the ‘Five Eyes’ countries.
As part of their ongoing “secure by design” effort, the agencies have called on software developers to adopt memory-safe programming languages.
Memory safety failures are responsible for the lion’s share of software vulnerabilities, the Five Eyes-sponsored document explains: 70 percent of common vulnerabilities and exposures (CVEs) in each of Microsoft’s products and Google’s Chromium project, and 32 out of 34 high- or critical-rated CVEs in Mozilla.
Hence the focus on memory safety by the cyber security agencies of America, Canada, Australia, the UK and New Zealand.
The document explains that memory safety vulnerabilities are the most prevalent class of disclosed bug.
Familiar vulnerability types in this class include buffer overruns and use-after-free bugs, which give attackers a vector to “illicitly access data, corrupt data, or run arbitrary malicious code”.
“The pervasiveness of memory unsafe languages means that there is currently significant risk in the most critical computing functions,” the joint paper notes.
The agencies also “strongly encourage software manufacturers to write and publish memory safe roadmaps.”
This, the paper said, signals that software vendors are embracing the secure by design principles of taking ownership of their security outcomes; adopting “radical transparency”; and taking a top-down approach to developing secure products.