The National Security Agency (NSA) has recommended only using 'memory safe' languages, like C#, Go, Java, Ruby, Rust, and Swift, in order to avoid exploitable memory-based vulnerabilities.
The agency explained that memory issues in software make up a large portion of exploitable vulnerabilities. Due to this concern, the authority has advised developers to consider moving from programming languages with little or no memory protection, like C and C++, to a memory safe language.
Memory-safe languages provide various degrees of memory usage protections, and the agency recommended using code hardening defences, like tool analysis or operating system configurations, as well. By doing this, many memory vulnerabilities can be prevented, mitigated, or made harder for cyber actors to take advantage of.
The US security agency underlined that exploitable software vulnerabilities are still frequently based on memory issues. This includes overflowing a memory buffer or leveraging issues with how software allocates and deallocates memory.
Popular languages, like C or C++, provide a lot of freedom and flexibility when it comes to memory management, said the NSA. Here, the programmer must perform the checks on memory references and if they make a mistake, it can lead to exploitable memory-based vulnerabilities.
“While the use of added protections to non-memory safe languages and the use of memory safe languages do not provide absolute protection against exploitable memory issues, they do provide considerable protection,” stated the NSA. “Therefore, the overarching software community across the private sector, academia, and the US Government have begun initiatives to drive the culture of software development towards utilising memory safe languages.”
The NSA did say software analysis tools are able to detect instances of memory management issues, while operating environment options can provide protection too. However, it underlined the protection offered by memory safe software languages can prevent or mitigate most memory management issues.
Despite the warning, however, transitioning to memory safe languages, for many businesses, is not practical. “There are trillions of lines of code being used today written in C/C++ making it impossible to consider rewriting it all into a memory safe language,” said professor John Goodacre, director of the UKRI’s Digital Security by Design (DSbD) challenge and professor of computer architectures at the University of Manchester.
“Even when new code uses such languages, it's inevitable that it will be relying on code written in an unsafe language through its use of libraries or an operating system. Further, many of the higher-level languages are sandboxes by their runtime making them unsuitable for many classes of applications.”
RELATED RESOURCE
IBM FlashSystem 5000 and 5200 for mid-market enterprises
Manage rapid data growth within limited IT budgets
Goodacre explained that in DBsD, an initiative supported by the British government, a new approach known as CHERI has been applied to both Arm and Risc-V prototype chips. He said this makes the hardware itself memory safe and brings memory safety to existing software and offers resilience and security features for new code.
“The risk from memory unsafe code is significant with around 70% of ongoing reported vulnerabilities rooted in such issues,” said Goodacre. “Moving to CHERI enabled hardware will not only block exploitation of these memory safety vulnerabilities, but it also offers developers new capabilities that reduce the risk that bugs find their way into production, increasing developer productivity.”
-
Alteryx names former Salesforce, Oracle strategist as new global technology alliances leadNews The former Salesforce and Oracle leader will spearhead Alteryx’s partner strategy as the vendor targets deeper ecosystem collaboration
-
Microsoft launches Fara-7B, a new 'agentic' small language model that lives on your PCNews The new Fara-7B model is designed to takeover your mouse and keyboard
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
