US lawmakers are pushing for a shift to memory safe programming languages, but will it improve software security?

The White House says there is strong evidence that it’s time for software developers to make the switch to memory safe programming languages, because doing so can eradicate a whole range of security risks from their code.

In a new report, the White House Office of the National Cyber Director (ONCD) said developers can prevent entire classes of software vulnerabilities by adopting memory safe programming languages.

While programming languages might be an unexpected subject for the White House to get excited about, the report notes that creators of software and hardware can have an outsized impact on the nation’s shared security.

“Programmers writing lines of code do not do so without consequence; the way they do their work is of critical importance to the national interest,” the report said.

Anjana Rajan, assistant national cyber director for technology security, said some of the most infamous cyber events in history, from the Morris worm of 1988 right up to the Heartbleed vulnerability in 2021 and the Blastpass exploit of 2023, had a common root cause - memory safety vulnerabilities.

“For thirty-five years, memory safety vulnerabilities have plagued the digital ecosystem, but it doesn’t have to be this way,” Rajan said.

Memory safety vulnerabilities are a class of vulnerability affecting how memory can be accessed, written, or allocated in unintended ways. The report said some programming languages, such as C and C++, lack the features associated with memory safety yet are widely used in critical systems.

Recommendations to switch to memory safe languages are not entirely new. The NSA said a couple of years ago that developers should make the switch.

“Examples of memory safe language include C#, Go, Java, Ruby, Rust, and Swift,” the NSA said at the time.

In a memory safe language, memory is managed automatically and thus does not rely on the programmer adding code to implement memory protections, it explained.

“The language institutes automatic protections using a combination of compile time and runtime checks. These inherent language features protect the programmer from introducing memory management mistakes unintentionally.”

The White House report, Back to the building blocks: A path towards secure and measurable software, said the “highest leverage” method to reduce memory safety vulnerabilities is to secure one of the building blocks of cyberspace: the programming language itself.

“Using memory safe programming languages can eliminate most memory safety errors,” the report said.

It added that since many cyber security issues start with a line of code, one of the most effective ways to address those issues is through the choice of programming language used.

“Ensuring that a programming language includes certain properties, such as memory or type safety, means software built upon that foundation automatically inherits the security those features provide,” it said.

The report noted there is “strong evidence that now is the time to make these changes”. It said there are now dozens of memory safe programming languages that can “and should” be used, which means it’s possible to design and build new products in memory safe programming languages from day one.

It further noted that the switch to memory safe programming languages has a demonstrably positive effect on cyber security, as up to 70% of security vulnerabilities in memory unsafe languages patched and assigned a CVE designation are due to memory safety issues.

For new products, choosing to build in a memory safe programming language is an early decision that can deliver significant security benefits, and even for existing codebases, where a complete rewrite of code is more challenging, it’s possible to take a hybrid approach which could involve rewriting critical functions and libraries first.

Memory safe languages aren't a silver bullet for software security

Memory safe languages aren’t without their own security risks of course, but in most cases they can be a good step forward.

“They offer a way to eliminate, not just mitigate, entire bug classes. This is a remarkable opportunity for the technical community to improve the cyber security of the entire digital ecosystem,” the report said.

The report has had some big name backing, too.

Dan Boneh, Professor of Computer Science, Stanford University, said software quality would be “greatly improved if we could somehow wave a magic wand and have all existing software translated to a memory-safe language”.

“Unfortunately, such a magic wand does not yet exist,” he added.

Meanwhile, Jeff Moss, president of DEFCON and Black Hat, said he endorsed the recommendation to adopt memory safe programming languages across the ecosystem because doing so can “eliminate whole categories of vulnerabilities that we have been putting band-aids on for the past thirty years”.

Beyond programming languages, the report said that more work needs to be done on measuring the cyber security quality of software products, something that experts have grappled with for decades to little result.

However, if there were a better way of measuring the security of software projects, many vulnerabilities could be anticipated – and mitigated – before the software was released or went into production.

As well as technology shifts, the report said we need to rethink where responsibility for cyber security lies, shifting the focus from the front-line defenders to the wider range of executives, which also ties into the need for better metrics.

For far too long, primary responsibility for the cybersecurity of an organization has rested with the Chief Information Security Officer (CISO) of the company using software, it said – but it’s also important that the CIO buying the software and the CTO of the company building the software also feel that they share this responsibility.

“A cyber security quality metric could improve collaborative decision-making across all parties,” the report said.

“With better metrics, CTOs could use a range of rigorous analysis methods – such as code reviews, acceptance tests, and formal methods – to assure that vulnerabilities in a piece of software will be rare. A CIO might base a purchasing decision in large part on how well a software product scores on quality metrics, confident that its adoption would pose less risk to the organization.”

Steve Ranger

Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of silicon.com.