The National Security Agency (NSA) published a new guide last week to aid software developers in preventing and mitigating software memory safety issues and connected vulnerabilities.
The document describes scenarios where malicious cyber actors exploit poor memory management to steal sensitive information, achieve unauthorized code execution and cause other negative impacts.
Further, poor memory management can also lead to technical issues, including incorrect program results, gradual degradation of the program’s performance and program crashes.
According to the NSA guide, both Microsoft and Google have separately stated that software memory safety issues are behind around 70% of their vulnerabilities.
“Memory vulnerabilities and attacks have been pervasive since the 1990s, so in general, this is good advice,” John Bambenek, principal threat hunter at Netenrich, said. “However, with that being said, as this is coming from the NSA, I believe this advice should take added urgency and is being driven by knowledge they have, and we don’t.”
In particular, the new NSA guidelines recommend that organizations use memory-safe languages when possible and improve protection via code-hardening techniques such as compiler options, tool options and operating system (OS) configurations.
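As an added illustration, not taken from the NSA guide or this article, the following C code shows the kind of memory-management defect the guidance targets next to a bounds-checked form that removes it; the function names, the buffer size and the build flags in the comment are assumptions for the example:

```c
/* Added example: an unbounded copy (a classic memory-safety defect)
 * beside a length-checked version. Build with the compiler hardening
 * the NSA guide refers to, for instance:
 *   gcc -O2 -Wall -Wextra -fstack-protector-strong -D_FORTIFY_SOURCE=2 ...
 * Those options mitigate the unsafe pattern; only the explicit check
 * in copy_name_safe actually removes it. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* assumed fixed-size destination buffer */

/* Unsafe: strcpy copies until the NUL terminator, so any input longer
 * than NAME_MAX-1 bytes writes past 'dst'. Shown for comparison only;
 * nothing below calls it. */
void copy_name_unsafe(char dst[NAME_MAX], const char *src) {
    strcpy(dst, src);
}

/* Hardened: the source length is measured without reading beyond
 * dst_len bytes, and an input that does not fit is rejected instead of
 * being written past the end of the buffer. Returns true on success. */
bool copy_name_safe(char *dst, size_t dst_len, const char *src) {
    size_t n = 0;
    if (dst == NULL || dst_len == 0 || src == NULL)
        return false;
    while (n < dst_len && src[n] != '\0')   /* bounded scan */
        n++;
    if (n >= dst_len) {                     /* no room for the NUL */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);                /* includes the terminator */
    return true;
}

int main(void) {
    char name[NAME_MAX];
    const char *inputs[] = { "alice", "this input is far too long for the buffer" };
    for (size_t i = 0; i < 2; i++) {
        bool ok = copy_name_safe(name, sizeof name, inputs[i]);
        printf("%-45s -> %s\n", inputs[i], ok ? name : "rejected (would overflow)");
    }
    return 0;
}
```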
“Shifting development languages can be a daunting challenge,” Mike Parkin, senior technical engineer at Vulcan Cyber, explained. “Though in many cases the programming languages the NSA is recommending come with other advantages and the pool of skilled programmers is growing.”
At the same time, Parkin added that several variables are in play when trying to port an application from one language to another.
“In the best-case scenario, the shift is relatively simple and can be done efficiently and reasonably quickly,” the executive told Infosecurity.
“In others, the application relies on features that are trivial in the original language but require extensive and expensive development to recreate in the new one.”
The NSA guidelines come days after Lenovo patched three vulnerabilities that could see attackers modify secure boot settings by changing a non-volatile random access memory (NVRAM) variable.