The White House has called on the tech industry to adopt memory safe programming languages, eliminating most memory safety vulnerabilities from hardware and software.
The report by the Office of the National Cyber Director (ONCD) noted that memory safety vulnerabilities are one of the “most pervasive” classes of bugs.
Up to 70% of security vulnerabilities in memory unsafe languages that are patched and assigned a CVE designation are due to memory safety issues, industry analyses has found.
The ONCD said that software and hardware developers are best positioned to implement memory-safe languages, noting that this is a scalable method to substantially improve software security in most situations.
“Programmers writing lines of code do not do so without consequence; the way they do their work is of critical importance to the national interest,” the report outlined.
How to Implement Memory-Safe Programming Languages
Memory safety vulnerabilities affect how memory can be accessed, written, allocated, or deallocated.
They come in two broad categories:
- Spatial: These issues result from memory accesses performed outside of the “correct” bounds established for variables and objects in memory
- Temporal: These vulnerabilities arise when memory is accessed outside of time or state, such as accessing object data after the object is freed or when memory accesses are unexpectedly interleaved
The ONCD highlighted that a number of programming languages that have a high proliferation across critical systems are prone to memory safety issues, including the C and C++ languages.
There are “dozens” of memory safe programming languages that can be used, according to the report.
The report cited the chip and Capability Hardware Enhanced RISC Instructions (CHERI) as viable memory protections when building hardware.
These should be built into software as an architecture decision. Even for existing codebases, “there are still paths toward adopting memory safe programming languages.”
Anjana Rajan, Assistant National Cyber Director for Technology Security, commented: “Some of the most infamous cyber events in history – the Morris worm of 1988, the Slammer worm of 2003, the Heartbleed vulnerability in 2014, the Trident exploit of 2016, the Blastpass exploit of 2023 – were headline-grabbing cyberattacks that caused real-world damage to the systems that society relies on every day.
“Underlying all of them is a common root cause: memory safety vulnerabilities. For thirty-five years, memory safety vulnerabilities have plagued the digital ecosystem, but it doesn’t have to be this way.”
Engaging Stakeholders to Reduce Vulnerabilities
The ONCD also urged the tech community to develop better metrics to determine the cybersecurity quality of software.
This would help organizations find vulnerabilities before they occur or reduce their impact. Additionally, it would incentivize “ecosystem-wide behavior change,” the White House noted.
The report acknowledged that creating such metrics is difficult due to the complex software ecosystem; however, the research community has a critical role in the science of measuring software.
National Cyber Director Harry Coker said: “I’m also pleased that we are working with and calling on the academic community to help us solve another hard problem: how do we develop better diagnostics to measure cybersecurity quality?”
“Addressing these challenges is imperative to ensuring we can secure our digital ecosystem long-term and protect the security of our Nation.”
The new ONCD paper forms part of the US government’s National Cybersecurity Strategy, published in March 2023.
The strategy aims to shape market forces to drive security and resilience by design and shift the responsibility for cybersecurity towards technology creators.
In the UK, the government backed Digital Security by Design (DSbD) initiative is currently working on securing underlying computer hardware via the CHERI architecture, preventing memory safety and privilege escalation vulnerabilities from occurring.