ONCD releases report on the adoption of memory-safe languages

The effort is aimed at reducing one of the most common vulnerabilities that plague software.

In its latest effort to shift the cybersecurity burden from users to software and hardware makers, the White House issued a call to action Monday to eliminate one of the most common classes of vulnerability by using memory-safe programming languages.

The Office of the National Cyber Director’s new technical report is aimed at reducing the number of memory safety vulnerabilities, offering a strategic guide for eliminating this class of bug as far as possible. The document also asks the research community to develop better cybersecurity metrics by addressing software measurability.

“We’re doing this because available data on common vulnerabilities and exposures identify it as one of the most pervasive classes of bugs for decades. It is clear that the creators of software and of hardware are best positioned to address this problem,” National Cyber Director Harry Coker said during a call with reporters Monday. “Not all programming languages are created equal, and some are inherently more unsafe.”

The announcement is the latest effort by the Biden administration to move responsibility from end-users and small organizations to those that have the resources to reduce cybersecurity risks, as outlined in the national cybersecurity strategy and subsequent implementation plan. Last year, ONCD released a request for information about open-source security, including the adoption of memory safety languages.


Additionally, in December a coalition of U.S. and international security agencies released guidance recommending a switch to memory-safe languages such as Rust where possible.

But a shift of that kind is not an easy task. A senior ONCD official said during a call with reporters that, depending on the size of the company, migrating an existing codebase to a memory-safe programming language can be a multi-decade effort.

Even so, a report by Microsoft highlights the scale of the issue, in particular its finding that around 70% of the bugs it classifies as vulnerabilities are memory safety issues. Such vulnerabilities have led to some of the most well-known hacks, such as the Heartbleed bug, Anjana Rajan, ONCD’s assistant national cyber director for technology security, said in a statement.

“For 35 years, memory safety vulnerabilities have plagued the digital ecosystem, but it doesn’t have to be this way,” Rajan said. “This report was created for engineers by engineers because we know they can make the architecture and design decisions about the building blocks they consume — and this will have a tremendous effect on our ability to reduce the threat surface, protect the digital ecosystem and ultimately, the nation.”

Additionally, the report calls for the development of “empirical metrics that measure the cybersecurity quality of software.” Calling this one of the “hardest open research problems,” the report points to open-source software as an “excellent environment” for applying software measurement.


The announcement was also accompanied by statements of support for the report from a slew of industry representatives, academics, and experts.
