According to Consumer Reports’ research, developers across government and industry should use memory-safe languages for new products and tools and identify the most important libraries and packages for moving to memory-safe languages.
The US non-profit organization, known for testing consumer products, asked what steps could be taken to help the transition to “memory-safe” languages like Rust over options like C and C++. Consumer Reports said it wanted to address “industry-wide threats that cannot be addressed by user behavior or even consumer choice,” and identified “storage security” as such an issue.
The report, The Future of Memory Security, looks at a number of issues, including the difficulties in establishing memory-safe language adoption in universities, levels of distrust in memory-safe languages, implementation of memory-safe languages in codebases written in other languages, as well as incentives and public accountability.
Over the past two years, more and more projects have begun to gradually adopt Rust for codebases written in C and C++ to make code more memory-safe. Among them are initiatives at Meta, Google’s Android Open Source Project, the C++-preferring Chromium project (sort of), and the Linux kernel.
In 2019, Microsoft announced that over the past 12 years, 70% of the security bugs it had fixed were memory security issues. The number was high because Windows was mostly written in C and C++. Since then, the National Security Agency (NSA) has advised developers to make a strategic change from C++ in favor of C#, Java, Ruby, Rust and Swift.
The move toward memory-safe languages (most importantly, only Rust) has even prompted C++ creator Bjarne Stroustrup and his peers to plan for “C++ Security”. Developers like C++ for its performance, and it still dominates embedded systems. C++ is still more widely used than Rust, but both are popular languages for systems programming.
The Consumer Reports investigation includes the opinions of several prominent figures in the information security field, as well as representatives of the Cybersecurity and Infrastructure Security Agency (CISA), the Internet Security Research Group, Google, the Office of the National Cyber Chief, and others.
The report points out that computer science professors have a “golden opportunity here to explain the dangers” and can increase the weight of memory security errors in grading, for example. But it adds that teaching parts of some courses in Rust can add “unnecessary complexity” and that while Rust is more difficult to learn, C seems like a safe bet for future employment for many students.
The report notes that industry can obtain information about companies that hire people who know memory-safe languages and that require C/C++ by inspecting a software bill of materials (SBOM).
To dispel programmers’ belief that memory-safe languages are more difficult, one might explain that these languages “force programmers to think about important concepts that ultimately improve the safety and performance of their code,” the report notes.
The report also addresses how to bring a new language to an existing code base. The Linux kernel project doesn’t rewrite existing kernel code, but it does enable Rust for some drivers first. Chromium’s security team is cautiously starting with Rust where it makes business sense, as well as creating memory safety features for C++ code in Chrome. The Android Open Source Project is pushing Rust more aggressively. In Android 13, 21% of the new code was written in Rust; however, C and C++ code still dominates.
Companies should be transparent about the causes of bugs and provide detailed information about security vulnerabilities to help researchers and industry experts determine what percentage of vulnerabilities are related to memory security, the report says.
But it can be difficult to know where to start because vulnerability disclosures generally do not provide enough information to link the cause of the flaw to a specific language.
“For example, Apple’s security bulletins currently do not provide enough detail to separate C/C++-related memory vulnerabilities from logic errors,” it notes.
The report acknowledges the industry’s belief that the social and commercial incentives needed to fully address a problem of this magnitude do not exist.
It also envisions a world where “memory-safe” procurement rules exist. It notes that today you cannot buy routers written in completely memory-safe languages because there are no such products.
“But it might be possible for the government to slowly move the industry forward to say that newly developed specific components should be protected from memory. That might require some kind of central coordination and trust in that system. The government might require a memory security roadmap as part of the supplies. The map will explain how companies plan to remove dangerous code in their products over time,” it said.
Ideas driving the adoption of memory-safe languages include developers listing memory-safe mitigations used by software, as well as a “nutrition label” approach to show what percentage of code is covered by safe languages, audits, ambiguities, sandboxing, least privilege, etc.
It also recommends regulatory and monetary incentives for organizations to migrate legacy code to memory-safe languages.