The Biden Administration is continuing to lean on software developers to use memory safe languages to harden their applications against cyberattacks.
A technical report this week from the White House Office of the National Cyber Director (ONCD) said moving away from legacy languages like C and C++ and adopting more modern ones, including Rust, C#, Java, and Python, could eliminate a whole class of memory safety vulnerabilities that account for the most common language flaws.
It’s part of a larger push by the federal government to shift the responsibility of cybersecurity from those who use the software to those who create it.
“We, as a nation, have the ability – and the responsibility – to reduce the attack surface in cyberspace and prevent entire classes of security bugs from entering the digital ecosystem but that means we need to tackle the hard problem of moving to memory safe programming languages,” National Cyber Director Harry Coker said in a statement.
The report from the ONCD comes two months after the U.S. Cybersecurity and Infrastructure Agency (CISA) rolled out steps developers can take to make the shift to memory safe languages. CISA Director Jen Easterly at the time said that as much as two-thirds of all software vulnerabilities are the result of a lack of memory safe coding.
Easterly stressed that using memory safe languages is a key part of the government’s Secure By Design software development initiative.
Migrating to memory-safe languages falls in line with the push to be more proactive in developing more secure software and protecting users against bad actors who exploit memory safety vulnerabilities, which affect how memory can be accessed, written, and allocated in ways that developers never intended, according to the report’s authors.
They detailed the two primary categories of memory safety vulnerabilities. One is spatial memory issues, where memory access is performed outside of the “correct” bounds established for variables and objects in memory. In the other, “temporal memory safety issues arise when memory is accessed outside of time or state, such as accessing object data after the object is freed or when memory accesses are unexpectedly interleaved,” they wrote.
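The two categories can be seen in a few lines of Rust, one of the languages the report names. This is an added example, not code from the ONCD report or from this article; the `echo` function, the `Cache` type and the sample values are hypothetical. It shows an out-of-bounds read and an access after free both being turned into an explicit `None` instead of a read of memory the program does not own.

```rust
use std::rc::{Rc, Weak};

/// Spatial safety: echo back `claimed_len` bytes of `payload`.
/// `claimed_len` comes from the peer and may exceed the real payload size;
/// `get` bounds-checks it and returns None rather than reading adjacent memory.
fn echo(payload: &[u8], claimed_len: usize) -> Option<Vec<u8>> {
    payload.get(..claimed_len).map(|s| s.to_vec())
}

/// Temporal safety: a cache that holds a non-owning handle to a session.
struct Cache {
    session: Weak<String>,
}

impl Cache {
    /// Returns the session name only while the owning object is still alive.
    fn lookup(&self) -> Option<String> {
        self.session.upgrade().map(|s| (*s).clone())
    }
}

/// Frees the object while the cache still refers to it, then looks it up again.
fn lookup_before_and_after_free() -> (Option<String>, Option<String>) {
    let owner = Rc::new(String::from("alice")); // constructed sample value
    let cache = Cache { session: Rc::downgrade(&owner) };
    let before = cache.lookup();
    drop(owner); // the object is freed here
    let after = cache.lookup(); // stale handle yields None, not freed memory
    (before, after)
}

fn main() {
    let payload = b"bird"; // constructed sample input, 4 bytes long
    println!("in bounds:     {:?}", echo(payload, 4));
    println!("out of bounds: {:?}", echo(payload, 64));
    println!("before/after free: {:?}", lookup_before_and_after_free());
}
```

In C, the equivalent `memcpy` with an unchecked length and the equivalent dereference of a freed pointer both compile and run, which is the behavior the report's authors are describing.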
Anjana Rajan, assistant national cyber director for technology security, said in a statement that some of the highest profile cyberattacks over the past several decades – including the Morris worm in 1988, the Slammer worm in 2003, the Heartbleed vulnerability in 2014, the Trident exploit two years later, and the Blastpass exploit last year – damaged many systems that U.S. citizens rely on every day.
“Underlying all of them is a common root cause: memory safety vulnerabilities,” Rajan said. “For 35 years, memory safety vulnerabilities have plagued the digital ecosystem, but it doesn’t have to be this way.”
The report’s authors wrote that, since cybersecurity incidents often start with coding, examining the programming languages used for this coding is among the best ways to address threats. Now is the time to adopt memory safe languages, they wrote. There are dozens of such languages that can be used to design and build new products, and there already is proof that shifting to a memory safe language can improve cybersecurity, they wrote, adding that “when large code bases are migrated to a memory safe language, evidence shows that memory safety vulnerabilities are nearly eliminated.”
“For new products, choosing to build in a memory safe programming language is an early architecture decision that can deliver significant security benefits,” they wrote. “Even for existing codebases, where a complete rewrite of code is more challenging, there are still paths toward adopting memory safe programming languages by taking a hybrid approach. For example, software developers can identify the critical functions or libraries based on risk criteria and prioritize efforts to rewrite those first.”
Chris Hughes, chief security advisor at supply chain security startup Endor Labs and Cyber Innovation Fellow at CISA, applauded the government’s efforts to urge the use of memory safe languages, saying that, “it holds the potential to address longstanding vulnerabilities that plague systems despite being well known and understood for decades. Additionally, it advocates for suppliers to make more risk-informed consumption and use of open source components, bringing better open source security and governance into the components included in products and shipped to customers, further mitigating risk from software supply chain attacks.”
That said, Hughes noted that making the shift is challenging for organizations and developers. The White House is asking suppliers to prioritize software quality and security over such competing interests as speed to market, revenue, and competition. It also could force enterprises to significantly refactor existing products and software, which costs money and time and could detract from growth and revenue and delay new features.
“Many organizations may simply lack the development and engineering resources to perform the required refactoring of software, even if they were willing to place this as a priority above other competing requirements they face as a business,” he said.
The ONCD’s report also talks about the need for better metrics to measure the “cybersecurity quality” of software, which would give necessary feedback to both the creators of the software as well as its users.
Cybersecurity has been a priority for the White House since soon after President Biden took office. The Administration in 2021 issued an Executive Order around the issue and last year released its National Cybersecurity Strategy.
CISA and other agencies also have been driving home other ways to ensure software security, including the use of such tools as software bills-of-material (SBOMs).