US Lawmakers Advocate for a Shift to Memory Safe Programming Languages: A Security Revolution?
The quest for enhancing software security could be significantly streamlined, courtesy of a strategic shift towards memory safe programming languages—a viewpoint strongly advocated in a report by the White House’s Office of the National Cyber Director (ONCD).
In this groundbreaking report, the spotlight shines on the potential of memory safe programming languages to obliterate a spectrum of software security risks. It’s an advocacy that might seem unconventional coming from a governmental body, yet underscores the profound impact that software and hardware developers have on national and global security dynamics.
“Programmers writing lines of code do not do so without consequence; the way they do their work is of critical importance to the national interest,” the report emphasizes.
Anjana Rajan, the assistant national cyber director for technology security, highlights a compelling narrative, drawing connections between historical and contemporary cyber incidents. From the 1988 Morris worm to the 2021 Heartbleed vulnerability, and most recently, the 2023 Blastpass exploit—memory safety vulnerabilities have been a consistent antagonist in the digital world. “For thirty-five years, memory safety vulnerabilities have plagued the digital ecosystem, but it doesn’t have to be this way,” Rajan asserts.
The report delineates memory safety vulnerabilities as mishaps relating to inappropriate access, allocation, or modification of memory. It critiques programming languages such as C and C++, which, despite their prevalence in critical systems, lack inherent memory safety features.
Memory safety has long been on the radar of cybersecurity authorities. Even the NSA had previously recommended a transition to memory safe languages, noting languages such as C#, Go, Java, Ruby, Rust, and Swift as prime examples. These languages automate memory management, thereby buffering programmers from unintended memory management errors through a blend of compile-time and runtime checks.
The ONCD report, titled ‘Back to the building blocks: A path towards secure and measurable software’, proposes securing the programming language layer as the “highest leverage” approach for reducing memory safety vulnerabilities. The inherent properties of memory safe languages not only eradicate most memory safety errors but also lay a secure foundation for programming initiatives.
Highlighting the timing for this strategic shift, the report says, “There is strong evidence that now is the time to make these changes.” It points to the availability of dozens of memory safe programming languages suitable for new product development and the substantial cybersecurity benefits they promise—claiming that up to 70% of security vulnerabilities in memory unsafe languages could be avoided.
For existing codebases, the transition might pose challenges but adopting a hybrid approach—focusing on rewriting critical functions and libraries in memory safe languages—could offer a scalable solution.
Despite the inherent security enhancements, memory safe languages are not a panacea. Yet, their adoption represents a proactive step towards eliminating, rather than merely mitigating, a whole class of vulnerabilities.
The report has garnered support from notable figures in the tech community. Dan Boneh, Professor of Computer Science at Stanford University, and Jeff Moss, president of DEFCON and Black Hat, have both endorsed this paradigm shift for its potential to significantly curb vulnerabilities.
Beyond programming languages, the report advocates for improved cybersecurity metrics and a holistic shift in responsibility across the cybersecurity landscape, underscoring the collective responsibility of CISOs, CIOs, and CTOs in mitigating vulnerabilities.
In essence, the White House report envisions a cybersecurity ecosystem underpinned by memory safe programming languages. This shift, while monumental, promises a future where software security is not an afterthought but a foundational element of digital product development.