The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) this week published guidance urging software developers to adopt memory-safe programming languages.
"The importance of memory safety cannot be overstated," the inter-agency report [PDF] says.
Memory safety refers to the extent to which programming languages provide ways to avoid vulnerabilities arising from the mishandling of computer memory. Languages like Rust, Go, C#, Java, Swift, Python, and JavaScript support automated memory management (garbage collection) or implement compile-time checks on memory ownership to prevent memory-based errors.
C and C++, two of the most widely used programming languages, are not memory-safe by default. And while developers can make them safer through diligent adherence to best practices and the application of static analysis tools, not everyone deploys code with that much care.
To further complicate matters, code written in nominally safe languages may still import unsafe C/C++ libraries using a Foreign Function Interface, potentially breaking memory safety guarantees.
[...] Google and Microsoft have attributed the majority of vulnerabilities in large software projects to memory safety errors. In Google's Android operating system, for example, 90 percent of high-severity vulnerabilities in 2018 came via memory safety bugs. In 2021, the Chocolate Factory noted that more than 70 percent of serious security issues in Chromium came from memory safety flaws.
The infamous Heartbleed flaw in the OpenSSL cryptographic library was the result of a memory safety error (an out-of-bounds read) in C code. And there are many other examples, including the mid-June Google Cloud outage, which Google's incident report attributes to a lack of proper error handling for a null pointer.
Within a few years, the tech industry began answering the call for memory-safe languages. In 2022, Microsoft executives began calling for new applications to be written in memory-safe languages like Rust. By 2023, Consumer Reports – a mainstream product review publication – published a report on memory safety and government officials like Jen Easterly, CISA's director at the time, cited the need to transition to memory-safe languages during public appearances.
The memory safety push created some turmoil in the Linux kernel community over the past year, as efforts to integrate Rust-based drivers met resistance from kernel maintainers. And it has alarmed the C/C++ communities, where developers have been busily trying to come up with ways to match the memory safety promises of Rust through projects like TrapC, FilC, Mini-C, and Safe C++.
The CISA/NSA report revisits the rationale for greater memory safety and the government's calls to adopt memory-safe languages (MSLs) while also acknowledging the reality that not every agency can change horses mid-stream.
[...] A recent effort along these lines, dubbed Omniglot, has been proposed by researchers at Princeton, UC Berkeley, and UC San Diego. It provides a safe way for unsafe libraries to communicate with Rust code through a Foreign Function Interface.
This is exactly the sort of project that CISA and the NSA would like to see from the private sector, particularly given pending budget cuts that could depopulate CISA by a third.
While the path toward greater memory safety is complicated by the need to maintain legacy systems and the fact that MSLs may not be the best option for every scenario, the government's message is clear.
"Memory vulnerabilities pose serious risks to national security and critical infrastructure," the report concludes. "MSLs offer the most comprehensive mitigation against this pervasive and dangerous class of vulnerability."
(Score: 3, Funny) by c0lo on Tuesday July 01, @04:41AM
I mean, if your program and your data are the same, you can't mishandle them.
'sides, LISP programmers and blackhat hackers should give a zero overlapping on a Venn diagram, I doubt the today's youngsters has the attention span to decode CADR((((...)))) expressions
https://www.youtube.com/@ProfSteveKeen https://soylentnews.org/~MichaelDavidCrawford
(Score: 3, Funny) by corey on Tuesday July 01, @05:13AM
In the same voice as the bikie at the start of Terminator 2: “You fergut ta say Ada.”
(Score: 4, Insightful) by bzipitidoo on Tuesday July 01, @05:14AM (3 children)
You want good code? Then don't hire bad programmers. Don't push your programmers, good or bad, to code as fast as possible. Don't use the "lines of code" metric to measure programmer performance. The stuff that is produced when the team is deathmarching in great haste will be horrible.
Now, who manages programming badly and tries to make up for the bad planning by pushing the programmers to the breaking point? Could it be, oh, commercial vendors such as MS?
(Score: 3, Insightful) by jb on Tuesday July 01, @08:16AM (1 child)
Couldn't agree more. As the old saying goes, If you pay peanuts you get monkeys. Those who take the art and science of software engineering seriously don't need "memory safety".
Why ever not? Just remember to set the sign bit when doing so. The number of lines of code a maintenance programmer removes from the code base (with zero loss of reliability, security or required functionality) is a fairly accurate metric for his real world performance. Green fields projects are a different kettle of fish (perhaps requirements met over LOC added times a language-specific constant might be a better proxy there), but those are much rarer today than they used to be.
(Score: 2) by pkrasimirov on Tuesday July 01, @10:01AM
Include in this count the everlasting config creep, endless xml/json/yaml/ini, make them auto-generated for bonus horror points. Oh wait, let's not even look at auto-generated code. The only time I ever saw a Java interface file of 300000 bytes was an auto-generated abomination of an interface with an inner class with boiler-plate methods. Ooh the horror! All that in what was called Application Server bloatware.
Delete.
(Score: 2) by JoeMerchant on Tuesday July 01, @01:59PM
Nah, it's all about the training wheels.
Put 'em in Rust and enforce them to not use those proven unsafe vulnerability prone design patterns.
(of course, once Rust has 30 years of development history, it will accrue a new stable of vulnerability prone design patterns so large and complex that a return to C++ where the vulnerabilities were more easily identified may be hailed as the only hope...)
Meanwhile "data driven" "procedural enforcement" of stepping over the known potholes is the way that clueless leadership feels like they are in control.
It reminds me of tales of "certified secure" military projects where the toolset was restricted to a small set of "certified" tools, use of anything else ist strengstens verboten. So, the developers spend 10x the effort re-inventing wheels inside their clean room, taking that effort away from the real things the project said it was supposed to be investigating. Now, the real desired results can vary from: budget inflation, providing metrics about how expensive it is to do secure research and development, project torpedoing: showing that after $20M or R&D effort we made zero progress toward the goal, so the $200M main budget can be looted for another project, etc. etc.
🌻🌻🌻 [google.com]
(Score: 2) by PiMuNu on Tuesday July 01, @05:31AM (1 child)
IIRC it's more memory safe than C, but can still make memory errors?
(Score: 2, Informative) by shrewdsheep on Tuesday July 01, @07:26AM
There is unsafe code in Rust, which must be explicitly declared (hardware access, low-level optimizations, interactions with foreign code). For the rest, memory lifetime and accessibility is strictly guaranteed. To nitpick, it doesn't prevent bit-flips, so technically, yes, Rust is not memory safe.
(Score: 0) by Anonymous Coward on Tuesday July 01, @08:02AM (7 children)
This will not be fixed by Rust et cetra. This was (likely) not a memory-corruption bug, and likely the result of Go language code -- memory safe code.
Even Javascript, a perfectly memory-safe language, has null pointers. Any time you set a variable = null and try and treat it as an object, you've committed a null-pointer deference exception -- and you get an exception for it. Same as go.
I wish people who don't know what they're talking about wouldn't be part of the discussion. Sigh.. so many times, people who don't know learn-as-they-go, causing damage all the way.
(Score: 0) by Anonymous Coward on Tuesday July 01, @08:05AM (2 children)
It's the first call for null-free languages!
All Herald BASIC!
(Score: 2) by theluggage on Tuesday July 01, @08:21AM
But POKE is probably not memory safe… :-)
(Score: 0) by Anonymous Coward on Tuesday July 01, @11:55AM
You joke, but in my IT travels (though, more properly, that should be travails) over the decades I've come across two unrelated organisations where all their bespoke 'critical' system code was written in BASIC, code which had migrated from mainframes, through minis to the eventual desktop PCs, where I had the dubious pleasure of finally meeting with it in all it's antique (but still serviceable) glory.
Then there was that place 26 years ago with the bespoke inventory system written in some database software's BASIC dialect running on a Sun server - funny story, the system was mostly Y2K compliant...mostly, that is, apart from the copy protection/licensing code that the muppet (friend of one of the PHBs) they'd contracted (no paperwork) to write (no source code, as there was no real contract) the damn thing had introduced on the fly into the thing (and, once I finally tracked him down, for which he wanted £16,000 to fix the problem, he was told, to quote The Big Yin, 'Gettifuyabassa').
There's probably a lot of 'legacy' BASIC code still lurking out there quietly doing it's thing, and I don't want to even begin to think about the amount of 'Visual' stuff...
(Score: 2) by RamiK on Tuesday July 01, @08:44AM
Rust's compiler forbids the use of uninitialized variable bindings: https://doc.rust-lang.org/std/ptr/index.html [rust-lang.org]
e.g. Even null function pointers are initialized as zero: https://doc.rust-lang.org/std/ptr/fn.null.html [rust-lang.org]
compiling...
(Score: 2) by janrinok on Tuesday July 01, @09:02AM (2 children)
If it was Go, then I am willing to bet that it was a programmer who didn't handle an error code. Almost 'everything' returns an error code, which should be checked, and is usually a value to show that no error occurred. My IDE flags up any errors that are not tested and handled. But if you intentionally write software that does handle the error then that is on the programmer, not the language.
[nostyle RIP 06 May 2025]
(Score: 2) by janrinok on Tuesday July 01, @09:03AM
*does not handle
[nostyle RIP 06 May 2025]
(Score: 2) by pkrasimirov on Tuesday July 01, @12:12PM
And it could be made much simpler with exceptions, their whole existence is exactly to avoid the need to check every op error code.
(Score: 0) by Anonymous Coward on Tuesday July 01, @12:16PM
Automatic memory management is not the saving grace for "safe" memory. Hire better programmers. Stop using garbage like Agile. No more cowboy coding.
(Score: 2) by Username on Tuesday July 01, @01:21PM
If the nsa wants it, it probably compiles some kind of backdoor into your programs.