WASHINGTON – The White House Office of the National Cyber Director (ONCD) released a report calling on the technical community to proactively reduce the attack surface in cyberspace by implementing and using Memory Safe Programming Languages.
Memory safety vulnerabilities are coding errors affecting software’s memory management code in which memory can be accessed, written, allocated, or deallocated in unintended ways and ONCD believes it can prevent entire classes of vulnerabilities from entering the digital ecosystem by adopting memory safe programming languages.
Types of memory-related coding errors mentioned include buffer overflow, use after free, use of uninitialized memory, and double free. Exploiting these vulnerabilities could allow malicious actors to access or corrupt data or run arbitrary malicious code with the same privilege as the system owner. Recommended memory safe programming languages mentioned in the report include C#, Go, Java, Python, Rust, and Swift.
They say that this transition will enable memory safe programming languages to mitigate memory-related vulnerabilities and reduce the products’ attack surface. Software manufacturers should evaluate multiple memory safe programming languages before integrating them into their workflows.
The ONCD has recommended that software manufacturers create roadmaps for the utilization of, and transition to, memory safe programming languages.
In a Press Release the ONCD says that there are a number of technical and non-technical factors for software manufacturers to consider when developing their roadmap. These include picking a memory safe language, staff capabilities and resourcing, and prioritization guidance.
ONCD is also encouraging the research community to address the problem of software measurability to enable the development of better diagnostics that measure cybersecurity quality.
The report is titled “Back to the Building Blocks: A Path Toward Secure and Measurable Software.”
0