Application developers can reduce the odds of their code including memory vulnerabilities by changing to a modern language, says the U.S. National Security Agency (NSA).
In an advisory, the agency urges developers to think about dropping C and C++ and shifting to languages such as C#, Go, Java, Ruby, Rust, and Swift.
In these languages, memory is managed automatically, the NSA says. They do not rely on the programmer adding code to implement memory protection.
“Memory issues in software comprise a large portion of the exploitable vulnerabilities in existence,” the agency notes. For example, it says, a Microsoft study found that, from 2006 to 2018, 70 percent of its vulnerabilities were due to memory safety issues. Google also found a similar percentage of memory safety vulnerabilities over several years in its Chrome browser.
Commonly used languages, such as C and C++, provide a lot of freedom and flexibility in memory management, the advisory admits. But they also rely heavily on the programmer to perform the needed checks on memory references. “Simple mistakes can lead to exploitable memory-based vulnerabilities,” it says. And while software analysis tools can detect many instances of memory management issues, and operating environment options can also provide some protection, the inherent protections offered by memory-safe software languages can prevent or mitigate most memory management issues.
“Memory-safe languages provide differing degrees of memory usage protections,” the advisory cautions, “so available code hardening defenses, such as compiler options, tool analysis, and operating system configurations, should be used for their protections as well.” But, it adds, “by using memory-safe languages and available code hardening defenses, many memory vulnerabilities can be prevented, mitigated, or made very difficult for cyber actors to exploit.”
The advisory lists several common memory issues. One is called a “buffer overflow,” where data is accessed outside the bounds of an array. Other common issues relate to memory allocation. A program can allocate new memory locations as it executes and then deallocate the memory, also called releasing or freeing it, later when it is no longer needed. But if the developer does not do this carefully, new memory may be allocated again and again as the program runs without ever being freed, so the program could eventually run out of available memory.
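The two issues named above, and the point made earlier that C leaves the bounds checks to the programmer, are easier to see in code. The following is an added example written for this article; it is not code from the NSA advisory or from Microsoft or Google. It shows the unchecked C pattern that produces a buffer overflow beside a checked copy, and a request loop that leaks a block per iteration beside one that frees it. `NAME_LEN`, `copy_name_unchecked`, `copy_name_checked`, `name_fits` and the `process_requests_*` functions are names invented for the example, and the allocation counter stands in for what a leak detector would report.

```c
/* Added example (not from the NSA advisory or the article): the two memory
 * issues the article names, a buffer overflow and a leak from repeated
 * allocation, each shown as the risky C pattern beside a checked version.
 * NAME_LEN, copy_name_*, name_fits and process_requests_* are invented here. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 8                /* fixed-size destination buffer */

/* Risky: strcpy trusts the caller. A source longer than NAME_LEN-1 bytes
 * writes past the end of dst, the out-of-bounds access the advisory calls a
 * buffer overflow. Nothing in the language stops it, so this function is
 * shown for contrast only and is never called with oversize input below. */
void copy_name_unchecked(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);
}

/* Checked: the programmer supplies the bound the language does not.
 * Returns 0 on success, -1 if src does not fit; dst is always
 * NUL-terminated and never written past dst_len bytes. */
int copy_name_checked(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (dst_len == 0)
        return -1;
    if (n >= dst_len) {           /* need one byte for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Convenience wrapper: does src fit a NAME_LEN buffer? 1 = yes, 0 = no. */
int name_fits(const char *src)
{
    char name[NAME_LEN];
    return copy_name_checked(name, sizeof name, src) == 0;
}

/* Allocation tracking so the leak is observable without external tools. */
static long outstanding_allocs = 0;

static void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    if (p)
        outstanding_allocs++;
    return p;
}

static void tracked_free(void *p)
{
    if (p) {
        outstanding_allocs--;
        free(p);
    }
}

/* Risky: a per-request scratch buffer is allocated on every iteration and
 * the pointer is dropped, so the block is never freed. Run long enough,
 * the process runs out of memory. Returns the blocks still allocated
 * (the OS reclaims them only when the process exits). */
long process_requests_leaky(int requests)
{
    outstanding_allocs = 0;
    for (int i = 0; i < requests; i++) {
        char *scratch = tracked_malloc(64);
        if (!scratch)
            break;
        snprintf(scratch, 64, "request %d", i);   /* ... handle request ... */
        /* missing: tracked_free(scratch); */
    }
    return outstanding_allocs;
}

/* Fixed: every allocation is paired with a free before the pointer is lost. */
long process_requests_fixed(int requests)
{
    outstanding_allocs = 0;
    for (int i = 0; i < requests; i++) {
        char *scratch = tracked_malloc(64);
        if (!scratch)
            break;
        snprintf(scratch, 64, "request %d", i);
        tracked_free(scratch);
    }
    return outstanding_allocs;
}

int main(void)
{
    printf("\"alice\" fits:       %d\n", name_fits("alice"));
    printf("\"bartholomew\" fits: %d\n", name_fits("bartholomew"));
    printf("leaky loop leaves %ld blocks\n", process_requests_leaky(5));
    printf("fixed loop leaves %ld blocks\n", process_requests_fixed(5));
    return 0;
}
```

The checked copy rejects an oversize input rather than silently truncating it, which keeps the failure visible to the caller; a memory-safe language would raise the same out-of-bounds condition at runtime without the programmer writing the check. Building with a sanitizer such as AddressSanitizer, one of the tool-based defenses the advisory mentions, would report both the overflow and the leak at run time.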
By exploiting memory issues, malicious actors may be able to enter unusual inputs into the program, causing memory to be accessed, written, allocated, or deallocated in unexpected ways. In some cases, the advisory says, a malicious actor can exploit these memory management mistakes to access sensitive information, execute unauthorized code, or cause other negative impacts.
It isn’t trivial to shift a mature software development infrastructure from one computer language to another, the NSA admits. Skilled programmers need to be trained in a new language, and there is an efficiency hit when using a new language. Programmers must endure a learning curve and work their way through any “newbie” mistakes. While another approach is to hire programmers skilled in a memory-safe language, they too will have their own learning curve for understanding the existing code base and the domain in which the software will function.
But the agency believes the shift is necessary.