Connect with us

Hi, what are you looking for?


Application Security

Five Eyes Agencies Publish Guidance on Eliminating Memory Safety Bugs

Government agencies in the Five Eyes countries have published new guidance on creating memory safety roadmaps.

Government agencies in the US, UK, Canada, Australia, and New Zealand have published guidance for software makers to eliminate memory safety vulnerabilities.

The document, named Case for Memory Safe Roadmaps (PDF), recommends the adoption of memory safe programming languages (MSLs), which will help eliminate well-known and common coding errors that threat actors routinely exploit in malicious attacks.

The guidance also provides software manufacturers with instructions on “creating and publishing memory safe roadmaps that will show their customers how they are owning security outcomes, embracing radical transparency, and taking a top-down approach to developing secure products”.

Memory safety bugs, the Five Eyes government agencies note, persist despite significant efforts put into reducing their prevalence. Transitioning to an MSL, however, should eliminate this type of security flaws and reduce their impact, allowing both developers and customers to invest resources in other areas.

“Eliminating this vulnerability class should be seen as a business imperative likely requiring participation from many departments. The authoring agencies urge executives to lead from the top by publicly identifying senior staff who will drive publication of their roadmap and assist with realigning resources as needed,” the guidance reads.

Some of the mitigation methods used to reduce memory safety bugs include developer training, code coverage (testing as much code as possible), secure code guidelines, fuzzing, the use of static application security testing (SAST) and dynamic application security testing (DAST) tools, and the use of safer language subsets.

To reduce the impact of this type of vulnerabilities, defenders have marked memory segments as non-executable, adopted Control Flow Integrity (CFI), Address Space Layout Randomization (ASLR), sandboxing, and other mitigation methods, and are considering the use of hardware to support memory protections.

“Despite software manufacturers investing vast resources attempting to mitigate memory safety vulnerabilities, they remain pervasive. Customers must then expend significant resources responding to these vulnerabilities through both onerous patch management programs and incident response activities,” the guidance reads.

Advertisement. Scroll to continue reading.

The adoption of MSLs should bring benefits to both software makers and their customers, by improving code reliability, reducing the need to patch the reported vulnerabilities and the number of emergency releases, and ultimately reducing the number of urgent updates that customers will need to install, as well as data breaches.

“In addition to bringing benefits to software manufacturers and their customers, MSLs reduce a product’s attack surface. That reduction in attack surface will increase the cost to malicious actors who then need to invest more resources discovering other exploitable vulnerabilities,” the guidance reads.

When developing a memory safety roadmap, software manufacturers should consider how to prioritize transition, the use of appropriate MSLs, and how they will train developers. For each of these aspects, the Five Eyes agencies recommend specific steps to follow.

The guidance also provides an overview of the implementation challenges that software makers will encounter when adopting MSLs, as well as details on the elements that a memory safety roadmap should include.

“The most promising path towards eliminating memory safety vulnerabilities is for software manufacturers to find ways to standardize on memory safe programming languages, and to migrate security critical software components to a memory safe programming language for existing codebases,” the guidance reads.

The guide was authored by the US cybersecurity agency CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), Australia’s Cyber Security Centre, the Canadian Centre for Cyber Security, UK’s National Cyber Security Centre, and New Zealand’s National Cyber Security Centre and Computer Emergency Response Team.

Related: US, UK Cybersecurity Agencies Publish AI Development Guidance

Related: US Government Releases Security Guidance for Open Source Software in OT, ICS

Related: CISA Releases Guidance on Adopting DDoS Mitigations

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.