Government agencies in the US, UK, Canada, Australia, and New Zealand have published guidance for software makers to eliminate memory safety vulnerabilities.
The document, named Case for Memory Safe Roadmaps (PDF), recommends the adoption of memory safe programming languages (MSLs), which will help eliminate well-known and common coding errors that threat actors routinely exploit in malicious attacks.
The guidance also provides software manufacturers with instructions on “creating and publishing memory safe roadmaps that will show their customers how they are owning security outcomes, embracing radical transparency, and taking a top-down approach to developing secure products”.
Memory safety bugs, the Five Eyes government agencies note, persist despite significant efforts put into reducing their prevalence. Transitioning to an MSL, however, should eliminate this type of security flaw and reduce its impact, allowing both developers and customers to invest resources in other areas.
“Eliminating this vulnerability class should be seen as a business imperative likely requiring participation from many departments. The authoring agencies urge executives to lead from the top by publicly identifying senior staff who will drive publication of their roadmap and assist with realigning resources as needed,” the guidance reads.
Some of the mitigation methods used to reduce memory safety bugs include developer training, code coverage (testing as much code as possible), secure code guidelines, fuzzing, the use of static application security testing (SAST) and dynamic application security testing (DAST) tools, and the use of safer language subsets.
To reduce the impact of this type of vulnerability, defenders have marked memory segments as non-executable and adopted Control Flow Integrity (CFI), Address Space Layout Randomization (ASLR), sandboxing, and other mitigation methods, and are considering the use of hardware to support memory protections.
“Despite software manufacturers investing vast resources attempting to mitigate memory safety vulnerabilities, they remain pervasive. Customers must then expend significant resources responding to these vulnerabilities through both onerous patch management programs and incident response activities,” the guidance reads.
The adoption of MSLs should bring benefits to both software makers and their customers by improving code reliability, reducing the need to patch reported vulnerabilities and the number of emergency releases, and ultimately reducing the number of urgent updates that customers need to install, as well as the number of data breaches.
“In addition to bringing benefits to software manufacturers and their customers, MSLs reduce a product’s attack surface. That reduction in attack surface will increase the cost to malicious actors who then need to invest more resources discovering other exploitable vulnerabilities,” the guidance reads.
When developing a memory safety roadmap, software manufacturers should consider how to prioritize transition, the use of appropriate MSLs, and how they will train developers. For each of these aspects, the Five Eyes agencies recommend specific steps to follow.
The guidance also provides an overview of the implementation challenges that software makers will encounter when adopting MSLs, as well as details on the elements that a memory safety roadmap should include.
“The most promising path towards eliminating memory safety vulnerabilities is for software manufacturers to find ways to standardize on memory safe programming languages, and to migrate security critical software components to a memory safe programming language for existing codebases,” the guidance reads.
The guide was authored by the US cybersecurity agency CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), Australia’s Cyber Security Centre, the Canadian Centre for Cyber Security, the UK’s National Cyber Security Centre, and New Zealand’s National Cyber Security Centre and Computer Emergency Response Team.