US, Allies Warn of Memory Unsafety Risks in Open Source Software

Most critical open source software contains code written in a memory unsafe language, US, Australian, and Canadian government agencies warn.

Government agencies in the US, Australia, and Canada are drawing attention to memory safety issues in open source software (OSS) code, warning that most projects rely heavily on code written in a memory-unsafe language.

The use of such code introduces memory safety vulnerabilities that expose organizations and users to attacks, CISA, the FBI, Australia’s Cyber Security Center (ACSC), and the Canadian Centre for Cybersecurity (CCCS) note in their joint guidance.

The document, titled Exploring Memory Safety in Critical Open Source Projects (PDF), was published half a year after government agencies in the US, UK, Canada, Australia, and New Zealand released recommendations for software makers to eliminate memory safety bugs.

An analysis of 172 projects from the Open Source Security Foundation (OpenSSF) critical projects list shows that more than half of them contain code written in a memory-unsafe language, and that such code accounts for 55% of the total lines of code (LoC) in these projects.

“The largest projects are disproportionately written in memory-unsafe languages. Of the ten largest projects by total LoC, each has a proportion of memory unsafe LoC above 26%. The median proportion using memory-unsafe languages across the ten projects is 62.5% and four of the ten project proportions exceed 94%,” the authoring agencies say.

The analysis also revealed that even projects fully written in memory-safe languages are not risk free: each of the three such projects analyzed (Ansible, Distribution, and Home Assistant) depends on components written in memory-unsafe languages.

“Mistakes, which inevitably occur, can result in memory-safety vulnerabilities such as buffer overflows and use after free. Successful exploitation of these types of vulnerabilities can allow adversaries to take control of software, systems, and data,” the guidance reads.

The government agencies also note that the largest OSS projects, which include Chromium, the Linux kernel, gecko-dev, kvm, and linux-yocto-contrib, have over 25 million LoC, “much of which is written in memory-unsafe languages”.


In fact, the analysis revealed that, while the Chromium and Gecko web browser frameworks use memory-unsafe languages for roughly half of their code, the Linux kernel is written predominantly in them.

“We observed that many critical open source projects are partially written in memory-unsafe languages and limited dependency analysis indicates that projects inherit code written in memory-unsafe languages through dependencies,” the guidance reads.

According to the authoring agencies, the memory-unsafe languages taken into consideration are Assembly, C, C++, C/C++ Header, Cython, and D, while the non-executable languages and file types taken into consideration include CSV, diff, HTML, INI, JavaScript Object Notation (JSON), Markdown, reStructuredText, Text, Web Services Description, XHTML, XML, XSD, XSLT, and YAML.
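To make the report's metric concrete, the following added example (not code from the guidance or from SecurityWeek) classifies each project's lines of code with the language list above, computes the proportion of memory-unsafe executable LoC per project, the median and the count above a threshold as quoted earlier, and walks a dependency graph to show how a fully memory-safe project inherits memory-unsafe code. The project names, LoC figures, dependency edges and the decision to drop non-executable file types from the denominator are all constructed assumptions.

```python
from statistics import median

# Languages the guidance classifies as memory-unsafe (list taken from the page).
MEMORY_UNSAFE = {"Assembly", "C", "C++", "C/C++ Header", "Cython", "D"}
# Non-executable file types from the same list; this example leaves them out
# of the executable LoC denominator (an assumption, not the report's method).
NON_EXECUTABLE = {"CSV", "diff", "HTML", "INI", "JSON", "Markdown",
                  "reStructuredText", "Text", "XHTML", "XML", "XSD", "XSLT", "YAML"}

def unsafe_proportion(loc_by_language):
    """Fraction of a project's executable LoC written in memory-unsafe languages."""
    executable = {lang: n for lang, n in loc_by_language.items()
                  if lang not in NON_EXECUTABLE}
    total = sum(executable.values())
    if total == 0:
        return 0.0
    unsafe = sum(n for lang, n in executable.items() if lang in MEMORY_UNSAFE)
    return unsafe / total

def summarize(projects, threshold=0.94):
    """Per-project proportions, the median, and which projects exceed threshold."""
    props = {name: unsafe_proportion(langs) for name, langs in projects.items()}
    return {"proportions": props,
            "median": median(props.values()),
            "above_threshold": sorted(n for n, p in props.items() if p > threshold)}

def inherited_unsafe(name, projects, deps, seen=None):
    """Transitive dependencies of `name` that contain any memory-unsafe code."""
    seen = set() if seen is None else seen
    found = []
    for dep in deps.get(name, ()):
        if dep in seen:
            continue
        seen.add(dep)
        if unsafe_proportion(projects[dep]) > 0:
            found.append(dep)
        found.extend(inherited_unsafe(dep, projects, deps, seen))
    return found

# Constructed sample data: hypothetical projects, not figures from the report.
SAMPLE_PROJECTS = {
    "kernel-like": {"C": 950_000, "Assembly": 30_000, "Python": 20_000, "Markdown": 100_000},
    "browser-like": {"C++": 500_000, "JavaScript": 400_000, "Rust": 100_000, "HTML": 200_000},
    "native-ext": {"C": 5_000, "Python": 1_000},
    "pure-python-app": {"Python": 80_000, "YAML": 10_000},
}
SAMPLE_DEPS = {"pure-python-app": ["native-ext"]}
```

Calling `summarize(SAMPLE_PROJECTS)` reports the kernel-like project above the 94% threshold even though its Markdown lines are ignored, and `inherited_unsafe("pure-python-app", SAMPLE_PROJECTS, SAMPLE_DEPS)` flags the C-based dependency that the pure-Python project pulls in.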

The agencies note that assessing memory safety at scale is very difficult, especially since a complete dependency analysis is unlikely to be feasible, and that performance and resource constraints will lead to the continued use of memory-unsafe languages, especially in system kernels and drivers, networking, and cryptography.

“It may, however, be an effective security investment to transition these types of projects to memory safe languages, and new projects should also consider using memory safe languages. Recent advancements allow memory safe programming languages, such as Rust, to parallel the performance of memory-unsafe languages,” the agencies note.

Related: US, Allies Publish Guidance on Securing Network Access

Related: US Government Releases Guidance on Securing Election Infrastructure

Related: NSA Publishes Guidance on Mitigating Software Memory Safety Issues

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
