The U.S. Cybersecurity and Infrastructure Security Agency (CISA), together with the FBI and partner agencies in Australia and Canada, has released a report on memory safety in 172 key open-source projects. It follows up on the agencies' earlier advocacy for memory-safe code and stresses the need to eliminate memory-related errors such as buffer overflows and memory corruption through better choices of language and programming practice.
Memory-safe languages prevent these errors automatically: Rust enforces ownership and lifetime rules at compile time through its borrow checker, while Go, Java, C#, and Python manage memory at runtime through garbage collection. In contrast, memory-unsafe languages such as C and C++ leave memory management to the programmer, and the resulting mistakes are exactly the bugs that malicious actors exploit.
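The kind of defect the report counts, shown as an added illustration in C (not code from the CISA report): an unbounded copy into a fixed-size buffer, next to a version that checks the length before writing. The struct, field names and sample inputs are constructed for the example.

```c
/* Added example: the classic fixed-buffer copy in C, in its memory-unsafe
 * form and in a bounds-checked form. Not taken from the CISA report. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

struct record {
    char name[NAME_LEN];
    int  id;              /* placed right after 'name'; an overflow corrupts it */
};

/* Memory-unsafe: strcpy copies until the NUL in 'src', however long it is.
 * Any 'src' of NAME_LEN or more characters writes past 'name' into 'id' and
 * beyond. The language does nothing to stop it; this is undefined behaviour. */
void set_name_unsafe(struct record *r, const char *src)
{
    strcpy(r->name, src);
}

/* Bounds-checked: reject input that does not fit (leaving the record untouched)
 * and always leave the field NUL-terminated. Returns true on success. */
bool set_name_checked(struct record *r, const char *src)
{
    /* Look for the terminator only within the first NAME_LEN bytes of 'src',
     * so the scan itself never reads past a buffer of that size. */
    const char *end = memchr(src, '\0', NAME_LEN);
    if (end == NULL)
        return false;                 /* needs NAME_LEN+1 or more bytes with NUL */
    size_t n = (size_t)(end - src);   /* n <= NAME_LEN - 1 */
    memcpy(r->name, src, n + 1);      /* n + 1 <= NAME_LEN, includes the NUL */
    return true;
}

int main(void)
{
    struct record r = { "", 42 };
    /* Constructed inputs: one that fits, one that would overflow. */
    const char *ok  = "alice";
    const char *bad = "this_name_is_far_too_long_for_the_buffer";

    printf("checked(ok)  = %d, id=%d\n", set_name_checked(&r, ok), r.id);
    printf("checked(bad) = %d, id=%d\n", set_name_checked(&r, bad), r.id);
    /* set_name_unsafe(&r, bad) would silently overwrite r.id and whatever lies
     * beyond r on the stack; it is deliberately not called here. */
    return 0;
}
```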
The report's findings are stark: more than half of the analyzed critical open-source projects contain code written in memory-unsafe languages, those languages account for a large share of the projects' total lines of code (LoC), and even the largest projects carry high percentages of memory-unsafe code. Even projects that write their own critical components in memory-safe languages frequently depend on libraries written in memory-unsafe ones, and inherit those libraries' vulnerabilities.
CISA acknowledges the obstacles developers face in adopting memory-safe languages, chiefly performance demands and legacy code, particularly in low-level functionality such as networking and cryptography. Nonetheless, the agency stresses that new development and critical components should move to memory-safe languages, and it advocates rigorous dependency analysis, safe coding practices, and comprehensive testing to reduce the risk from memory vulnerabilities and protect software security and integrity.