The U.S. Cybersecurity and Infrastructure Security Agency has published research looking into 172 key open-source projects and whether they are susceptible to memory flaws.
The report, cosigned by CISA, the Federal Bureau of Investigation, as well as Australian and Canadian organizations, is a follow-up to the 'Case for Memory Safe Roadmaps' released in December 2023, aimed at raising awareness about the importance of memory-safe code.
Memory-safe languages are programming languages designed to prevent common memory-related errors such as buffer overflows, use-after-free, and other types of memory corruption.
They achieve this by managing memory automatically instead of relying on the programmer to implement safe memory allocation and deallocation mechanisms.
A modern example of a safe language system is Rust's borrow checker, which eliminates data races.
Other languages like Golang, Java, C#, and Python manage memory through garbage collection, automatically reclaiming freed memory to prevent exploitation.
Memory-unsafe languages are those that do not provide built-in memory management mechanisms, burdening the developer with this responsibility and increasing the likelihood of errors.
Examples of such cases are C, C++, Objective-C, Assembly, Cython, and D. Widely used open-source code unsafe.
The report presents research examining 172 broadly deployed open-source projects, finding that over half contain memory-unsafe code.
CISA explains that software developers face multiple challenges that often oblige them to use memory-unsafe languages, such as resource constraints and performance requirements.
That is especially true when implementing low-level functionalities like networking, cryptography, and operating system functions.
The agency also highlights the problem of developers disabling memory-safety features, either by error or on purpose, to meet specific requirements, resulting in risks even when using theoretically safer building blocks.
Ultimately, CISA recommends that software developers write new code in memory-safe languages such as Rust, Java, and GO and transition existing projects, especially critical components, to those languages.
It is recommended to follow safe coding practices, carefully manage and audit dependencies, and perform continuous testing, including static analysis, dynamic analysis, and fuzz testing, to detect and address memory safety issues.
CISA urges software devs to weed out path traversal vulnerabilities.
Chemical facilities warned of possible data theft in CISA CSAT breach.
CISA warns of actively exploited Linux privilege elevation flaw.
CISA warns of hackers exploiting Chrome, EoL D-Link bugs.
Exploit for critical Fortra FileCatalyst Workflow SQLi flaw released.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 26 Jun 2024 19:10:19 +0000