More than half of open-source projects contain code written in a memory-unsafe language, a report from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has found.
Memory-unsafe code allows operations that can corrupt memory, leading to vulnerabilities such as buffer overflows, use-after-free and memory leaks.
Out of the total lines of code for these projects, 55% were written in a memory-unsafe language, with the larger projects containing more.
Memory-unsafe lines make up more than a quarter of the code in each of the 10 largest projects in the data set, and the median proportion among them is 62.5%. Four of them consist of more than 94% memory-unsafe code.
Memory-unsafe languages, like C and C++, require developers to manually implement rigorous memory management practices, including careful allocation and deallocation of memory.
On the other hand, memory-safe languages, like Python, Java, C# and Rust, handle memory management automatically through built-in features and shift the responsibility to the interpreter or compiler.
The report's authors also analysed the software dependencies of three projects written in memory-safe languages, and found that each of them depended on other components written in memory-unsafe languages.
Memory-unsafe code is prevalent because it gives developers the ability to directly manipulate hardware and memory.
Developers might use memory-unsafe languages directly because they are unaware of or unbothered by the risks.
Those who are aware of the risks and do not wish to incorporate memory-unsafe code might still do so unintentionally through a dependency on an external project.
One reason is that languages often have multiple mechanisms for specifying or creating dependencies, which complicates identifying them.
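As an added example (not from the report or the article), the following Python scan inspects the distributions installed in the running interpreter and flags any that ship compiled extension modules or C/C++ sources, which is one way a project in a memory-safe language can locate the memory-unsafe components it depends on. The suffix lists and the sample distributions are constructed assumptions, and the scan only sees what each package's RECORD lists, so native libraries loaded at runtime through ctypes or from system packages are among the other dependency mechanisms it cannot see.

```python
from importlib.metadata import distributions

# Suffixes of compiled extension modules / shared libraries (native code).
NATIVE_SUFFIXES = {".so", ".pyd", ".dylib", ".dll"}
# Suffixes of C/C++ sources shipped inside the installed package.
UNSAFE_SOURCE_SUFFIXES = {".c", ".cc", ".cpp", ".cxx", ".h", ".hpp"}


def _suffix(path):
    """Final extension, e.g. '_fast.cpython-312-x86_64-linux-gnu.so' -> '.so'."""
    name = path.rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def classify_files(paths):
    """Split one distribution's file list into native binaries and C/C++ sources."""
    native = [p for p in paths if _suffix(p) in NATIVE_SUFFIXES]
    sources = [p for p in paths if _suffix(p) in UNSAFE_SOURCE_SUFFIXES]
    return native, sources


def summarize(dist_files):
    """Return {name: findings} for every distribution that ships native code.
    dist_files maps a distribution name to the relative paths in its RECORD;
    native_ratio is a share of files (installed metadata has no line counts)."""
    findings = {}
    for name, paths in dist_files.items():
        native, sources = classify_files(paths)
        if native or sources:
            findings[name] = {"native": native, "sources": sources,
                              "native_ratio": len(native) / len(paths)}
    return findings


def scan_installed():
    """Collect {name: files} for every distribution visible to this interpreter."""
    return {d.metadata["Name"]: [str(f) for f in (d.files or [])]
            for d in distributions()}


# Constructed sample distributions (not real packages) for offline use.
SAMPLE_DISTS = {
    "purelib-demo": ["purelib_demo/__init__.py", "purelib_demo/core.py"],
    "native-demo": ["native_demo/__init__.py",
                    "native_demo/_fast.cpython-312-x86_64-linux-gnu.so",
                    "native_demo/src/fast.c"],
}

if __name__ == "__main__":
    for name, info in summarize(scan_installed()).items():
        print(f"{name}: {len(info['native'])} native file(s), "
              f"{len(info['sources'])} C/C++ source(s)")
```

Running it against `SAMPLE_DISTS` reports only `native-demo`; against a real environment it lists every installed package whose RECORD contains native artefacts.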
The report concludes that the broader development community needs to transition to more modern memory-safe languages.
Recommendations to reduce the risks of memory-unsafe code
The report refers to CISA's The Case for Memory Safe Roadmaps document and the Technical Advisory Council's report on memory safety for recommendations on how to reduce the prevalence of memory-unsafe languages.
Efforts from officials to reduce the prevalence of memory-unsafe code
In 2023, CISA Director Jen Easterly called on universities to educate students on memory safety and secure coding practices.
The 2023 National Cybersecurity Strategy and its implementation plan were then published, which discussed investing in memory-safe languages and collaborating with the open source community to champion them further.
That December, CISA published The Case for Memory Safe Roadmaps and the Technical Advisory Council's report on memory safety.
In February this year, the White House published a report promoting the use of memory-safe languages and the development of software safety standards, which was backed by major technology companies including SAP and Hewlett Packard Enterprise.
The U.S. government's efforts are supported by a number of third-party groups that share its aim of reducing the prevalence of memory-unsafe code.
This Cyber News was published on www.techrepublic.com. Publication date: Mon, 01 Jul 2024 22:13:08 +0000