CISA Urges Abandoning C/C++ to Eliminate Memory Security Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) in the United States has released a document titled “The Case for Memory Safe Roadmaps” (December 2023), outlining how software developers should transition to memory safe languages (MSLs) to eliminate memory safety vulnerabilities.

CISA contends that memory safety errors often result in significant losses and must be eradicated. It therefore urges business and technology leaders to treat memory safety as a first-order concern in software development.
C and C++ are cited as the prime examples of memory-unsafe languages: code written in them can silently corrupt memory, and they remain among the most widely used languages today.
The guidance is a joint effort by CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the national cybersecurity agencies of Australia, Canada, the United Kingdom, and New Zealand. It aims to persuade senior management of every software company to reduce customer risk by prioritizing MSLs in design and development practices, and to create and publish memory safety roadmaps so that customers understand the memory safety risks they face.
“MSLs can eliminate memory safety vulnerabilities. Therefore, transitioning to MSLs may significantly reduce the need for investments in activities aimed at reducing or minimizing the impact of these vulnerabilities. Moreover, the investment in migrating unsafe codebases to MSLs will yield long-term returns in the form of more secure products, offsetting some of the initial costs associated with transitioning to MSLs.”
The document points out that around 70% of Microsoft’s Common Vulnerabilities and Exposures (CVEs) from 2006 to 2018 were memory safety vulnerabilities. Of 34 critical/high-severity vulnerabilities Mozilla examined, 32 were memory safety bugs. Approximately 70% of the serious security bugs in the Google Chromium project were memory safety vulnerabilities, and 67% of the zero-day vulnerabilities exploited in the wild in 2021 were memory safety issues as well.
While some organizations have invested heavily in developer training to mitigate the risks of memory-unsafe code in C/C++, CISA and its partner agencies argue that “although training can reduce the number of vulnerabilities programmers might introduce, given the prevalence of memory safety defects, the occurrence of memory safety vulnerabilities is almost inevitable.”
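To make concrete what such a defect looks like, and why one is "almost inevitable" in a large C codebase, here is an added example (not code from the CISA document or from any project it cites): a length-prefixed field copy, the pattern behind a great many out-of-bounds reads and writes, next to a bounds-checked version. The record layout, the 16-byte destination, and the sample records are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not code from the CISA document or any project it cites.
 * Assumed (constructed) record layout: byte 0 holds the payload length,
 * bytes 1..len hold the payload. FIELD_CAP is the destination buffer size. */
#define FIELD_CAP 16

/* Constructed sample records. */
static const uint8_t good_rec[]  = { 3, 'k', 'e', 'y' };             /* well-formed */
static const uint8_t long_rec[]  = { 200, 'x', 'y' };                /* exceeds dst and record */
static const uint8_t short_rec[] = { 10, 'a', 'b' };                 /* fits dst, exceeds record */
static const uint8_t max_rec[]   = { 16, 'A','B','C','D','E','F','G','H',
                                         'I','J','K','L','M','N','O','P' }; /* exactly fills dst */

/* UNSAFE: trusts the attacker-controlled length byte. With long_rec this
 * writes 200 bytes into a 16-byte buffer (stack overflow) and reads 197
 * bytes past the end of the record. The C compiler and runtime stop neither. */
int copy_field_unsafe(char dst[FIELD_CAP], const uint8_t *rec, size_t reclen)
{
    (void)reclen;                 /* the bug: reclen is never consulted */
    size_t len = rec[0];
    memcpy(dst, rec + 1, len);
    return (int)len;
}

/* CHECKED: the same copy with both bounds enforced. Returns the payload
 * length, or -1 if the record is malformed. Dropping either check
 * reintroduces a memory-safety bug: the first guards the destination
 * (overflow), the second guards the source (over-read). */
int copy_field_checked(char dst[FIELD_CAP], const uint8_t *rec, size_t reclen)
{
    if (rec == NULL || reclen == 0)
        return -1;
    size_t len = rec[0];
    if (len > FIELD_CAP)          /* payload would not fit in dst */
        return -1;
    if (len > reclen - 1)         /* payload longer than the bytes actually present */
        return -1;
    memcpy(dst, rec + 1, len);
    return (int)len;
}

int main(void)
{
    char buf[FIELD_CAP];
    int n;

    n = copy_field_checked(buf, good_rec, sizeof good_rec);
    printf("good_rec:  %d byte(s): %.*s\n", n, n, buf);

    n = copy_field_checked(buf, max_rec, sizeof max_rec);
    printf("max_rec:   %d byte(s): %.*s\n", n, n, buf);

    n = copy_field_checked(buf, long_rec, sizeof long_rec);
    printf("long_rec:  %d (rejected: would overflow dst and over-read rec)\n", n);

    n = copy_field_checked(buf, short_rec, sizeof short_rec);
    printf("short_rec: %d (rejected: fits dst but over-reads rec)\n", n);

    /* copy_field_unsafe(buf, long_rec, sizeof long_rec) is deliberately not
     * called: it would corrupt the stack, which is exactly the defect at issue. */
    return 0;
}
```

The checked version needs two independent comparisons, one against the destination capacity and one against the bytes actually received, and each has its own off-by-one hazard (the `reclen - 1` for the length byte). A memory safe language performs the equivalent of both checks on every slice or array access by construction, which is the property the agencies are pointing at when they say training alone cannot make these bugs disappear.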
In light of this, the agencies recommend that organizations move away from C/C++ and adopt memory safe languages such as C#, Go, Java, Python, Rust, and Swift.
See the full document for details.