Experts Warn of Risks in Memory-Safe Programming Overhauls
They Say Rewriting Software Could Overwhelm Firms and Introduce New Vulnerabilities
Recent guidance published by the Office of the National Cyber Director recommends software manufacturers universally adopt memory-safe programming languages, but experts told Information Security Media Group that costly overhauls of existing software into memory-safe languages could pose new security risks.
The ONCD report points to dozens of memory-safe programming languages that technology manufacturers can use to design and build new products "from day one" and says that the transition to memory-safe programming languages "has a demonstrably positive effect on cybersecurity" across industries. By migrating high-impact legacy code to memory-safe programming languages, manufacturers "can significantly reduce the prevalence of memory safety vulnerabilities throughout the digital ecosystem," it says.
"For 35 years, memory-safety vulnerabilities have plagued the digital ecosystem," Anjana Rajan, assistant national cyber director for technology security, said in a statement. "It doesn't have to be this way."
Experts told ISMG that building new products with memory-safe programming languages is a critical step toward ensuring the security of software components. Memory-safety vulnerabilities can allow hackers, cybercriminals and foreign adversaries to gain unauthorized access to federal systems, they said. But the experts also warned that the challenge of migrating legacy code and information technology written in non-memory-safe languages could be too unrealistic and risky for most organizations to undertake.
"Strategically focusing on eradicating memory-corruption vulnerabilities is crucial, due to their prevalence," said Chris Wysopal, co-founder and chief technology officer of Veracode. "However, completely rewriting existing software in memory-safe languages is impractical, expensive and could introduce new vulnerabilities."
The report says experts have identified programming languages such as C and C++ in critical systems "that both lack traits associated with memory safety and also have high proliferation."
While most enterprise software and mobile apps are already written in memory-safe languages, developers still prioritize performance over security under some scenarios, according to Jeff Williams, co-founder and chief technology officer of the security firm Contrast Security.
"I'm disappointed that the White House is only focusing on one relatively small class of vulnerabilities and recommending a technique - changing languages - that requires full rewrites of everything, virtually guaranteeing that this is a dead letter," Williams told ISMG.
Rather than focusing on memory-safe programming languages alone, additional measures involving runtime security - memory protection, application sandboxing, and behavioral analysis, among others - could also yield major benefits for digital ecosystems, Williams said.
"I hope they expand their guidance to recommend runtime security and not just changing languages."
The report says manufacturers are currently exploring complementary approaches to implement memory safety through hardware and are testing new memory-tagging extensions to cross-check the validity of pointers to memory locations prior to use. The growing space technology sector increasingly relies on "secure by design" principles and digital automation to minimize the risk of human error, according to the report, which says, "The space ecosystem is not immune to memory safety vulnerabilities."
Chris Hughes, a cyber innovation fellow at the Cybersecurity and Infrastructure Security Agency and chief security adviser for Endor Labs, said the new recommendations "hold the potential to help eliminate systemic vulnerabilities impacting countless systems, applications and software around the world."
But Hughes also said that potential "comes at a cost of labor, time and more, and could detract from other goals such as growth and revenue, as well as delays in new features for existing consumers and customers of products."
ONCD is recommending that software manufacturers publish timely and comprehensive Common Vulnerabilities and Exposures data, including the Common Weakness Enumeration, to further reduce the security burden currently placed on end users. CISA's open-source software security road map, published in September, also urges manufacturers to use memory-safe programming languages.