[clug] ASD/ Five Eyes report on "Memory Safe" languages

steve jenkin sjenkin at canb.auug.org.au
Thu Dec 7 21:48:35 UTC 2023 

This is not going to stop C and other off-list tools being used in FOSS projects,
but might prompt efforts to address Known Problems like buffer over-runs and stack smashing.

You’ll note that All Your Favourite Multinationals get a Guernsey,
but half the languages on the list are FOSS.

A significant accomplishment IMHO.

At what point do you think the Fed Govt is going to mandate “memory safe” for new internal projects, then all software?

And when will that be extended, if ever, to systems & software purchased by FedGov?
I don’t know. [ When Microsoft announces they’re converting to ‘C#’? ]

I tried to look up the number of exploits in Winders vs The Rest and struck out. [ links below. Debian is #1 in their CVE catalog ]

This in the light of Britain declaring Russian interference in their 2019 General Election with two Russians being charged.
While ’spearphising’ is a social exploit, it can only install code that stays hidden if the platform has significant vulnerabilities.

	<https://abcnews.go.com/Technology/wireStory/uk-russias-intelligence-service-sustained-attempts-meddle-british-105451402>
	<https://www.bbc.com/news/uk-politics-67647548>

[ I loved the irony of the website using PHP, notorious for being exploited, but these guys will, hopefully, be diligent protecting against exploits ]

	Security Vulnerabilities in CISA KEV Catalog, sorted by EPSS (Exploit Probability Score)
		<https://www.cvedetails.com/cisa-known-exploited-vulnerabilities/kev-1.html>

	Top 50 Products By Total Number Of "Distinct" Vulnerabilities
		<https://www.cvedetails.com/top-50-products.php?year=0>

============

The Case for Memory Safe Roadmaps
	<https://www.cyber.gov.au/about-us/view-all-content/publications/case-memory-safe-roadmaps>

	Memory safety vulnerabilities are the most prevalent type of disclosed software vulnerability

	Modern industry reporting indicates defects first identified over 25 years ago 
	remain common vulnerabilities exploited by malicious actors today to routinely compromise applications and systems.[7] 
	Yet, according to modern industry reporting, these vulnerabilities remain common, 
	and malicious actors routinely exploit them to compromise applications and systems:

	    • About 70 percent of Microsoft common vulnerabilities and exposures (CVEs) are memory safety vulnerabilities (based on 2006-2018 CVEs).[8]
	    • About 70 percent of vulnerabilities identified in Google’s Chromium project are memory safety vulnerabilities.[9]
	    • In an analysis of Mozilla vulnerabilities, 32 of 34 critical/high bugs were memory safety vulnerabilities.[10]
	    • Based on analysis by Google’s Project Zero team, 67 percent of zero-day vulnerabilities in 2021 were memory safety vulnerabilities.[11]

Appendix: Memory Safe Languages

	C#
	Go
	Java
	Python
	Rust
	Swift

Purpose
	This guidance was developed by U.S., Australian, Canadian, UK, and New Zealand
	 cybersecurity authorities to further their respective cybersecurity missions,
	including their responsibilities to develop and issue cybersecurity specifications and mitigations.

============
--
Steve Jenkin, IT Systems and Design 
0412 786 915 (+61 412 786 915)
PO Box 38, Kippax ACT 2615, AUSTRALIA

mailto:sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin

More information about the linux mailing list