[clug] ASD/ Five Eyes report on "Memory Safe" languages

David C cottrill.david at gmail.com
Thu Dec 7 22:22:13 UTC 2023


There's a much more senior engineer at work who's about to get huge funding
to rewrite a Go tool in C# because it's "better for productivity" in a
theoretically security conscious organisation.
The tool in question is Terraform. Genius.

On Fri, 8 Dec 2023, 8:50 am steve jenkin via linux, <linux at lists.samba.org>
wrote:

> This is not going to stop C and other off-list tools being used in FOSS
> projects,
> but might prompt efforts to address Known Problems like buffer over-runs
> and stack smashing.
>
> You’ll note that All Your Favourite Multinationals get a Guernsey,
> but half the languages on the list are FOSS.
>
> A significant accomplishment IMHO.
>
> At what point do you think the Fed Govt is going to mandate “memory safe”
> for new internal projects, then all software?
>
> And when will that be extended, if ever, to systems & software purchased
> by FedGov?
> I don’t know. [ When Microsoft announces they’re converting to ‘C#’? ]
>
> I tried to look up the number of exploits in Winders vs The Rest and
> struck out. [ links below. Debian is #1 in their CVE catalog ]
>
> This in the light of Britain declaring Russian interference in their 2019
> General Election with two Russians being charged.
> While ‘spearphishing’ is a social exploit, it can only install code that
> stays hidden if the platform has significant vulnerabilities.
>
>         <https://abcnews.go.com/Technology/wireStory/uk-russias-intelligence-service-sustained-attempts-meddle-british-105451402>
>         <https://www.bbc.com/news/uk-politics-67647548>
>
> [ I loved the irony of the website using PHP, notorious for being
> exploited, but these guys will, hopefully, be diligent protecting against
> exploits ]
>
>         Security Vulnerabilities in CISA KEV Catalog, sorted by EPSS
> (Exploit Probability Score)
>                 <https://www.cvedetails.com/cisa-known-exploited-vulnerabilities/kev-1.html>
>
>         Top 50 Products By Total Number Of "Distinct" Vulnerabilities
>                 <https://www.cvedetails.com/top-50-products.php?year=0>
>
> ============
>
> The Case for Memory Safe Roadmaps
>         <https://www.cyber.gov.au/about-us/view-all-content/publications/case-memory-safe-roadmaps>
>
>         Memory safety vulnerabilities are the most prevalent type of
> disclosed software vulnerability
>
>         Modern industry reporting indicates defects first identified over
> 25 years ago
>         remain common vulnerabilities exploited by malicious actors today
> to routinely compromise applications and systems.[7]
>         Yet, according to modern industry reporting, these vulnerabilities
> remain common,
>         and malicious actors routinely exploit them to compromise
> applications and systems:
>
>             • About 70 percent of Microsoft common vulnerabilities and
> exposures (CVEs) are memory safety vulnerabilities (based on 2006-2018
> CVEs).[8]
>             • About 70 percent of vulnerabilities identified in Google’s
> Chromium project are memory safety vulnerabilities.[9]
>             • In an analysis of Mozilla vulnerabilities, 32 of 34
> critical/high bugs were memory safety vulnerabilities.[10]
>             • Based on analysis by Google’s Project Zero team, 67 percent
> of zero-day vulnerabilities in 2021 were memory safety vulnerabilities.[11]
>
> Appendix: Memory Safe Languages
>
>         C#
>         Go
>         Java
>         Python
>         Rust
>         Swift
>
> Purpose
>         This guidance was developed by U.S., Australian, Canadian, UK, and
>         New Zealand cybersecurity authorities to further their respective
>         cybersecurity missions, including their responsibilities to develop
>         and issue cybersecurity specifications and mitigations.
>
> ============
> --
> Steve Jenkin, IT Systems and Design
> 0412 786 915 (+61 412 786 915)
> PO Box 38, Kippax ACT 2615, AUSTRALIA
>
> mailto:sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin
>
>
> --
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux
>

