[clug] ASD/ Five Eyes report on "Memory Safe" languages

Brenton Ross rossb at fwi.net.au
Fri Dec 8 11:16:40 UTC 2023


I suppose the good news is that C# and Java seem to be the most popular
languages for new business applications, and Python seems popular in
the academic and engineering fields.

For my favourite, C++, it can be easily used in a memory safe manner. I
think it's steadily getting better in this regard.

The area of concern is where memory and CPU power are in short supply,
which leads to C code (or assembler). It's all very well creating robust
applications for servers and desktops but having your network
compromised by a smart light bulb.

Brenton

On Fri, 2023-12-08 at 08:48 +1100, steve jenkin via linux wrote:
> This is not going to stop C and other off-list tools being used in
> FOSS projects,
> but might prompt efforts to address Known Problems like buffer overruns
> and stack smashing.
> 
> You’ll note that All Your Favourite Multinationals get a Guernsey,
> but half the languages on the list are FOSS.
> 
> A significant accomplishment IMHO.
> 
> At what point do you think the Fed Govt is going to mandate “memory
> safe” for new internal projects, then all software?
> 
> And when will that be extended, if ever, to systems & software
> purchased by FedGov?
> I don’t know. [ When Microsoft announces they’re converting to ‘C#’? ]
> 
> I tried to look up the number of exploits in Winders vs The Rest and
> struck out. [ links below. Debian is #1 in their CVE catalog ]
> 
> This in the light of Britain declaring Russian interference in their
> 2019 General Election with two Russians being charged.
> While ’spearphishing’ is a social exploit, it can only install code
> that stays hidden if the platform has significant vulnerabilities.
> 
> 	<https://abcnews.go.com/Technology/wireStory/uk-russias-intelligence-service-sustained-attempts-meddle-british-105451402>
> 	<https://www.bbc.com/news/uk-politics-67647548>
> 
> [ I loved the irony of the website using PHP, notorious for being
> exploited, but these guys will, hopefully, be diligent protecting
> against exploits ]
> 
> 	Security Vulnerabilities in CISA KEV Catalog, sorted by EPSS (Exploit Probability Score)
> 		<https://www.cvedetails.com/cisa-known-exploited-vulnerabilities/kev-1.html>
> 
> 	Top 50 Products By Total Number Of "Distinct" Vulnerabilities
> 		<https://www.cvedetails.com/top-50-products.php?year=0>
> 
> ============
> 
> The Case for Memory Safe Roadmaps
> 	<https://www.cyber.gov.au/about-us/view-all-content/publications/case-memory-safe-roadmaps>
> 
> 	Memory safety vulnerabilities are the most prevalent type of disclosed software vulnerability
> 
> 	Modern industry reporting indicates defects first identified over 25 years ago
> 	remain common vulnerabilities exploited by malicious actors today to routinely compromise applications and systems.[7]
> 	Yet, according to modern industry reporting, these vulnerabilities remain common,
> 	and malicious actors routinely exploit them to compromise applications and systems:
> 
> 	    • About 70 percent of Microsoft common vulnerabilities and exposures (CVEs) are memory safety vulnerabilities (based on 2006-2018 CVEs).[8]
> 	    • About 70 percent of vulnerabilities identified in Google’s Chromium project are memory safety vulnerabilities.[9]
> 	    • In an analysis of Mozilla vulnerabilities, 32 of 34 critical/high bugs were memory safety vulnerabilities.[10]
> 	    • Based on analysis by Google’s Project Zero team, 67 percent of zero-day vulnerabilities in 2021 were memory safety vulnerabilities.[11]
> 
> Appendix: Memory Safe Languages
> 
> 	C#
> 	Go
> 	Java
> 	Python
> 	Rust
> 	Swift
> 
> Purpose
> 	This guidance was developed by U.S., Australian, Canadian, UK, and New Zealand
> 	cybersecurity authorities to further their respective cybersecurity missions,
> 	including their responsibilities to develop and issue cybersecurity specifications and mitigations.
> 
> ============
> --
> Steve Jenkin, IT Systems and Design 
> 0412 786 915 (+61 412 786 915)
> PO Box 38, Kippax ACT 2615, AUSTRALIA
> 
> mailto:sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin
> 
> 
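Brenton's remark that C++ can be used in a memory safe manner, and Steve's mention of buffer overruns, illustrated with a small added example (my code, not from either post and not from the ASD report): the raw C copy idiom that produces overruns is shown next to the C++ form where the buffer and the input both carry their sizes, so a copy that does not fit is refused and an out-of-range index raises an exception instead of touching neighbouring memory. The names `unchecked_copy`, `checked_copy`, `safe_byte_at`, `Buffer` and `kBufSize` are mine.

```cpp
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstring>
#include <stdexcept>
#include <string>
#include <string_view>

// The C idiom behind most "buffer overrun" findings: the destination size is
// never compared with the source length, so a source of 16 or more bytes
// writes past the end of buf. Kept for contrast only; nothing below calls it.
std::size_t unchecked_copy(const char* src) {
    char buf[16];
    std::strcpy(buf, src);          // no bounds check at all
    return std::strlen(buf);
}

// Fixed-size buffer that knows its own size (hypothetical names).
constexpr std::size_t kBufSize = 16;
using Buffer = std::array<char, kBufSize>;

// Same copy with the sizes made explicit: std::string_view carries the source
// length and std::array the destination size, so the copy either fits (with
// room for the terminating NUL) or is refused without modifying dst.
bool checked_copy(std::string_view src, Buffer& dst) {
    if (src.size() >= dst.size()) {
        return false;               // would overrun: refuse, dst untouched
    }
    std::copy(src.begin(), src.end(), dst.begin());
    dst[src.size()] = '\0';
    return true;
}

// Reading through .at() turns an out-of-range index into std::out_of_range
// instead of a silent read of whatever sits next to the buffer.
// Returns the byte value (0..255), or -1 when the index is outside the buffer.
int safe_byte_at(const Buffer& buf, std::size_t i) {
    try {
        return static_cast<unsigned char>(buf.at(i));
    } catch (const std::out_of_range&) {
        return -1;
    }
}

int main() {
    Buffer buf{};
    bool ok_short = checked_copy("hello", buf);               // fits: true
    bool ok_long  = checked_copy(std::string(40, 'A'), buf);  // refused: false
    int inside    = safe_byte_at(buf, 0);                     // 'h'
    int outside   = safe_byte_at(buf, kBufSize);              // -1, no UB
    return (ok_short && !ok_long && inside == 'h' && outside == -1) ? 0 : 1;
}
```

The point is not that C++ is safe by default (the first function compiles just as happily in C++), but that its standard containers let the size travel with the data, so the check Brenton's "memory safe manner" relies on is a one-line comparison rather than something the caller has to remember.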
