The Federal Government is Moving on Memory Safety for Cybersecurity

The massive appropriations bill Congress passed Friday included a Christmas present for advocates of using memory-safe coding languages to stem a significant majority of the software vulnerabilities exploited by cyber adversaries. 

“For the first time ever, Congress has included memory safety in a law, requiring the National Cyber Director to study memory safety in the government,” security researcher Jack Cable tweeted Tuesday. “The omnibus is expected to pass this week. Proud to have worked on this provision while in the Senate!”

The actual language in the snippet of the bill Cable tweeted out is a little more measured, saying the cyber director is “encouraged,” not “required,” to study and report on the issue, and leadership at the Office of the National Cyber Director is currently in flux. But other parts of the administration—the National Security Agency and the Cybersecurity and Infrastructure Security Agency—have also been paying closer attention to the impact of coding languages which don’t automatically check and control software developers’ management of memory.

“About two-thirds of the vulnerabilities that we see year after year, decade after decade,” are associated with memory management issues, CISA Senior Technical Advisor Bob Lord said during a Dec. 6 meeting of the agency’s Cybersecurity Advisory Committee.

And in a November information sheet, the NSA said: “Exploiting poor or careless memory management can allow a malicious cyber actor to perform nefarious acts, such as crashing the program at will or changing the instructions of the executing program to do whatever the actor desires.” 

“How a software program manages memory is core to preventing many vulnerabilities and ensuring a program is robust,” the agency said, recommending the use of memory safe languages when possible.

Examples of memory safe languages include Javascript, Ruby, Python and others. Unlike the more commonly used memory unsafe languages like C and C++, they can “provide considerable protections by controlling how memory is allocated, accessed, and managed,” the NSA said. 

There are tradeoffs, of course. Going through the checks inherently built into memory safe languages can be time- and resource-heavy. 

“For languages with an extreme level of inherent protection, considerable work may be needed to simply get the program to compile due to the checks and protections,” the NSA said. “Memory safety can be costly in performance and flexibility.”

But manually reviewing code for memory management mistakes can also be time- and labor-intensive, and the cost could include dealing with the fallout from a successful cyberattack.

During the Dec. 6 meeting, CISA Director Jen Easterly stressed the importance of companies making technology that is “secure by design,” which she said will require “continuing to call for that radical transparency on how software companies are building products that are in fact secure by design.”

In addition to encouraging developers to switch to memory safe programming languages, the NSA document lists specific tools that can be used to test applications for the kinds of memory-mismanagement mistakes adversaries can exploit. 

Especially considering developers’ continued reliance on software libraries that have already been coded in memory unsafe languages and workforce expertise that would be needed in both kinds of languages, the NSA acknowledged making the switch would not be a simple undertaking.

“The good news,” said Lord, “is there are new programming languages that are memory safe, and there's some other technologies and hardware and other elements that are coming down the road, so there is a solution in hand. We need to raise awareness that this is the time for organizations to take action.”