White House urges software developers to use memory-safe programming languages

mesh cube/Getty Images

A number of headline-making cyberattacks started with memory safety flaws, a White House cyber official said.

The White House is pushing hardware and software makers to build their products using programming languages with internally-engineered guardrails that prevent hackers from peering into the inner workings of sensitive systems, according to a report out Monday.  

The technical analysis from the White House’s Office of the National Cyber Director focuses on stopping hackers from exploiting vulnerabilities in programming languages that are not memory safe. It says that manufacturers are best positioned to do so because the foundational elements of cyberattacks are often connected to flaws in programming languages.

Certain programming tools do not internally manage memory, which contains the data and storage that makes up an application’s contents. If not managed, that data may spill over into other spaces, opening it up to exposure from hackers that can access or corrupt parts of the compromised application, leaving it open for exploitation or data theft.

Memory safety is a property of certain programming languages that allocate memory automatically, helping to prevent human errors that enable memory-linked hacks. Those languages — which include C#, Go, Java, Python, Rust and Swift — were recommended to software developers in a December advisory from the U.S. and its Five Eyes intelligence partners.

“Some of the most infamous cyber events in history — the Morris worm of 1988, the Slammer worm of 2003, the Heartbleed vulnerability in 2014, the Trident exploit of 2016, the Blastpass exploit of 2023 — were headline-grabbing cyberattacks that caused real-world damage to the systems that society relies on every day. Underlying all of them is a common root cause: memory safety vulnerabilities,” said Anjana Rajan, assistant national cyber director for technology security, in a written statement.

The guidance was previewed at a Washington, D.C.-area industry event earlier this month by National Cyber Director Harry Coker, who said at the time that, despite long-existing memory safety flaws, developers have been slow to remedy them.

Using a memory-safe language might not be feasible in some instances, but such programs are “a scalable method to substantially improve software security,” ONCD said Monday.

The White House is also encouraging the research community to think about software metrology, which focuses on the science behind software development assessments. Improved measurability techniques would better allow developers to detect software vulnerabilities earlier and patch them faster, ONCD said.