Half of critical open source projects contain memory-unsafe code, U.S. cyber agency says


The findings come after recent attempts to hijack major open-source tools.

Over half of critical open source tools are underpinned by code that does not internally manage memory spillover risks, opening them up to potential exploitation by hackers, according to findings released by the Cybersecurity and Infrastructure Security Agency on Wednesday.

The agency estimates that 52% of 172 projects listed by the influential Open Source Security Foundation contain code written in languages that are memory-unsafe. And 55% of the total lines of code for all the projects were written in a memory-unsafe language, adds the paper, which includes signatories from Australia’s and Canada’s cyber directorates.

Certain computer programming languages do not internally manage memory, which contains the data and storage that makes up an application’s contents. If not managed, that data may spill over into other spaces, leaving it open for exploitation or theft by hackers that can access parts of the compromised application.

Memory safety is a property of some programming tools that allocate memory automatically, helping to prevent human errors that open up software to memory-linked hacks. CISA and other U.S. cyber authorities have been pushing developers to solely use memory-safe code, though a paradigm shift would be a major undertaking for organizations that have propped up their systems on varied code types.

Each of the 10 largest open-source projects had at least a quarter of their underlying code backed by memory-unsafe languages, the report added. 

The findings come after recent intrusion attempts into open-source tooling, which can be particularly risky because such applications are free to download and often make up large parts of IT stacks used by government agencies and the private sector. 

The projects rely on contributions from community members to keep them updated with patches. The updates are discussed on forums with volunteer software maintainers, who chat with one another about proposed changes. 

But traditional community practices have relied on the assumption that all contributors are well-meaning. That notion was challenged in late February when a user dubbed “Jia Tan” tried to quietly plant a backdoor into XZ Utils, a file transfer tool used in several Linux builds that power software in companies like Snapchat, Robinhood and Instacart.

OpenSSF unveiled a mailing list last month to help contributors and end users alert each other about open-source project vulnerabilities being exploited by hackers.