June 27, 2024 at 10:04AM
Government agencies in the US, Australia, and Canada have drawn attention to memory safety issues in open source software (OSS) code. They stress that the majority of OSS projects use code written in a memory-unsafe language, exposing organizations and users to attacks. The analysis also revealed vulnerabilities in projects written in memory-safe languages due to dependencies. The agencies recommend considering memory-safe languages for new projects and transitioning existing ones to improve security.
From the meeting notes, it is clear that government agencies in the US, Australia, and Canada are focusing on memory safety issues in open source software (OSS) code. They warn that the majority of projects utilize code written in memory-unsafe languages, leading to vulnerabilities that expose organizations and users to potential attacks.
The joint guidance document, titled “Exploring Memory Safety in Critical Open Source Projects,” highlights that over 50% of the analyzed projects contain code written in memory-unsafe languages, accounting for 55% of the total lines of code. Even projects fully written in memory-safe languages are not risk-free, as they depend on components written in memory-unsafe languages.
The guidance emphasizes that exploits of memory-safety vulnerabilities such as buffer overflows and use-after-free bugs can enable adversaries to take control of software, systems, and data. It also points out that critical open source projects inherit code written in memory-unsafe languages through their dependencies, which makes a complete dependency analysis challenging.
Additionally, the agencies recommend transitioning existing projects to memory-safe languages and encouraging new projects to consider using them. They note that recent advancements allow memory-safe programming languages, such as Rust, to match the performance of memory-unsafe languages.
It’s essential for organizations and software makers to take into consideration the guidance provided by the government agencies in order to address memory safety issues and enhance the security of open source software projects.