September 25, 2024 at 03:34PM
The share of Android vulnerabilities caused by memory safety issues fell from 76% in 2019 to 24% in 2024, a shift that highlights Google’s adoption of memory-safe languages like Rust. The strategy prioritizes writing new code in memory-safe languages while retaining older code with minimal changes focused on security fixes. Google emphasizes proactive prevention over reactive fixes, aiming for long-term assurance.
From the meeting notes, it is clear that Google has made significant progress in improving the memory safety of the Android platform. The percentage of Android vulnerabilities caused by memory safety issues has decreased dramatically, from 76% in 2019 to only 24% in 2024, a relative decrease of over 68% in five years.
This improvement was achieved through a strategic approach that prioritized writing new code in memory-safe languages like Rust, while maintaining and securing older code with minimal changes focused on important security fixes rather than extensive rewrites. Google’s report highlighted the importance of making interoperability safe and convenient as a primary capability in their memory safety journey.
The meeting notes also discuss the four main stages that the industry, including Google, has gone through in dealing with memory safety flaws: reactive patching, proactive mitigations, proactive vulnerability discovery, and high-assurance prevention (Safe Coding). The latest approach emphasizes preventing vulnerabilities at the source by using memory-safe languages like Rust, providing scalable and long-term assurance.
Furthermore, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned about the security risks associated with memory-unsafe languages and recommended that software developers write new code in memory-safe languages such as Rust, Java, and Go, and transition existing projects, especially critical components, to those languages.
In summary, the meeting notes highlight Google’s successful efforts in improving memory safety in the Android platform, as well as the industry’s shift towards using memory-safe languages to mitigate security risks.