Best of 2024: Out With C and C++, in With Memory Safety


Crash-level bugs continue to pose a significant challenge due to the lack of memory safety in programming languages, an issue persisting since the punch card era. This enduring problem, described as "the Joker to the Batman" by Anil Dash, VP of developer experience at Fastly, is highlighted in a recent episode of The New Stack Makers.

With crash-level bugs, the significant gap in protection often comes from a lack of memory safety in programming languages. It has been that way since the age of punch cards emerged 75 years ago.

It’s a top 10, even arguably a top five issue.

“It is still our nemesis; it is like the Joker to the Batman,” said Anil Dash in this week’s episode of The New Stack Makers.

Dash, the vice president of developer experience at Fastly, joined this episode of Makers to talk about the White House and its big-time focus on memory safety and why, in February, the Biden Administration called for the adoption of memory-safe programming languages and better software measurability.

Here’s how the Office of the National Cyber Director (ONCD) summarized the issues with memory safety, in particular C and C++:

“Memory safety vulnerabilities are a class of vulnerabilities affecting how memory can be accessed, written, allocated, or deallocated in unintended ways. Experts have identified a few programming languages, such as C and C++, that both lack traits associated with memory safety and also have high proliferation across critical systems.

“Choosing to use memory-safe programming languages from the outset, as recommended by the Cybersecurity and Infrastructure Security Agency’s (CISA) Open-Source Software Security Roadmap, is one example of developing software in a secure-by-design manner.”

High Stakes for Reliability

What’s different today compared to even 10 or 20 years ago? Programming languages can be isolated using technologies such as WebAssembly. But we know that memory safety is essential. Java, C#, and Rust are all examples of memory-safe languages. But it takes policy for us all to solve big problems.

The stakes are different for the U.S. government. Federal officials and regulators have to think about software for everyone and the cost of failure if, for example, it involves a rocket in space. So, memory safety becomes paramount. However, they also know enterprises must update and move off legacy environments as a matter of national importance.

The discussion of space exploration shows how the government considers memory safety. Reliability is the utmost concern in an enterprise, but it becomes exponentially more important in space.

“And it’s hard to explain because, on the ground, we think two or three or five nines is a lot,” Dash said. “Right? And when you get to space, it’s 13 or 15 nines that need to be the reliability standard.”

But it’s also about resilience and predictability.

“We have missions still active, right, that are decades old, you know, 30 plus years. So that’s why you start to care about what sounds esoteric like memory safety. Any cause of bugs that endanger a mission that might run after the people creating it are still alive. That’s a different lift.”

Check out the whole episode for a deeper dive into the topic of memory safety and programming languages.

The post Best of 2024: Out With C and C++, in With Memory Safety appeared first on The New Stack.