
CISA joint guidance warns of memory safety vulnerabilities in open source projects – Business



A new joint guidance released by the U.S. Cybersecurity and Infrastructure Security Agency and partners is warning of the widespread and costly prevalence of memory safety vulnerabilities in critical open-source projects and an urgent need for software manufacturers to adopt memory-safe programming practices.

The Exploring Memory Safety in Critical Open Source Projects guidance, created by CISA in partnership with the Federal Bureau of Investigation, Australian Signals Directorate’s Australian Cyber Security Centre and the Canadian Centre for Cyber Security, found that over half of the analyzed critical open-source projects contain code written in memory-unsafe languages. In simpler terms, the software includes code written in languages that require the programmer to manage memory manually, increasing the risk of errors that can lead to security vulnerabilities.

The guidance report reveals that 52% of analyzed critical open-source projects contain code written in memory-unsafe languages, accounting for 55% of the total lines of code across these projects. Among the biggest and most popular projects, memory-unsafe code is even more pronounced, with the top ten largest projects by lines of code found to have a median of 62.5% of their code written in memory-unsafe languages, with four projects exceeding 94% in their use of such languages.

A dependency analysis also showed that projects written in memory-safe languages often rely on components written in memory-unsafe languages, highlighting the pervasive nature of memory safety vulnerabilities. For example, dependency analysis of some projects revealed that seemingly secure projects often incorporate modules written in unsafe languages for functionalities like cryptography and system interfaces, causing them to inherit potential vulnerabilities.
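As an added illustration (not part of the report or this article), the following Python sketches how the two findings above, a project's share of lines written in memory-unsafe languages and unsafe code inherited through dependencies, can be estimated from per-file line counts. The extension-based language mapping and the sample project inventories are constructed assumptions, not the report's data or method.

```python
from collections import Counter
from pathlib import PurePosixPath

# Extension-based classification (an assumption; the report does not publish
# its exact language mapping). Header files are counted as C/C++ here.
MEMORY_UNSAFE_EXT = {".c", ".h", ".cc", ".cpp", ".cxx", ".hpp", ".s", ".asm"}
MEMORY_SAFE_EXT = {".rs", ".go", ".py", ".java", ".js", ".ts", ".cs", ".rb"}


def classify(path: str) -> "str | None":
    """Return 'unsafe', 'safe', or None for non-source files (docs, build data)."""
    suffix = PurePosixPath(path).suffix.lower()
    if suffix in MEMORY_UNSAFE_EXT:
        return "unsafe"
    if suffix in MEMORY_SAFE_EXT:
        return "safe"
    return None


def unsafe_share(loc_by_file: dict) -> float:
    """Percent of counted source lines written in memory-unsafe languages."""
    totals = Counter()
    for path, loc in loc_by_file.items():
        kind = classify(path)
        if kind is not None:
            totals[kind] += loc
    counted = totals["safe"] + totals["unsafe"]
    return round(100.0 * totals["unsafe"] / counted, 1) if counted else 0.0


def inherits_unsafe_code(project: dict, deps: dict) -> list:
    """Dependencies that pull memory-unsafe code into a project whose own
    source is entirely memory-safe: the inherited-risk pattern the report flags."""
    if unsafe_share(project) > 0.0:
        return []  # the project already carries unsafe code directly
    return sorted(name for name, files in deps.items() if unsafe_share(files) > 0.0)


# Constructed sample inventories (file path -> lines of code), not real projects.
SAFE_APP = {"src/main.rs": 800, "src/lib.rs": 1200, "README.md": 40}
DEPS = {
    "tls-bindings": {"src/lib.rs": 300, "vendor/tls.c": 4500, "vendor/tls.h": 200},
    "json-parser": {"src/parse.rs": 900},
}

if __name__ == "__main__":
    print(f"app's own unsafe share: {unsafe_share(SAFE_APP)}%")
    print("unsafe code inherited via:", inherits_unsafe_code(SAFE_APP, DEPS))
```

On the sample data the Rust-only application reports a 0% unsafe share of its own code but inherits a dependency that is 94% C, which is exactly the situation the dependency analysis describes.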

The guidance notes a critical need for a shift towards memory-safe programming languages, such as Rust, that manage memory allocation and use at the compiler level, significantly reducing the opportunities for human error. It recommends that companies and other users of open-source code exposed to memory-unsafe code transition existing projects to, and initiate new projects in, memory-safe languages to enhance software security.

CISA and the co-authors also call for continued research and collaborative efforts to better understand and mitigate memory safety risks.

“We encourage others to build on this analysis to further expand our collective understanding of memory-unsafety risk in OSS, evaluate approaches – such as targeted rewrites of critical components in memory-safe languages – to reducing this risk and to continue efforts to drive risk-reducing action by software manufacturers,” the guidance concludes.

Discussing the guidance, Chris Hughes, chief security advisor at software supply chain security solutions provider Endor Labs Inc. and Cyber Innovation Fellow at CISA, told SiliconANGLE that the “findings are not surprising because of the long-standing use and pervasiveness of memory unsafe languages in the software development ecosystem.”

“To reduce risks, organizations need to thoroughly understand their OSS consumption as part of a broader software asset inventory,” Hughes explained. “Furthermore, organizations should understand the classes of vulnerabilities and how they are categorized, and make efforts to shift internally to memory-safe languages and adopt secure coding practices. They can also ask for transparency from their software suppliers to understand the risks in the software and products they consume when it comes to OSS.”

Image: SiliconANGLE/Dall-E 3

