White House Urges Switching to Memory-Safe Languages

The Office of the National Cyber Director's latest technical report has urged developers to shift to using memory-safe programming languages in a bid to reduce the number of memory-safety vulnerabilities in software.

"For thirty-five years, memory safety vulnerabilities have plagued the digital ecosystem, but it doesn’t have to be this way," said Anjana Rajan, Assistant National Cyber Director for Technology Security, in a statement. The report is intended to help engineers make the architecture and design decisions about the software building blocks they use.

Use of memory-safe programming languages has long been touted as a way to prevent memory-safety attacks, such as buffer overflows, in applications. Techniques such as Data Execution Protection (DEP) and Address-Space Layout Randomization (ASLR) make it harder for adversaries to carry out memory-safety attacks. There are safe string-handling libraries that developers should use to prevent memory issues in their code. There are also multiple projects with the aim to rewrite widely used libraries using languages such as Rust.

The fact that these attacks are still prevalent underscores the challenge of rewriting code. Considering that Java and .NET provide memory safety, many enterprise software and mobile apps are already written in memory-safe languages. The hard part is making changes to existing non-Java and non-.NET software systems, which are not currently memory safe, especially since they tend to be deeply entrenched in the infrastructure. The effort to remove them for a memory-safe alternative would be "non-trivial," according to Tim Wade, deputy chief technology officer at Vectra AI. One option would be to prioritize buying software written in a memory-safe language going forward, rather than trying to replace existing systems.

"We're doing this because available data on common vulnerabilities and exposures identify it as one of the most pervasive class of bugs for decades. It is clear that the creators of software and of hardware are best positioned to address this problem," National Cyber Director Harry Coker said on a call with reporters. "Not all programming languages are created equal, and some are inherently more unsafe."