Google: After using Rust, the number of memory safety vulnerabilities in Android system dropped significantly

[CSDN editor’s note] What is your most commonly used development language? Software companies and the National Security Agency are urging developers to move to memory-safe programming languages ​​to eliminate a major source of high-severity flaws, Robert Lemos, a freelance IT security writer, said in a recent article.

Original link: https://ift.tt/IGirjZ0

Translator |

Produced | CSDN (ID: CSDNnews)

Software security experts recently said that the software industry is researching and making progress against a harmful set of vulnerabilities that allow the vast majority of critical and remotely exploitable insanity attacks.

This class of so-called memory safety issues, including buffer overflows and use-after-free errors, accounts for the majority of application security issues disclosed by software companies. Currently, the latest data show that the increasing use of memory-safe languages ​​such as Java, C#, and most recently Rust has led to a rapid decline in the entire class of vulnerabilities.

For example, Google revealed that the latest version of the Android operating system has more new code written in memory-safe programming languages ​​such as Java, Rust, and Kotlin than code written in memory-unsafe languages ​​​​such as C and C++. Vulnerabilities fell from 223 to 85.

Jeffrey Vander Stoep, a software engineer at Google, said: “We will continue to focus on eliminating bugs of all types, focusing on the most severe ones. As memory safety bugs become fewer and fewer, we expect the research community to focus its vulnerability discovery efforts on other loopholes.”

Percentage of Memory Security Vulnerabilities

C and C++ have been the workhorse programming languages ​​of the software industry for decades. However, they lack the memory protections of more modern languages ​​such as C#, Go, Java, Python, Ruby, Rust, and Swift. According to application security firm Veracode’s State of Software Security Volume 11 report, 59 percent of C++ applications are critically flawed, compared with 9 percent for JavaScript and 10 percent for Python.

Buffer overflows and worms

Programmers can easily write buggy code, and this has become a major problem for large software companies. For example, Microsoft found that memory safety issues accounted for 70 percent of vulnerabilities found in the company’s software until 2018. Overall, memory safety issues account for 60%-70% of all vulnerabilities in various ecosystems, according to a 2020 study by software resilience engineer Alex Gaynor.

Veracode CTO Chris Wysopal said that these vulnerabilities are easily exploited to attack applications, so they are the root cause behind a large number of intrusions: “Memory corruption issues are among the most serious flaws because they often allow attackers to exploit code to take full control of the application, and in the worst case, even create worms that can exploit other vulnerabilities.”

Google noted in its recent blog post that while memory safety bugs account for only 36 percent of Android development, they account for 86 percent of critical security bugs and 89 percent of remotely exploitable issues.

switch to safe language

For this reason, Google and others are urging developers to adopt memory-safe languages.

As far as Google is concerned, C and C++ now account for less than half of all new code. In fact, the latest version of Android 13 is the first to write most of its code in a memory-safe language. For many developers, Rust has replaced C and C++—Rust is an efficient programming language focused on creating safe code, and even the National Security Agency is urging companies to adopt memory-safe programming languages.

However, converting a memory-safe language is not enough. While these languages ​​greatly reduce the chances of a programmer writing unsafe code, each language has a different level of protection. For this reason, the NSA also recommends that developers use a variety of application security tools, from compiler options to static scanners to runtime analysis, to harden applications as much as possible.

“Software analysis tools can detect memory management problems, and operating environment options can provide some protection, but the inherent protection provided by memory-safe software languages ​​prevents or mitigates most memory management problems,” the NSA said in the report.

Separately, Veracode’s Wysopal noted: “While memory-safe programming languages ​​are not a stand-alone solution to the problem of software vulnerabilities, they provide developers with guidance by which they can avoid some of the worst programming mistakes.”

Currently, it is difficult to generalize and explain the low number of vulnerabilities in memory-safe languages ​​because they are used differently. But if you use two different languages ​​to accomplish the same task, and one of them is memory-safe, then it will generally have fewer and less severe vulnerabilities.

The text and pictures in this article are from CSDN