Les Bell

The US Cybersecurity & Infrastructure Security Agency is continuing its campaign for software that is secure by design by releasing a new guide aimed at both developers and their C-suites. While developers using systems programming languages like C, C++ and - most of all - assembler are aware of the problems associated with memory management in those languages, fixing those problems has seemed to be an intractable problem.

We've come up with a range of controls to mitigate memory vulnerabilities, from programmer education through code analysis tools to runtime techniques such as stack offset randomization - and yet memory problems remain with us: just last year, Google reported that use-after-free errors accounted for half of the exploitable bugs in the Chrome browser, while about 70 percent of Microsoft CVE's (over the 2006-2018 timeframe) were memory safety vuln's.

Clearly, many of these techniques are not being applied; either they are seen as speed bumps which will slow development and delay product release, or there is no budget, or they are simply overlooked. The most sure-fire way to achieve memory safety is to switch to the use of modern, memory-safe languages such as Go and Rust, but that is an even greater hurdle, requiring programmer retraining, re-tooling and sourcing new libraries and subsystems. This cannot be achieved without senior management backing, which is why CISA's new guide, The Case for Memory Safe Roadmaps: Why Both C-Suite Executives and Technical Experts Need to Take Memory Safe Coding Seriously, is intended for the C-suite as well as developers.

The 23-page guide, which was jointly developed with international partners, provides a comprehensive overview of both current and emerging memory safety techniques, including

• Developer training
• Code coverage
• Secure coding guidelines
• Fuzzing
• SAST/DAST
• Safer language subsets
• Non-executable memory
• Control flow integrity
• Address Space Layout Randomization
• Other compiler mitigations
• Sandboxing
• Hardening memory allocators
• Hardware-based mitigation techniques

It then turns to the case for memory-safe languages, and lays out a strategy for planning the transition to such languages, from language selection through managing staff capabilities and resourcing. It also delves into related issues, such as the requirement for tertiary education in computer science to be updated, and the special considerations for operational technology, low-power and IoT systems.

The Case for Roadmaps

The goal is for software publishers to write and publish their memory safety roadmaps, in line with the secure by design principles of (1) taking ownership of their security outcomes, (2) adopting radical transparency, and (3) taking a top-down approach to developing secure products. Such a roadmap should include:

• Defined phases with dates and outcomes
• A date after which all code will be written solely in a memory-safe language
• Internal developer training and integration plan
• A plan to handle dependencies on libraries - many of them open-source - which are written in C and C++
• A plan to ensure transparency via regular public updates
• A CVE support program plan, with reports that provide detail about coding errors

This is going to require buy-in from senior management and even boards. But this shouldn't be a problem: the widespread publicity associated with breaches attributable to vulnerable software products can be highly damaging. Most security professionals can rattle off a list of brands which have suffered reputation damage in recent months, let alone over the years.

The guide also provides a list of external resources and a brief overview of the major memory-safe languages

CISA, The Case for Memory Safe Roadmaps: Why Both C-Suite Executives and Technical Experts Need to Take Memory Safe Coding Seriously, technical report, 6 December 2023. Available online at https://www.cisa.gov/resources-tools/resources/case-memory-safe-roadmaps.

Upcoming Courses

• SE221 CISSP Fast Track Review, Sydney, 11 - 15 March 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 May 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 17 - 21 June 2024
• SE221 CISSP Fast Track Review, Sydney, 22 - 26 July 2024

About this Blog

I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.