Inside Google’s “promising and pragmatic” approach to fixing software development’s memory safety problem
As the transition toward memory-safe languages continues, Google says it’s vital to make unsafe languages as secure as possible in the meantime


Google has reaffirmed its commitment to bolstering the security of memory unsafe codebases, acknowledging the transition toward memory safety will be a gradual one.
In a recent security blog post, Google outlined its two-pronged approach to advancing memory safety. This comprises advocating for the wider adoption of memory safe languages like Rust or Python while also not abandoning those using memory unsafe languages like C and C++.
The post begins by restating that error-prone interactions between software and memory are widely understood to pose a significant weak point attackers can exploit. According to Google, 70% of severe vulnerabilities in memory unsafe codebases are the result of memory safety bugs, which threat actors look to exploit in the wild.
In 2023, Google’s threat intelligence arm found the number of this type of vulnerability being exploited in the wild was close to an all-time high. Based on its internal analysis, Google estimated that 75% of CVEs used in zero-day exploits are memory-safety vulnerabilities.
Assessing how far the company has come in its journey towards eliminating these weaknesses, Google said memory safe languages comprise a large portion of its code, but some of the company's code used for high-performance demands is still written in C++.
The blog acknowledged that legacy code written in memory unsafe languages cannot be replaced immediately, and as a result, there needs to be a continued effort to make these programming languages as robust as possible while they are still in use in critical systems.
"Given the amount of C++ code we use, we anticipate a residual amount of mature and stable memory-unsafe code will remain for the foreseeable future," Google stated.
Google’s ‘pragmatic approach’ acknowledges limitations
Google said its long-term objective is to progressively and consistently integrate memory-safe languages into its codebases as it gradually phases out use of unsafe code in any new projects.
The company claimed it has embraced memory-safe languages such as Java, Kotlin, Go, and Python for a large portion of its code. Google’s next goal is to ‘ramp-up’ memory-safe languages that have the capabilities needed to replace C++ in certain environments.
Speaking to ITPro, Ross Bamford, principal software engineer at CreateFuture, said Google’s strategy is a practical one that understands it’s not feasible to initiate a total sea change in programming languages overnight.
“Google's approach is pragmatic: rewriting all legacy C/C++ code is neither feasible nor necessary. Instead, they are driving the adoption of memory-safe languages like Java, Python, and Go for new projects, while focusing on securing existing C/C++ codebases,” he explained.
“This is a well-considered balance, given the realities of modern software ecosystems. Moreover, their investment in ensuring interoperability between these languages is a key move - considering the vast amount of existing infrastructure written in C and C++, easing integration is a substantial advantage.”
Bamford further elaborated that data shows focusing on the use of memory safe languages in new projects is vital, but for the moment C and C++ have a place in the market.
“Google's data indicates that five-year-old code has a significantly lower vulnerability density - 3.4x to 7.4x fewer vulnerabilities - so focusing on new, memory-safe development is the right call,” he said.
“Modern languages like Rust, along with garbage-collected and dynamic languages, are frequently better technical choices today. However, C and C++ still hold a place, though often they are chosen more out of habit or outdated engineering practices rather than necessity.”
He added that businesses should remember that memory-safe languages, although necessary, aren’t a solution to all their problems. They constitute an easy win to eliminate a raft of vulnerabilities and the rest of the industry should follow suit, but Bamford noted there are a number of other factors that could leave businesses vulnerable.
“It's important to remember that memory-safe languages are not a panacea. They reduce many common classes of vulnerabilities, but we cannot afford complacency - poor system architecture or suboptimal algorithm choices can still lead to significant issues,” he warned.
“Overall, Google's strategy is a promising and pragmatic step towards fostering more secure coding practices. This is a direction the industry should pay close attention to.”

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.