The memory safety of programming languages has been a hot topic for a number of years in the development community.
Popular, high-performance languages like C and C++ suffer from the same weakness, namely they are vulnerable to bugs associated with how they use memory, which threat actors can take advantage of.
Common classes of memory safety vulnerabilities are buffer overflow, out of bounds read/write, and use after free bugs, all of which exploit weaknesses in the way the underlying language manages memory.
Unlike memory safe languages (MSLs) such as Rust, Python, or Java, C and C++ have leave much of the security burden on developers, where sloppy coding practices and slapdash code testing can lead to security vulnerabilities that threat actors can exploit to gain access to arbitrary files or inject malicious code.
Speaking at the BlueHat security conference 2019, Matt Miller a Microsoft engineer declared that around 70% of all software vulnerabilities addressed in yearly security updates for Microsoft products were memory safety issues.
In 2023, internal analysis at Google estimated that 75% of CVEs used in zero day exploits targeted memory safety vulnerabilities, and Google predicted that 70% of severe vulnerabilities in memory unsafe codebases stem from bugs of this kind.
The issue has reached such an extent that the National Security Agency (NSA) published guidance in 2022 recommending organizations only use memory safe languages (MSLs) when possible to avoid exploitation.
The agency reiterated this recommendation alongside international partners in 2023, urging C-suite executives and technical experts to take memory safe coding seriously.
“With this guidance, the authoring agencies urge senior executives at every software manufacturer to reduce customer risk by prioritizing design and development practices that implement MSLs,” said the NSA in a joint statement.
“Additionally, the agencies urge senior executives at every software manufacturer to create and publish memory safe roadmaps that detail how they will eliminate memory safety vulnerabilities in their products.”
Smoothing the transition to memory safety
NSA’s initial call for technology leaders to be wary of the dangers associated with memory unsafe languages noted that this transition would not be easy.
“It is not trivial to shift a mature software development infrastructure from one computer language to another. Skilled programmers need to be trained in a new language and there is an efficiency hit when using a new language,” the NSA warned.
“While another approach is to hire programmers skilled in a memory safe language, they too will have their own learning curve for understanding the existing code base and the domain in which the software will function.”
The US’s Defense Advanced Research Projects Agency (DARPA) launched the TRACTOR program, for example, to accelerate the transition with the help of AI.
The TRACTOR program aims to use LLMs as well as static and dynamic analysis to automate the code translation process as much as possible, taking some of the strain off programmers.
Meanwhile, Google announced its ‘two-pronged’ approach to advancing memory safety in October, which comprises a push to encourage the adoption of MSLs, while also working to bolster the resilience of unsafe languages like C++.
The blog post announcing the approach acknowledged that the sheer amount of C++ code still in use, securing these codebases is vitally important.
“Given the amount of C++ code we use, we anticipate a residual amount of mature and stable memory-unsafe code will remain for the foreseeable future.”
As a result, software developers face a significant challenge to convert existing codebases into memory safe languages, but how can organizations implement a seamless transition in years to come?
Organizations need to prioritize security culture to expedite code translation
Vitor Monteiro, CTO at Uniflow and lecturer at Universidade Lusófona in Portugal, stressed the importance of switching from C and C++ to their more robust counterparts, but agreed the transition will feature a number of hurdles for software developers.
"The transition from memory-unsafe languages like C and C++ to safer options like Rust, Java, and Swift is increasingly urgent, given the security vulnerabilities tied to memory management issues,” he noted.
“However, this shift is complex, as it involves not only reworking vast amounts of legacy code but also addressing performance concerns, limited developer expertise, and organizational resistance to change.”
Monteiro added that although DARPA’s TRACTOR program and Google’s approach both look to alleviate some of the pain associated with making the switch, organizations will also need to make significant investments in upskilling their developer teams, and foster a stronger security culture among programmers.
“While initiatives like DARPA’s TRACTOR programme and Google's recent migration efforts aim to smooth the transition through automation and advocacy, the path is still challenging and resource intensive,” he explained.
“Organizations can make progress by adopting memory-safe languages in new projects, prioritizing training to bridge the skill gap, and embedding a security-first mindset into their development culture. Balancing these steps allows them to reduce vulnerabilities gradually while preparing for a more widespread industry shift in the coming years."
