
US, Allies Warn of Memory Unsafety Risks in Open Source Software

Most critical open source software contains code written in a memory unsafe language, US, Australian, and Canadian government agencies warn.

Government agencies in the US, Australia, and Canada are drawing attention to memory safety issues in open source software (OSS) code, warning that most projects make heavy use of code written in memory-unsafe languages.

The use of such code introduces memory safety vulnerabilities that expose organizations and users to attacks, CISA, the FBI, Australia’s Cyber Security Center (ACSC), and the Canadian Centre for Cybersecurity (CCCS) note in their joint guidance.

The document, titled Exploring Memory Safety in Critical Open Source Projects (PDF), was published half a year after government agencies in the US, UK, Canada, Australia, and New Zealand released recommendations for software makers to eliminate memory safety bugs.

An analysis of 172 projects from the Open Source Security Foundation (OpenSSF) critical projects list shows that more than half of them contain code written in a memory-unsafe language, and that such code accounts for 55% of the total lines of code (LoC) in these projects.

“The largest projects are disproportionately written in memory-unsafe languages. Of the ten largest projects by total LoC, each has a proportion of memory unsafe LoC above 26%. The median proportion using memory-unsafe languages across the ten projects is 62.5% and four of the ten project proportions exceed 94%,” the authoring agencies say.

The analysis also revealed that even projects fully written in memory-safe languages are not risk free: each of the three such projects analyzed (Ansible, Distribution, and Home Assistant) depends on components written in memory-unsafe languages.

“Mistakes, which inevitably occur, can result in memory-safety vulnerabilities such as buffer overflows and use after free. Successful exploitation of these types of vulnerabilities can allow adversaries to take control of software, systems, and data,” the guidance reads.

The government agencies also note that the largest OSS projects, which include Chromium, the Linux kernel, gecko-dev, kvm, and linux-yocto-contrib, have over 25 million LoC, “much of which is written in memory-unsafe languages”.


In fact, the analysis revealed that, while memory-unsafe languages account for roughly half of the code in the Chromium and Gecko web browser frameworks, the Linux kernel is predominantly written in them.

“We observed that many critical open source projects are partially written in memory-unsafe languages and limited dependency analysis indicates that projects inherit code written in memory-unsafe languages through dependencies,” the guidance reads.

According to the authoring agencies, the memory-unsafe languages to be taken into consideration include Assembly, C, C++, C/C++ Header, Cython, and D, while the non-executable file types include CSV, diff, HTML, INI, JavaScript Object Notation (JSON), Markdown, reStructuredText, Text, Web Services Description, XHTML, XML, XSD, XSLT, and YAML.
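As an added illustration of the kind of per-project tally the agencies describe (example code, not from the report or its authors), the script below classifies files by extension into the memory-unsafe and non-executable categories listed above and computes the memory-unsafe share of LoC. The extension-to-category mapping, the choice to leave non-executable files out of the denominator, and the sample inventory are all assumptions of this example.

```python
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# Memory-unsafe languages named in the guidance; the extension mapping is an
# assumption for this example, not the report's own tooling.
MEMORY_UNSAFE = {
    ".s": "Assembly", ".asm": "Assembly",
    ".c": "C", ".cc": "C++", ".cpp": "C++", ".cxx": "C++",
    ".h": "C/C++ Header", ".hpp": "C/C++ Header",
    ".pyx": "Cython", ".pxd": "Cython", ".d": "D",
}
# Non-executable file types the guidance lists; left out of the LoC total here.
NON_EXECUTABLE = {
    ".csv", ".diff", ".html", ".ini", ".json", ".md", ".rst", ".txt",
    ".wsdl", ".xhtml", ".xml", ".xsd", ".xslt", ".yaml", ".yml",
}

def classify(path: str) -> str:
    """Return 'unsafe', 'non_executable' or 'safe' for one file path."""
    dot = path.rfind(".")
    ext = path[dot:].lower() if dot != -1 else ""
    if ext in MEMORY_UNSAFE:
        return "unsafe"
    if ext in NON_EXECUTABLE:
        return "non_executable"
    return "safe"  # Python, Rust, Go, ... count as memory-safe code

def unsafe_proportion(files: Iterable[Tuple[str, int]]) -> Tuple[float, Dict[str, int]]:
    """Share of executable LoC in memory-unsafe languages, plus per-bucket totals.
    `files` yields (path, line_count); non-executable files are excluded from
    the denominator (this example's convention)."""
    totals: Dict[str, int] = defaultdict(int)
    for path, loc in files:
        totals[classify(path)] += loc
    executable = totals["unsafe"] + totals["safe"]
    share = totals["unsafe"] / executable if executable else 0.0
    return share, dict(totals)

# Constructed inventory for one hypothetical project (not real data).
SAMPLE_PROJECT = [
    ("src/net/socket.c", 1200), ("src/net/socket.h", 150),
    ("src/crypto/aes.S", 400), ("tools/build.py", 500),
    ("cli/main.rs", 800), ("README.md", 90), ("config/defaults.yaml", 60),
]

if __name__ == "__main__":
    share, totals = unsafe_proportion(SAMPLE_PROJECT)
    print(f"memory-unsafe share of executable LoC: {share:.1%}  {totals}")
```

Pointing `SAMPLE_PROJECT` at a real checkout (for example via `os.walk` and a line count per file) gives the same per-project proportion the report tabulates, with the caveat the agencies raise that vendored and external dependencies are not captured unless they are walked too.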

The agencies note that assessing memory safety at scale is very difficult, especially since a complete dependency analysis is unlikely to be achievable, and that performance and resource constraints will lead to the continued use of memory-unsafe languages, especially in system kernels and drivers, networking, and cryptography.

“It may, however, be an effective security investment to transition these types of projects to memory safe languages, and new projects should also consider using memory safe languages. Recent advancements allow memory safe programming languages, such as Rust, to parallel the performance of memory-unsafe languages,” the agencies note.


Written by Ionut Arghire, international correspondent for SecurityWeek.
