The government would prefer it if you stopped programming tools in C or C++. In a new report, the White House Office of the National Cyber Director (ONCD) has called on developers to use “memory-safe programming languages,” a category which excludes the popular languages. The advice is part of U.S. President Biden’s Cybersecurity strategy and is a move to “secure the building blocks of cyberspace.”
Memory safety refers to protection from bugs and vulnerabilities which deal with memory access. Buffer overflows and dangling pointers are examples of this. Java is considered a memory-safe language due to its runtime error detection checks. However, C and C++ both allow arbitrary pointer arithmetic with direct memory addresses and no bounds checking.
In 2019, Microsoft security engineers reported that around 70% of security vulnerabilities were caused by memory safety issues. Google reported the same figure in 2020, this time for bugs found in the Chromium browser.
“Experts have identified a few programming languages that both lack traits associated with memory safety and also have high proliferation across critical systems, such as C and C++,” the report reads. “Choosing to use memory safe programming languages at the outset, as recommended by the Cybersecurity and Infrastructure Security Agency’s (CISA) Open-Source Software Security Roadmap is one example of developing software in a secure-by-design manner.”
The goal of the 19-page report is to ensure that responsibility for cybersecurity does not just lie in the hands of individuals and small businesses. Instead, the responsibility lies with larger organizations, tech companies, and ultimately the government.
The report details what it considers to be “unsafe” programming languages, namely C and C++. We’re not here to debate the pros and cons of programming languages, but it is interesting to see that the report does not suggest a specific language in their place. We are told that there are “dozens of memory-safe programming languages that can — and should — be used.”
The ONCD has asked that companies and engineers to adopt best practices in software development and adopt memory-safe hardware in order to reduce the attack surface by which malicious actors can attack. The report itself did not detail what it considers memory safe programming languages to be. However, in November 2022, the National Security Agency (NSA) issued a cybersecurity information sheet that detailed the programming languages it considers to be memory-safe.
NSA Suggested Memory-Safe Programming Languages
- Rust
- Go
- C#
- Java
- Swift
- JavaScript
- Ruby
How popular are the suggested programming languages? Checking the TIOBE index, an indicator of programming language popularity, we see that Python is at number one. Of the NSA preferred options, C# is at position five, Java is at position four, JavaScript at six and Go is at eight. Bringing up the rear are Swift at 16, Rust at 18 and Ruby just squeaks in at 20. So the NSA’s chosen languages are in the top 20, but only four of the seven are “popular” with developers.
The report also calls for better measurements of software security. ONCD has the belief that better metrics enable technology providers to better plan, anticipate, and mitigate vulnerabilities before they become a problem.
In part two (page 8), the report recalls the Apollo 13 mission, a mission that NASA classified as a “successful failure.” The mission suffered a catastrophic failure that saw the three astronauts improvise repairs and mitigate a number of issues in order to return safely home. The need for memory-safe code also impacts the space program, and the report details that a memory-safe language, one that is as close to the kernel as possible, should be used lest we have a future incident.
This report is the latest in a series of steps taken by the U.S. government. In March 2023, President Biden signed a cybersecurity executive order [PDF] that kicked off processes to secure software and hardware, while also forging relationships in the tech industry.
As more and more of our world becomes digital first, the need for better coding becomes more important. Bad code can be used maliciously to exploit weaknesses. The report highlights the Log4j vulnerability from December 2021, in which an open-source Java logging library, Log4j, was exploited via a zero-day vulnerability called Log4Shell
