Google says it has made big steps in improving memory safety
Plugging memory-related holes requires a two-pronged approach, Google claims
In a blog post, Google has explained how it makes its software less susceptible to flaws and vulnerabilities, and thus less interesting to cybercriminals. Its approach includes two key pillars: hardening super-popular, yet unsafe, programming languages, while slowly (but surely) transitioning towards up-and-coming, memory-safe languages.
The article, by Alex Rebert of Security Foundations and Chandler Carruth, Jen Engel, and Andy Qin of Core Developers, claims that about 70% of severe vulnerabilities in memory-unsafe codebases are due to memory safety bugs.
These vulnerabilities are then found, and exploited, by malicious actors who can do real-world harm. Last year, the number of vulnerabilities exploited in the wild almost hit an all-time high, and 75% of the CVEs used in zero-day exploits were memory safety vulnerabilities.
C and C++
Understanding these problems also means doing something about them, and Google is apparently now going for this two-pronged approach.
“Our long-term objective is to progressively and consistently integrate memory-safe languages into Google's codebases while phasing out memory-unsafe code in new development. Given the amount of C++ code we use, we anticipate a residual amount of mature and stable memory-unsafe code will remain for the foreseeable future.”
Basically, Google is saying that it is impossible to flat-out replace C and C++, despite the general consensus being that they are memory-unsafe languages. Therefore, until that migration is complete, the company will work on risk reduction and containment, which includes C++ hardening (retrofitting safety at scale in memory-unsafe code), security boundaries (strengthening critical software infrastructure components through expanded use of isolation techniques), and bug detection (investing further in bug detection tooling and innovative research).
Lastly, Google said it is “actively working” with the semiconductor and research communities on emerging hardware-based approaches to improve memory safety.
“We believe it’s important to embrace the opportunity to achieve memory safety at scale, and that it will have a positive impact on the safety of the broader digital ecosystem,” Google concludes. “This path forward requires continuous investment and innovation to drive safety and velocity, and we remain committed to the broader community to walk this path together.”
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.