• Google says it has made big steps in improving memory safety

    From TechnologyDaily@1337:1/100 to All on Friday, October 18, 2024 12:15:05
    Google says it has made big steps in improving memory safety

    Date:
    Fri, 18 Oct 2024 11:02:00 +0000

    Description:
    C and C++ aren't going away any time soon.

    FULL STORY ======================================================================

    In a recently published blog post, Google explained how it makes its software less susceptible to flaws and vulnerabilities, and thus less interesting to cybercriminals. Its approach includes two key pillars: hardening super-popular, yet unsafe, programming languages, while slowly (but surely) transitioning towards up-and-coming, memory-safe languages.

    Earlier this week, Alex Rebert of Security Foundations, and Core Developers Chandler Carruth, Jen Engel, and Andy Qin, wrote an article saying that about 70% of severe vulnerabilities in memory-unsafe codebases are due to memory safety bugs.

    These vulnerabilities are then found, and exploited, by malicious actors who can do real-world harm. Last year, the number of vulnerabilities exploited in the wild almost hit an all-time high, and 75% of the CVEs used in zero-day exploits were memory safety vulnerabilities.

    C and C++

    Understanding these problems also means doing something about them, and Google is apparently now going for this two-pronged approach.

    "Our long-term objective is to progressively and consistently integrate memory-safe languages into Google's codebases while phasing out memory-unsafe code in new development. Given the amount of C++ code we use, we anticipate a residual amount of mature and stable memory-unsafe code will remain for the foreseeable future."

    Basically, Google is saying that it is impossible to flat-out replace C and C++, despite the general consensus being that they are memory-unsafe languages. Therefore, until that migration is complete, the company will work on risk reduction and containment, which includes C++ hardening (retrofitting safety at scale in memory-unsafe code), security boundaries (strengthening critical software infrastructure components through expanded use of isolation techniques), and bug detection (investing further in bug detection tooling and innovative research).

    Lastly, Google said it is actively working with the semiconductor and research communities on emerging hardware-based approaches to improve memory safety.

    "We believe it's important to embrace the opportunity to achieve memory safety at scale, and that it will have a positive impact on the safety of the broader digital ecosystem," Google concludes. "This path forward requires continuous investment and innovation to drive safety and velocity, and we remain committed to the broader community to walk this path together."



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/google-says-it-has-made-big-steps-in-improving-memory-safety


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)