National Security Agency
NSA Issues Software Memory Safety Guidance
According to the Software Memory Safety Cybersecurity Information Sheet, hackers can exploit poor memory management to access sensitive information, execute unauthorized code, crash programs and compromise memory settings. The guidance also noted that the flexibility and freedom in commonly used coding languages, such as C and C++, leave room for mistakes, which can lead to exploitable vulnerabilities.
NSA’s guidance noted that software analysis tools can detect issues and offer some protection, but code can be further protected by using memory-safe software languages. Another recommendation is to use code-hardening defenses like compilers and operating system configurations to protect data, NSA said.
Neal Ziring, cybersecurity technical director at the NSA, said memory management exploitation is still common even though hackers have been taking advantage of the vulnerability for decades. He urged developers to exercise caution and protect their code when developing software to prevent cyber actors from attacking.
Data from Microsoft revealed in 2019 that between 2006 and 2018, 70 percent of vulnerabilities were caused by memory safety issues. Likewise, Google shared that a similar percentage of the vulnerabilities found in the Chrome browser were memory safety issues.
Some of the coding languages that NSA said are memory-safe are C#, Java, Ruby, Rust and Swift. The agency reminded users that even though these languages are considered safe, software will still have to perform unsafe memory management functions from time to time to accomplish certain tasks.
The natural tendency to turn to unsafe checks puts developers at risk of performing risky memory management tasks. Developers are urged to exercise vigilance even when using the aforementioned languages.