NSA on programming languages

#1 - arne_v
12 Nov. 2022 02:03

National Security Agency | Cybersecurity Information Sheet
Software Memory Safety

While developers often perform rigorous testing to
prepare the logic in software for surprising conditions, exploitable software
vulnerabilities are still frequently based on memory issues. Examples include
overflowing a memory buffer and leveraging issues with how software allocates and
de-allocates memory. Microsoft revealed at a conference in 2019 that from 2006 to 2018
70 percent of their vulnerabilities were due to memory safety issues. Google also
found a similar percentage of memory safety vulnerabilities over several years in

Commonly used languages, such as C and C++, provide a lot of freedom and flexibility
in memory management while relying heavily on the programmer to perform the needed
checks on memory references. Simple mistakes can lead to exploitable memory-based
vulnerabilities. Software analysis tools can detect many instances of memory
management issues and operating environment options can also provide some
protection, but inherent protections offered by memory safe software languages can
prevent or mitigate most memory management issues. NSA recommends using a
memory safe language when possible. While the use of added protections to
non-memory safe languages and the use of memory safe languages do not provide absolute
protection against exploitable memory issues, they do provide considerable protection.
Therefore, the overarching software community across the private sector, academia,
and the U.S. Government have begun initiatives to drive the culture of software
development towards utilizing memory safe languages.

Using a memory safe language can help prevent programmers from introducing certain
types of memory-related issues. Memory is managed automatically as part of the
computer language; it does not rely on the programmer adding code to implement
memory protections. The language institutes automatic protections using a combination
of compile time and runtime checks. These inherent language features protect the
programmer from introducing memory management mistakes unintentionally. Examples
of memory safe language include C#, Go, Java, Ruby™, Rust, and Swift.
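
The runtime check described in the quoted text, as an added example that is not part of the post or of the NSA sheet: a Rust parser for a constructed length-prefixed record, where an overstated length byte is refused instead of reading past the buffer. The record format and all function names are assumptions made for this illustration.

```rust
use std::panic;

/// Parse one record laid out as [1-byte length][payload] and return the payload.
/// The length byte is untrusted input (format constructed for this example).
fn read_record(buf: &[u8]) -> Option<&[u8]> {
    let len = *buf.first()? as usize;
    // `get` does the bounds check and yields None instead of reading past `buf`.
    buf.get(1..1 + len)
}

/// The same parser with plain indexing, the shape a C version would have as
/// `memcpy(out, buf + 1, buf[0])`. Rust still checks the range at run time.
fn read_record_indexed(buf: &[u8]) -> Vec<u8> {
    let len = buf[0] as usize;
    buf[1..1 + len].to_vec()
}

/// Returns true when the indexed parser was stopped by the runtime bounds check
/// (a panic) rather than returning bytes from outside the buffer.
fn indexed_read_is_stopped(buf: &[u8]) -> bool {
    let owned = buf.to_vec();
    panic::catch_unwind(move || read_record_indexed(&owned)).is_err()
}

fn main() {
    // Constructed sample inputs.
    let honest = [5u8, b'h', b'e', b'l', b'l', b'o'];
    let lying = [200u8, b'h', b'i']; // claims 200 bytes, carries 2

    println!("honest record: {:?}", read_record(&honest));
    println!("lying record:  {:?}", read_record(&lying));

    // Suppress the default panic message so the demo output stays readable.
    panic::set_hook(Box::new(|_| {}));
    println!("indexed read stopped: {}", indexed_read_is_stopped(&lying));
}
```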
