
Open-source projects are plagued with dangerous code practices, posing significant risks to security and functionality.

International collaboration involving CISA and the FBI aims to eradicate memory-insecure programming languages, identified as prevalent in over half of critical open-source initiatives.

Open-source projects are plagued with risky computer code that lacks safety measures, particularly in critical sectors.


In a recent report, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have highlighted the use of memory-unsafe languages like C and C++ in critical open source projects as a potential security risk. The report, released on Wednesday, analysed 172 critical projects from the Open Source Security Foundation's Critical Projects Working Group and found that more than half of these projects are written in memory-unsafe languages.

The widespread use of memory-unsafe languages in critical open source projects is a cause for concern due to their inherent vulnerabilities to memory errors such as buffer overflows, use-after-free, integer overflows, and out-of-bounds reads. These memory vulnerabilities can lead to severe security breaches, system crashes, unpredictable behaviour, and exploitable bugs that threaten system stability and user safety, particularly in critical systems like automotive, aerospace, and IoT devices.

Memory errors in C/C++ are notoriously hard to detect and fix, and they can cause programs to behave unpredictably or be exploited to execute malicious code, granting unauthorized access to systems. Moreover, these languages allow behaviours not defined by the language standard, leading to unpredictable and exploitable runtime effects. Malfunctions due to memory errors in embedded or high-stakes software can cause serious safety risks, and memory vulnerabilities often serve as the initial attack vector enabling attackers to inject malicious code and gain control over systems.

To address these vulnerabilities, efforts are being made to shift to memory-safe programming. This involves a combination of formal verification, compiler hardening, runtime protections, and secure development practices. Formal verification tools and techniques are emerging that mathematically prove C/C++ software free from memory errors and undefined behaviour, catching every instance at design time or early in development rather than after deployment.

Developers also use aggressive compiler options, runtime mitigations, and secure coding standards to detect vulnerabilities early and reduce impact during execution. Modern OSes and compilers provide runtime mechanisms to harden software against exploitation, making crashes preferable to system compromises. Awareness and guidelines on common memory bugs are also being circulated to promote safer coding and analysis practices.
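The four error classes listed above (buffer overflow, use-after-free, integer overflow, out-of-bounds read) and the "detect early, fail safely" approach this paragraph describes, as an added C example that is not code from the report or from any of the projects it surveyed: each function is the bounds- or overflow-checked form of a pattern that, left unchecked, produces exactly one of those bugs. The record wire format, the sample bytes and the function names (safe_copy, checked_alloc, parse_records, free_and_clear) are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy src into dst[dst_size], refusing (return -1) when it would not fit
   together with its NUL terminator. This is the bounds check strcpy() omits. */
int safe_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    const char *end = memchr(src, '\0', dst_size); /* look for NUL within dst_size */
    if (end == NULL)                /* no terminator inside the room we have */
        return -1;
    size_t n = (size_t)(end - src);
    memcpy(dst, src, n + 1);        /* n bytes plus the terminator */
    return 0;
}

/* Allocate count elements of size bytes, returning NULL if count * size would
   wrap around. An unchecked multiplication here yields an undersized buffer that
   later writes overflow: the integer-overflow class named in the report. */
void *checked_alloc(size_t count, size_t size)
{
    size_t total;
    if (__builtin_mul_overflow(count, size, &total)) /* gcc/clang builtin */
        return NULL;
    return malloc(total);
}

/* Constructed wire format for the example: a sequence of records, each
   [u8 type][u16 big-endian length][length payload bytes].
   Returns the record count, or -1 if a header or a declared length runs past
   the end of buf (the out-of-bounds read case). If payload_total is non-NULL
   it receives the sum of the payload lengths. */
int parse_records(const uint8_t *buf, size_t len, size_t *payload_total)
{
    size_t pos = 0, total = 0;
    int count = 0;
    while (pos < len) {
        if (len - pos < 3)          /* the 3-byte header must fit before it is read */
            return -1;
        uint16_t rec_len = (uint16_t)((buf[pos + 1] << 8) | buf[pos + 2]);
        pos += 3;
        if (rec_len > len - pos)    /* declared length exceeds the remaining bytes */
            return -1;
        pos += rec_len;
        total += rec_len;
        count++;
    }
    if (payload_total != NULL)
        *payload_total = total;
    return count;
}

/* Free a heap block and clear the caller's pointer, so a later use is a NULL
   dereference (an immediate crash) rather than a silent use-after-free. */
void free_and_clear(void **p)
{
    if (p == NULL)
        return;
    free(*p);
    *p = NULL;
}

/* Constructed samples: two well-formed records, and one whose length field
   (0x00FF = 255) claims far more payload than the 1 byte that follows. */
const uint8_t GOOD_MSG[] = { 0x01, 0x00, 0x03, 'a', 'b', 'c',
                             0x02, 0x00, 0x01, 'x' };
const size_t GOOD_MSG_LEN = sizeof GOOD_MSG;
const uint8_t BAD_MSG[]  = { 0x01, 0x00, 0xFF, 'a' };
const size_t BAD_MSG_LEN = sizeof BAD_MSG;
char scratch[8];                    /* small destination buffer for safe_copy */

int main(void)
{
    size_t total = 0;
    printf("good: %d records, %zu payload bytes\n",
           parse_records(GOOD_MSG, GOOD_MSG_LEN, &total), total);
    printf("bad: %d (rejected)\n", parse_records(BAD_MSG, BAD_MSG_LEN, &total));
    printf("copy short: %d, copy long: %d\n",
           safe_copy(scratch, sizeof scratch, "abc"),
           safe_copy(scratch, sizeof scratch, "this is too long"));
    void *buf = checked_alloc(16, 4);
    printf("alloc ok: %d, overflow refused: %d\n",
           buf != NULL, checked_alloc(SIZE_MAX / 2 + 1, 4) == NULL);
    free_and_clear(&buf);
    printf("pointer cleared: %d\n", buf == NULL);
    return 0;
}
```

Each check turns a silent memory corruption into a return value the caller must handle, which is the "crashes preferable to compromises" trade the paragraph describes. Build it with the hardening it refers to, for instance `-fstack-protector-strong -D_FORTIFY_SOURCE=2` for release builds and `-fsanitize=address,undefined` during testing, and the sanitizers flag any remaining out-of-bounds access or undefined behaviour at test time instead of in production.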

However, the challenge lies in the fact that development teams are often skilled in unsafe languages, or a particular software may depend on libraries that are not memory safe. The largest open source projects are disproportionately reliant on memory-unsafe languages, with four of the top 10 projects having more than 94% of their code written in these languages. The report does not specify which specific memory-unsafe languages were most prevalent among the analysed projects, but the median proportion of memory-unsafe language across the 10 largest projects was 62.5%.

Tim Mackey, head of software supply chain risk strategy at Synopsys Software Integrity Group, stated that memory-safe languages produce code with fewer exploitable defects. These memory-unsafe languages are considered susceptible to exploitation by malicious threat groups. In 2023, CISA Director Jen Easterly called for a shift to memory-safe programming languages to mitigate these risks. Major technology firms, including SAP, Hewlett Packard Enterprise, and Palantir, have backed the White House's effort to adopt memory-safe code.

As the reliance on open source software continues to grow, the need to address the security risks posed by memory-unsafe languages becomes increasingly important. By adopting memory-safe programming practices, we can help ensure the safety and reliability of critical systems and protect them from potential threats.

The report emphasizes the prevalence and potential security risks associated with memory-unsafe languages like C and C++ in critical open source projects.

Addressing these vulnerabilities by transitioning to memory-safe programming practices could reduce exploitable defects and enhance system safety and reliability.
