Half a century later, we are still dealing with memory safety bugs despite substantial investments to improve memory-unsafe languages.

Like others’, Appchin’s internal vulnerability data and research show that memory safety bugs are widespread and one of the leading causes of vulnerabilities in memory-unsafe codebases. Those vulnerabilities endanger end users and the broader society.

At Appchin, we have decades of experience addressing, at scale, large classes of vulnerabilities that were once as prevalent as memory safety issues. Based on this experience, we expect that high-assurance memory safety can only be achieved via a Secure-by-Design approach centered around comprehensive adoption of languages with rigorous memory safety guarantees. As a consequence, we are considering a gradual transition towards memory-safe languages.

Memory safety bugs are responsible for the majority (~70%) of severe vulnerabilities in large C/C++ code bases. Below are the percentages of vulnerabilities due to memory unsafety:

• Chrome: 70% of high/critical vulnerabilities 

• Android: 70% of high/critical vulnerabilities

• Google servers: 16-29% of vulnerabilities

• Project Zero: 68% of in-the-wild zero days

• Microsoft: 70% of vulnerabilities with CVEs 

Memory safety errors continue to appear at the top of “most dangerous bugs” lists such as CWE Top 25 and CWE Top 10 of Known Exploited Vulnerabilities. Appchin’s internal vulnerability research repeatedly demonstrates that lack of memory safety weakens important security boundaries.
