CISA Report: Memory Safety Risks in Critical Open Source Projects
Open-source projects are the cornerstone of modern software infrastructure, powering everything from web browsers to mobile apps and cloud services. These projects, contributed to and maintained by communities worldwide, enable innovation and collaboration on an unprecedented scale. However, a recent study by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) sheds light on a critical issue: memory safety in open-source software.
CISA’s Findings on Open-Source Projects
Together with the Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and the Canadian Centre for Cyber Security (CCCS), CISA has published a report on 172 critical open-source projects. The research measures how much of each project is written in memory-unsafe languages, and therefore how exposed it is to memory safety vulnerabilities, following up on the ‘Case for Memory Safe Roadmaps’ released in December 2023. The report underscores the importance of writing memory-safe code to improve software security.
Understanding Memory Safety
Memory safety is the property that a program can only read and write memory it actually owns: no buffer overflows, out-of-bounds reads, use-after-free, double frees or uninitialized reads. Memory-safe languages enforce this at compile time, at run time, or both (ownership rules, bounds checks, garbage collection), so whole classes of errors cannot occur in ordinary code and the burden on developers is far lower than when memory is managed by hand.
Examples of Memory-Safe Languages
Rust: Its ownership model and borrow checker reject, at compile time, code that would create dangling references or data races, so safe Rust has no use-after-free. Code marked unsafe opts out of some of these checks and must be audited by hand.
Golang, Java, C#, Python: These languages combine bounds-checked arrays with garbage collection, which reclaims memory only once nothing references it, so use-after-free and double-free cannot occur in ordinary code.
Memory-Unsafe Languages
Languages like C, C++, Objective-C, Assembly, Cython, and D do not enforce memory safety: there are no mandatory bounds checks, and the developer allocates and frees memory by hand. A single missed length check, or a pointer used after it has been freed, becomes an exploitable vulnerability rather than a compile error.
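As an added example, not code from the CISA report or the article, the following C program shows the two error classes named above (a buffer overflow and a dangling pointer) beside the checks that prevent them. The structure name, the NAME_MAX size and the inputs are constructed for the example.

```c
/* Added example, not code from the CISA report or the article: the two
 * error classes the text names (buffer overflow, dangling pointer) shown
 * in C beside the checks that prevent them. Names, sizes and inputs are
 * constructed for the example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define NAME_MAX 16   /* bytes, including the terminating NUL */

struct session {
    uint32_t id;
    char name[NAME_MAX];
};

/* Buffer overflow, the unsafe form: strcpy stops at the source's NUL and
 * never looks at the destination size, so a long 'src' writes past 'dst'.
 * Kept here as the "before"; main() only calls it with input that fits,
 * because an overflowing call is undefined behaviour. */
static void copy_name_unsafe(char dst[NAME_MAX], const char *src) {
    strcpy(dst, src);
}

/* Hardened form: the copy is bounded by the destination, and input that
 * does not fit is rejected rather than silently truncated.
 * Returns 0 on success, -1 if 'src' has no NUL within NAME_MAX bytes. */
static int copy_name_checked(char dst[NAME_MAX], const char *src) {
    const char *end = memchr(src, '\0', NAME_MAX);
    if (end == NULL)
        return -1;                                /* too long: would overrun dst */
    memcpy(dst, src, (size_t)(end - src) + 1);    /* length includes the NUL */
    return 0;
}

/* Allocates a session; returns NULL on allocation failure or a bad name. */
static struct session *session_create(uint32_t id, const char *name) {
    struct session *s = calloc(1, sizeof *s);
    if (s == NULL)
        return NULL;
    s->id = id;
    if (copy_name_checked(s->name, name) != 0) {
        free(s);
        return NULL;
    }
    return s;
}

/* Dangling pointer, hardened form: the caller passes the address of its
 * pointer; the object is scrubbed and freed and the pointer is set to NULL.
 * A later use then faults on NULL instead of reading freed memory, and a
 * second call is a harmless no-op instead of a double free.
 * The unsafe form is simply free(s) followed by continued use of 's'. */
static void session_destroy(struct session **sp) {
    if (sp == NULL || *sp == NULL)
        return;
    memset(*sp, 0, sizeof **sp);
    free(*sp);
    *sp = NULL;
}

int main(void) {
    char buf[NAME_MAX];

    copy_name_unsafe(buf, "ok");               /* fits: no overflow this time */
    printf("unsafe copy of short input: %s\n", buf);

    const char *names[] = { "alice", "a-name-that-is-too-long" };
    for (size_t i = 0; i < 2; i++)
        printf("checked copy of \"%s\": %s\n", names[i],
               copy_name_checked(buf, names[i]) == 0 ? "ok" : "rejected");

    struct session *s = session_create(42, "bob");
    printf("session %u created for %s\n",
           s ? (unsigned)s->id : 0u, s ? s->name : "?");
    session_destroy(&s);                       /* s is now NULL */
    session_destroy(&s);                       /* no-op, not a double free */
    printf("after destroy, s == NULL: %s\n", s == NULL ? "yes" : "no");
    return 0;
}
```

The point of the hardened forms is that the safety check lives next to the operation and the failure is explicit (a return code, a NULL pointer) rather than silent corruption; a memory-safe language makes the equivalent checks mandatory instead of optional.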
Widely Used Open-Source Code Is Memory Unsafe
CISA’s report reveals that over half of the critical open-source projects analyzed contain memory-unsafe code. Key findings include:
- 52% of the projects contain code written in memory-unsafe languages.
- 55% of the total lines of code (LoC) across these projects are memory unsafe.
- The largest projects have a disproportionate amount of memory-unsafe code: each of the ten largest projects has more than 26% memory-unsafe LoC.
- Among those ten largest projects the median proportion of memory-unsafe LoC is 62.5%, and four of them exceed 94%.
- Even projects written in memory-safe languages often depend on components written in memory-unsafe languages (native libraries, runtimes, bindings), so the language guarantee does not cover the whole program.
Notable examples (share of memory-unsafe LoC):
- Linux: 95%
- Tor: 93%
- Chromium: 51%
- MySQL Server: 84%
- glibc: 85%
- Redis: 85%
- SystemD: 65%
- Electron: 47%
Challenges and Recommendations
Developers often have legitimate reasons to use memory-unsafe languages: resource constraints, performance requirements, and the need to implement low-level functionality such as networking, cryptography, and operating system services. CISA also notes that projects written in memory-safe languages sometimes disable those languages’ safety features (for example through the unsafe keyword in Rust or the unsafe package in Go) to meet such requirements, which reintroduces the same risks.
To enhance the security of open-source projects, CISA recommends the following:
Write New Code in Memory-Safe Languages: Languages like Rust, Java, and Go are preferred.
Transition Existing Projects: Critical components should be migrated to memory-safe languages.
Follow Safe Coding Practices: Developers should manage and audit dependencies carefully.
Continuous Testing: Run static analysis, dynamic analysis (for example with sanitizers), and fuzz testing to find and fix memory safety issues before they ship.
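As an added example of the fuzz testing recommended above (not code from the CISA report or the article), here is a libFuzzer-style harness in C around a small parser. The record format is invented for the example: one length byte followed by that many payload bytes. LLVMFuzzerTestOneInput is the real libFuzzer entry point name; the DEMO_BUG and USE_LIBFUZZER build switches, the PAYLOAD_MAX size and the sample inputs are constructed here.

```c
/* Added example (not code from the CISA report or the article): a
 * libFuzzer-style harness around a small, constructed record parser.
 * Record format, invented for the example: one length byte, then that
 * many payload bytes.
 *
 * Stand-alone build (replays the constructed inputs below):
 *   cc -g -O1 -fsanitize=address fuzz_record.c -o fuzz_record && ./fuzz_record
 * Fuzzing build (libFuzzer supplies main, so ours is compiled out):
 *   clang -g -O1 -fsanitize=fuzzer,address -DUSE_LIBFUZZER -DDEMO_BUG \
 *         fuzz_record.c -o fuzz_record && ./fuzz_record
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 32

struct record {
    uint8_t len;
    uint8_t payload[PAYLOAD_MAX];
};

/* Parses one record from 'in'. Returns 1 on success, 0 on malformed input.
 * Build with -DDEMO_BUG to drop the bounds check: AddressSanitizer plus
 * libFuzzer then report a stack-buffer-overflow on the first oversized
 * length byte the fuzzer tries. */
static int parse_record(const uint8_t *in, size_t n, struct record *out) {
    if (n < 1)
        return 0;                           /* need at least the length byte */
    uint8_t len = in[0];
    if (n < 1 + (size_t)len)
        return 0;                           /* truncated payload */
#ifndef DEMO_BUG
    if (len > PAYLOAD_MAX)
        return 0;                           /* would overrun out->payload */
#endif
    out->len = len;
    memcpy(out->payload, in + 1, len);      /* bounded only by the check above */
    return 1;
}

/* libFuzzer entry point: the fuzzer calls this with mutated inputs; any
 * memory error is caught by the sanitizer and the input saved as a crash
 * file for replay. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    struct record r;
    (void)parse_record(data, size, &r);
    return 0;                               /* non-zero returns are reserved */
}

/* Constructed sample inputs. */
static const uint8_t SAMPLE_OK[]    = { 3, 'a', 'b', 'c' };
static const uint8_t SAMPLE_TRUNC[] = { 5, 'a', 'b' };

#ifndef USE_LIBFUZZER
/* Replay driver: runs the harness over the samples, including the
 * oversized record that crashes a -DDEMO_BUG build. */
int main(void) {
    uint8_t oversize[1 + 64];               /* len = 64 > PAYLOAD_MAX */
    memset(oversize, 'A', sizeof oversize);
    oversize[0] = 64;

    const struct { const uint8_t *p; size_t n; const char *name; } cases[] = {
        { SAMPLE_OK,    sizeof SAMPLE_OK,    "ok" },
        { SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, "truncated" },
        { oversize,     sizeof oversize,     "oversized" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct record r;
        int rc = parse_record(cases[i].p, cases[i].n, &r);
        printf("%-9s -> %s\n", cases[i].name, rc ? "parsed" : "rejected");
        LLVMFuzzerTestOneInput(cases[i].p, cases[i].n);
    }
    return 0;
}
#endif
```

The harness itself contains no expectations about the input: it only feeds bytes to the code under test and lets the sanitizer decide whether a memory error happened, which is what makes fuzzing effective at finding the bugs that memory-unsafe languages do not catch on their own.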
Conclusion
The findings of CISA’s research highlight a crucial need for the open-source community to prioritize memory safety. By adopting memory-safe languages and practices, developers can significantly reduce vulnerabilities in open-source software, making it more secure for everyone. As open-source projects continue to grow in importance and scale, ensuring their safety and reliability is paramount.
The sources for this article include a story from BleepingComputer.