The Underappreciated Criticality of Memory Safety

Memory safety is having a moment. Last Friday, the White House Office of the National Cyber Director (ONCD), in partnership with CISA, the National Science Foundation, DARPA, and the OMB, announced a request for information on the development of memory-safe languages and more secure techniques of developing software.

The project’s origins rest with the notorious Log4j exploit, which threatened millions of software programs around the world. In addition, rising tensions with China are causing increased (and long overdue, in my view) concerns about the vulnerability of American critical infrastructure and military systems to sophisticated cyberattacks.

Last month, The New York Times revealed that the US Military was actively hunting for Chinese malware that could incapacitate its operations. Then, last Saturday, at Def Con, CISA Director Jen Easterly sounded the alarm that China may attack critical infrastructure in the US as part of a conflict in the Taiwan Straits. Memory safety, a relatively esoteric but nonetheless crucial area of cyber defense, plays a key role in mitigating these risks.

In a memory attack, a malicious actor compromises compiled software code while it is running in a computer’s memory. There is a wide variety of memory attacks, but most exploit flaws in how software allocates and uses memory, such as “buffer overflows.” With control over the software in memory, the attacker can wreak havoc on a system and its data.
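As an added illustration (not from the original article or from RunSafe), the C sketch below models the buffer overflow just described: an input one byte too long spills out of its buffer into an adjacent control value, and the bounds check that memory-safe languages apply on every access rejects the same input. The memory layout, function names and sample input are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one stack frame or heap object as a flat byte region:
 * an 8-byte input buffer followed directly by a 1-byte control value. */
enum { BUF_OFF = 0, BUF_LEN = 8, FLAG_OFF = 8, REGION_LEN = 16 };

typedef struct { uint8_t bytes[REGION_LEN]; } region_t;

/* What C permits: copy n bytes without comparing n to the buffer size.
 * (n is clamped to the region only so this demo stays well-defined.) */
static void copy_unchecked(region_t *r, const uint8_t *src, size_t n) {
    if (n > REGION_LEN) n = REGION_LEN;
    memcpy(r->bytes + BUF_OFF, src, n);
}

/* What a memory-safe language enforces on every access: reject the write. */
static int copy_checked(region_t *r, const uint8_t *src, size_t n) {
    if (n > BUF_LEN) return -1;
    memcpy(r->bytes + BUF_OFF, src, n);
    return 0;
}

/* Returns the control byte after an oversized input is handled each way. */
static uint8_t flag_after(int checked) {
    /* Constructed input: 9 bytes offered to an 8-byte buffer. */
    static const uint8_t input[9] = {'A','A','A','A','A','A','A','A', 1};
    region_t r;
    memset(&r, 0, sizeof r);
    if (checked) (void)copy_checked(&r, input, sizeof input);
    else copy_unchecked(&r, input, sizeof input);
    return r.bytes[FLAG_OFF];
}

int main(void) {
    printf("unchecked copy: control byte = %u\n", flag_after(0));
    printf("checked copy:   control byte = %u\n", flag_after(1));
    return 0;
}
```

In a real program the neighbouring bytes may be a return address or function pointer rather than a flag, which is how an overflow becomes control over execution.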

According to Joe Saunders, Founder and CEO of RunSafe Security, a maker of cyberhardening technology for embedded systems and devices as well as industrial control systems, “If you compromise software at the memory level, then you can take remote control of the execution of the software and do whatever you wish to do. You can exfiltrate data. You can even perpetrate a kinetic attack, such as crashing a vehicle. It’s a big area of risk exposure, in national security terms.”

Microsoft and Google claim that memory-based vulnerabilities represent 70% or more of the vulnerabilities in software. And, while these attacks are difficult to execute, they are well within the capabilities of advanced hackers, especially ones backed by nation states. It certainly seems that the ONCD and CISA are worried about memory safety vulnerabilities when they talk about threats from China and others.

As Saunders further elaborated, memory-based vulnerabilities are inherent in the Linux operating system and in applications built on real-time operating systems (RTOSes), which are deployed across critical infrastructure. Older programming languages, such as C and C++, are particularly vulnerable.

To this point, the NSA issued guidance in November of 2022 that called for improved memory safety. The ONCD offered similar guidance in its National Cybersecurity Strategy in March of 2023. Both sets of guidance call for remediation of memory-based vulnerabilities. An emerging recommendation is to move the software that runs government, military, and critical infrastructure systems from C and C++ to “memory safe” languages like Rust or Go.

This, of course, would be a total nightmare. One is reminded of the wonderful scene in Woody Allen’s 1971 film “Bananas,” when the power-drunk dictator, played by Carlos Montalban, declares that everyone in the nation of San Marcos must change their underwear twice a day. And, in order for the authorities to be able to enforce this new law, “everyone must wear their underwear on the outside.”

As Saunders explained, “Take a company like Schneider Electric. They can’t just rewrite their software in memory safe languages. Why? Because they have thousands of products. And, those products have 10 to 30-year lifespans. Yes, in theory, they can do it, but in reality, this is a multi-year project—and the risks are happening right now.”

RunSafe offers a solution which protects memory without requiring a software rewrite. If companies and government entities want to meet the goals set out by the NSA, CISA and others, they are going to need this kind of technology. Replacing software will take too long.

 
