{"id":31490,"date":"2022-11-18T10:46:13","date_gmt":"2022-11-18T15:46:13","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=514003"},"modified":"2022-11-21T22:09:31","modified_gmt":"2022-11-22T03:09:31","slug":"switch-to-memory-safe-languages-nsa-urges-developers","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/switch-to-memory-safe-languages-nsa-urges-developers\/","title":{"rendered":"Switch to memory safe languages, NSA urges developers"},"content":{"rendered":"<p data-ar-index=\"0\">Application developers can reduce the odds of their code including memory vulnerabilities by changing to a modern language, says the U.S. National Security Agency (NSA).<\/p>\n<p data-ar-index=\"1\"><a href=\"https:\/\/media.defense.gov\/2022\/Nov\/10\/2003112742\/-1\/-1\/0\/CSI_SOFTWARE_MEMORY_SAFETY.PDF\" rel=\"noopener\">In an advisory<\/a>, the agency urges developers to think about dropping C and C++ and shifting to languages such as C#, Go, Java, Ruby, Rust, and Swift.<\/p>\n<p data-ar-index=\"2\">In these languages, memory is managed automatically, the NSA says. They do not rely on the programmer adding code to implement memory protection.<\/p>\n<p data-ar-index=\"3\">\u201cMemory issues in software comprise a large portion of the exploitable vulnerabilities in existence,\u201d the agency notes. For example, it says, a Microsoft study found that, from 2006 to 2018, 70 percent of their vulnerabilities were due to memory safety issues. Google also found a similar percentage of memory safety vulnerabilities over several years in its Chrome browser.<\/p>\n<p data-ar-index=\"4\">Commonly used languages, such as C and C++, provide a lot of freedom and flexibility in memory management, the advisory admits. But they also rely heavily on the programmer to perform the needed checks on memory references. \u201cSimple mistakes can lead to exploitable memory-based vulnerabilities,\u201d it says. 
And while software analysis tools can detect many instances of memory management issues, and operating environment options can also provide some protection, the inherent protections offered by memory-safe software languages can prevent or mitigate most memory management issues.<\/p>\n<p data-ar-index=\"5\">\u201cMemory-safe languages provide differing degrees of memory usage protections,\u201d the advisory cautions, \u201cso available code hardening defenses, such as compiler options, tool analysis, and operating system configurations, should be used for their protections as well.\u201d But, it adds, \u201cby using memory-safe languages and available code hardening defenses, many memory vulnerabilities can be prevented, mitigated, or made very difficult for cyber actors to exploit.\u201d<\/p>\n<p data-ar-index=\"6\">The advisory lists several common memory issues. One is called a \u201cbuffer overflow,\u201d where data is accessed outside the bounds of an array. Other common issues relate to memory allocation. Languages can allocate new memory locations as a program is executing and then deallocate the memory, also called releasing or freeing the memory, later when the memory is no longer needed. But if this is not done carefully by the developer, new memory may be allocated again and again as the program executes. Consequently, memory is not always freed when it is no longer needed, which could cause the program to eventually run out of available memory.<\/p>\n<p data-ar-index=\"7\">By exploiting memory issues, malicious actors may be able to enter unusual inputs into the program, causing memory to be accessed, written, allocated, or deallocated in unexpected ways. 
In some cases, the advisory says, a malicious actor can exploit these memory management mistakes to access sensitive information, execute unauthorized code, or cause other negative impacts.<\/p>\n<p data-ar-index=\"8\">It isn\u2019t trivial to shift a mature software development infrastructure from one computer language to another, the NSA admits. Skilled programmers need to be trained in a new language and there is an efficiency hit when using a new language. Programmers must endure a learning curve and work their way through any \u201cnewbie\u201d mistakes. While another approach is to hire programmers skilled in a memory-safe language, they too will have their own learning curve for understanding the existing code base and the domain in which the software will function.<\/p>\n<p data-ar-index=\"9\">But it believes the shift is necessary.<\/p>\n<p data-ar-index=\"10\">The post <a href=\"https:\/\/www.itworldcanada.com\/article\/switch-to-memory-safe-languages-nsa-urges-developers\/514003\">Switch to memory safe languages, NSA urges developers<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Application developers can reduce the odds of their code including memory vulnerabilities by changing to a modern language, says the U.S. National Security Agency (NSA). In an advisory, the agency urges developers to think about dropping C and C++ and shifting to languages such as C#, Go, Java, Ruby, Rust, and Swift. 
In these languages,<\/p>\n","protected":false},"author":17,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[349,16,28],"tags":[391,719,393,275],"class_list":["post-31490","post","type-post","status-publish","format-standard","hentry","category-development","category-security","category-software","tag-di","tag-programming-languages","tag-security-strategies","tag-top-story"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/31490","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=31490"}],"version-history":[{"count":2,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/31490\/revisions"}],"predecessor-version":[{"id":31592,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/31490\/revisions\/31592"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=31490"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=31490"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=31490"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}