The FBI, NSA, CISA, and cyber agencies from Australia, Canada, New Zealand, and the United Kingdom have investigated 172 major open source projects and found that 52 percent contained code written in a ‘memory-unsafe’ programming language. C and C++ are examples of such languages.
These languages can give rise to memory safety vulnerabilities, which are widespread in today’s software. They include buffer overflows and use-after-free bugs, which, in the worst case, could allow an attacker to execute arbitrary code on affected systems.
Earlier this year, the White House called on programmers and software suppliers to use ‘memory-safe’ programming languages. The aforementioned agencies conducted this study (pdf) to assess the extent of memory unsafety in open source code. Their findings reveal that 55 percent of all lines of code across all projects are written in a memory-unsafe programming language.
The study indicates that the largest projects, such as Chromium and the Linux kernel, are disproportionately written in memory-unsafe languages.
Of the ten largest projects analyzed by total lines of code, each has a proportion of memory-unsafe code above 26 percent. The median proportion using memory-unsafe languages across these ten projects is 62.5 percent, with four exceeding 94 percent.
Even projects written in a memory-safe language appear vulnerable due to dependencies. The agencies performed a dependency analysis on three projects written in memory-safe languages, such as Rust, and found that each one depended on components written in memory-unsafe languages.
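The report's two measurements described above, the share of lines written in memory-unsafe languages (overall, per project, and the median across projects) and the dependency analysis that exposes memory-safe-language projects through the components they pull in, can be reproduced on your own inventory. The following is an added example, not code from the report or from any of the projects it studied; the component names, line counts and dependency edges are constructed for illustration, and treating assembly as memory-unsafe alongside C and C++ is my assumption.

```python
"""Measure memory-unsafe code share and dependency exposure (constructed data)."""
from statistics import median
from typing import Dict, Iterable, List, Set

# Languages counted as memory-unsafe. C and C++ are the ones the article names;
# including assembly is my assumption.
MEMORY_UNSAFE = {"C", "C++", "Assembly"}

# Constructed line counts per language for made-up components. These are NOT
# the report's figures; they exist only so the code runs offline.
LINES_BY_LANGUAGE: Dict[str, Dict[str, int]] = {
    "kernel-like":  {"C": 940_000, "Assembly": 20_000, "Rust": 5_000, "Shell": 35_000},
    "browser-like": {"C++": 600_000, "C": 150_000, "JavaScript": 200_000, "Python": 50_000},
    "rusty-tool":   {"Rust": 98_000, "Shell": 2_000},
    "go-service":   {"Go": 97_000, "C": 3_000},
    "libcompress":  {"C": 30_000},
    "libtls":       {"C": 200_000, "Assembly": 10_000},
    "libparse":     {"Python": 10_000, "C": 2_000},
}

# Constructed direct dependencies between the components above.
DEPENDENCIES: Dict[str, List[str]] = {
    "kernel-like": [],
    "browser-like": ["libcompress"],
    "rusty-tool": ["libcompress", "libparse"],
    "go-service": ["libtls"],
    "libparse": ["libtls"],
}

# The project set under study, kept separate from the libraries they depend on,
# mirroring the report's distinction between projects and dependencies.
CRITICAL_PROJECTS = ["kernel-like", "browser-like", "rusty-tool", "go-service"]


def unsafe_fraction(lines_by_lang: Dict[str, int]) -> float:
    """Fraction of one component's lines written in a memory-unsafe language."""
    total = sum(lines_by_lang.values())
    if total == 0:
        return 0.0
    unsafe = sum(n for lang, n in lines_by_lang.items() if lang in MEMORY_UNSAFE)
    return unsafe / total


def overall_unsafe_fraction(names: Iterable[str]) -> float:
    """Share of ALL lines across the given components that are memory-unsafe,
    the kind of figure behind the report's '55 percent of all lines'."""
    unsafe = total = 0
    for name in names:
        counts = LINES_BY_LANGUAGE[name]
        total += sum(counts.values())
        unsafe += sum(n for lang, n in counts.items() if lang in MEMORY_UNSAFE)
    return unsafe / total if total else 0.0


def summarize(names: List[str], thresholds=(0.26, 0.94)) -> dict:
    """Per-project fractions plus the median and how many exceed each threshold."""
    fractions = {name: unsafe_fraction(LINES_BY_LANGUAGE[name]) for name in names}
    return {
        "per_project": fractions,
        "median": median(fractions.values()),
        "above": {t: sum(1 for f in fractions.values() if f > t) for t in thresholds},
    }


def transitive_dependencies(name: str) -> Set[str]:
    """Every component reachable through DEPENDENCIES; cycles are tolerated."""
    seen: Set[str] = set()
    stack = list(DEPENDENCIES.get(name, []))
    while stack:
        dep = stack.pop()
        if dep in seen:
            continue
        seen.add(dep)
        stack.extend(DEPENDENCIES.get(dep, []))
    return seen


def unsafe_exposure(name: str) -> dict:
    """Direct unsafe share plus each transitive dependency that carries unsafe code.

    A project can have a direct share of 0.0 and still be exposed through its
    dependency tree, which is the situation the report describes for projects
    written in memory-safe languages."""
    direct = unsafe_fraction(LINES_BY_LANGUAGE[name])
    exposed = {
        dep: unsafe_fraction(LINES_BY_LANGUAGE[dep])
        for dep in sorted(transitive_dependencies(name))
        if unsafe_fraction(LINES_BY_LANGUAGE[dep]) > 0
    }
    return {"direct": direct, "unsafe_dependencies": exposed}


if __name__ == "__main__":
    stats = summarize(CRITICAL_PROJECTS)
    print(f"overall unsafe share: {overall_unsafe_fraction(CRITICAL_PROJECTS):.1%}")
    print(f"median per project:   {stats['median']:.1%}")
    for project in CRITICAL_PROJECTS:
        exp = unsafe_exposure(project)
        print(f"{project}: direct {exp['direct']:.1%}, "
              f"unsafe deps {list(exp['unsafe_dependencies'])}")
```

To run this against a real code base, replace the constructed LINES_BY_LANGUAGE table with per-language line counts from a tool that classifies files by language, and populate DEPENDENCIES from the package manager's lock file. The interesting output is the rusty-tool entry: its direct share is zero, yet all three of its transitive dependencies contain memory-unsafe code, which is exactly the exposure the agencies found in the memory-safe-language projects they examined.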
“We determine that most critical open source projects analyzed, even those written in memory-safe languages, potentially contain memory safety vulnerabilities. This can be caused by direct use of memory-unsafe languages or external dependency on projects that use memory-unsafe languages,” the agencies stated in their report.
The agencies emphasize the importance of understanding the extent of memory-unsafety risks in open source software and welcome additional research.
The report also acknowledges that, while transitioning to memory-safe languages like Rust can significantly reduce memory safety vulnerabilities, rewriting existing large codebases poses practical challenges.