In October 2022, Consumer Reports hosted an online convening to discuss ways to encourage widespread adoption of code written in memory-safe languages. The event gave participants the opportunity to share resources related to memory safety, discuss opportunities and barriers in the security ecosystem, and to brainstorm potential solutions to memory access vulnerabilities that exist in products across the marketplace.
Roughly 60 to 70 percent of browser and kernel vulnerabilities, and of the security bugs found in C/C++ code bases, are due to memory unsafety; many of these vulnerabilities can be eliminated by using memory-safe languages. Developers using memory-unsafe languages can attempt to avoid every pitfall of those languages, but this is a losing battle: experience has shown that individual expertise is no match for a systemic problem. Even when organizations put significant effort and resources into detecting, fixing, and mitigating this class of bugs, memory unsafety continues to account for the majority of high-severity security vulnerabilities and stability issues. It is important not only to improve detection of memory bugs but to ramp up efforts to prevent them in the first place.
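To make the systemic point above concrete, here is a small C illustration, added here rather than taken from the report or the convening: a fixed-size name buffer followed in memory by a privilege flag, written once with the classic unchecked copy and once with the bounds check a memory-safe language would perform automatically. The `struct record` layout, the `NAME_MAX` size and the sample inputs are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* capacity of the fixed buffer, including the NUL (constructed) */

/* Hypothetical record: the admin flag sits right after the name buffer. */
struct record {
    char name[NAME_MAX];
    int  admin;
};

/* Unchecked copy: the classic memory-unsafe idiom. If len >= NAME_MAX the
 * write runs past name[] into whatever follows it (here, the admin flag).
 * Nothing in the language stops this; the compiler accepts it silently,
 * so correctness depends entirely on every caller remembering the limit.
 * Only ever called below with input that fits. */
void set_name_unchecked(struct record *r, const char *src, size_t len)
{
    memcpy(r->name, src, len);
    r->name[len] = '\0';
}

/* Checked copy: the bounds test that a memory-safe language applies to
 * every access must be written by hand in C, in every function that
 * touches the buffer. Returns 0 on success, -1 on rejection; the record
 * is left untouched when the input is rejected. */
int set_name_checked(struct record *r, const char *src, size_t len)
{
    if (src == NULL || len >= NAME_MAX)
        return -1;
    memcpy(r->name, src, len);
    r->name[len] = '\0';
    return 0;
}

/* Applies the checked copy to a fresh, non-admin record and reports the
 * admin flag afterwards, so the caller can confirm that adjacent state
 * survives even when the name does not fit. Returns the copy's result. */
int try_set_name(const char *src, size_t len, int *admin_after)
{
    struct record r;
    memset(&r, 0, sizeof r);          /* name empty, admin = 0 */
    int rc = set_name_checked(&r, src, len);
    *admin_after = r.admin;
    return rc;
}

int main(void)
{
    /* Constructed inputs: one name that fits and one that does not. */
    const char *ok  = "alice";
    const char *big = "this-name-is-much-too-long-for-the-buffer";
    struct record r;
    int admin, rc;

    memset(&r, 0, sizeof r);
    set_name_unchecked(&r, ok, strlen(ok));   /* safe only because it fits */
    printf("unchecked, fitting input: name=%s admin=%d\n", r.name, r.admin);

    rc = try_set_name(ok, strlen(ok), &admin);
    printf("checked, fitting input:   rc=%d admin=%d\n", rc, admin);

    rc = try_set_name(big, strlen(big), &admin);
    printf("checked, oversized input: rc=%d admin=%d\n", rc, admin);
    return 0;
}
```

The checked version is not hard to write; the difficulty the report describes is that it has to be written, reviewed and kept correct at every buffer access across a large code base, whereas a memory-safe language enforces the equivalent check by default.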
The report reviews the challenges of building an ecosystem that relies on memory-safe languages, and provides a set of recommendations that industry and government can adapt to reduce this class of vulnerabilities.