Source URL: https://www.theregister.com/2024/10/16/google_legacy_code/
Source: The Register
Title: Google’s memory safety plan includes rehab for unsafe languages
Feedly Summary: Large C and C++ codebases will be around for the ‘foreseeable future’
Google has revealed that its approach to making programming code more memory safe involves both the adoption of memory safe languages and making unsafe languages more secure – to the extent that’s possible.…
AI Summary and Description: Yes
Summary: Google is actively pursuing a dual strategy to address memory safety in programming through the adoption of memory-safe languages like Rust and improving the security of legacy C and C++ code. The company highlights the prevalence of memory safety vulnerabilities, particularly in legacy code, which poses significant security risks, and outlines various initiatives to mitigate these issues.
Detailed Description:
– **Google’s Approach**: Google is focusing on improving memory safety by integrating memory-safe programming languages and securing existing legacy languages. This is a significant move in the context of information security, especially for organizations with large codebases relying on C and C++.
– **Memory Safety Advantages**: The text emphasizes the security benefits of using memory-safe languages such as Rust, Java, Kotlin, Go, and Python, which provide guarantees against common memory related issues that occur in languages like C and C++.
– **Legacy Code Challenges**:
– Google acknowledges that a substantial amount of legacy C and C++ code will remain operational for an extended period and cannot be easily replaced.
– The company aims to harden existing code while focusing on new development with memory-safe languages.
– **Statistics and Security Risks**:
– Notably, 75% of CVEs exploited in zero-day attacks are attributed to memory safety vulnerabilities, highlighting a critical security concern that professionals in the field must address.
– The text mentions that approximately 70% of severe vulnerabilities in large systems can be traced back to memory-related flaws.
– **Industry Initiatives**:
– An international campaign, supported by cybersecurity agencies, encourages the use of memory-safe languages and conversion of unsafe code.
– Collaborations with organizations such as the Open Source Security Foundation and proposals for safe extensions in C++ aim to improve security practices in programming.
– **Google’s Technical Efforts**:
– Introduction of mechanisms such as MiraclePtr to address memory bugs.
– Use of isolation techniques like sandboxing is highlighted, and ongoing research into advanced architectural features such as Capability Hardware Enhanced RISC Instructions (CHERI) indicates a forward-looking approach to memory safety.
– **Future Outlook**: While the adoption of memory-safe languages is favored, the existence of C and C++ code remains a reality, necessitating ongoing efforts to secure legacy systems.
This dual strategy not only reflects Google’s commitment to improving programming security but also addresses a critical gap in safeguarding sustainable coding practices in a complex development ecosystem. For security and compliance professionals, understanding these trends is vital for risk management and developing effective security frameworks around existing and emerging technologies.