The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have jointly published a report urging software developers to adopt memory-safe programming languages (MSLs). The guidance highlights the importance of memory safety in reducing national security risk and improving overall software security, since memory safety bugs (buffer overflows, use-after-free, and similar errors) remain a large share of exploitable vulnerabilities in software written in languages such as C and C++.
The report reiterates the rationale for greater memory safety and underscores the government's ongoing calls for MSL adoption. While acknowledging the challenges of transitioning to MSLs, especially for large organizations with extensive legacy codebases, it emphasizes the long-term benefits: increased software reliability, a reduced attack surface, and lower long-term maintenance costs. As a case study, the report cites Google, which reduced memory safety vulnerabilities in Android to 24 percent of all Android vulnerabilities by 2024 (down from 76 percent in 2019, according to Google's own figures), largely by writing new code in memory-safe languages rather than rewriting existing code. This illustrates the impact that MSL adoption can have inside an enterprise.
Additionally, the report discusses the advantages of MSL adoption and highlights the importance of promoting memory safety across the tech industry, urging employers to support the transition by advertising jobs that require MSL expertise. It also references several government initiatives aimed at accelerating the move to MSLs, such as the Defense Advanced Research Projects Agency (DARPA) TRACTOR program, which aims to develop automated translation of C code to Rust. A related research effort, the Omniglot project proposed by researchers at Princeton, UC Berkeley, and UC San Diego, provides a principled way for Rust code to interact with libraries written in unsafe languages across a Foreign Function Interface (FFI) without giving up Rust's safety guarantees at that boundary.
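The FFI boundary is where memory safety is most often lost in practice: a C ABI cannot express "this pointer is valid for N bytes", so the guarantee depends entirely on the Rust wrapper enforcing the C routine's contract. The following is an added example (not code from the CISA/NSA report, the TRACTOR program, or the Omniglot project) of the conventional hand-written safe-wrapper pattern that such projects aim to improve on. The "library" routine `lib_fill_pattern` is a hypothetical stand-in for a C function; it is defined here in Rust with the C ABI so the example builds without linking a C archive.

```rust
use std::os::raw::{c_int, c_uchar};

/// Hypothetical stand-in for a C library routine. Contract in C terms:
/// "write `len` bytes into `buf`, return the number written, or -1 on error."
/// In a real build this would be `extern "C" { fn lib_fill_pattern(...); }`
/// resolved from a C archive; the body is only here to make the example run.
pub extern "C" fn lib_fill_pattern(buf: *mut c_uchar, len: usize, seed: c_uchar) -> c_int {
    if buf.is_null() || len > c_int::MAX as usize {
        return -1;
    }
    for i in 0..len {
        // SAFETY: by the library's contract the caller guarantees `buf` is
        // valid for `len` writes. Nothing here can verify that; a wrong `len`
        // from the caller is an out-of-bounds write, exactly the class of bug
        // memory-safe languages are meant to eliminate.
        unsafe {
            *buf.add(i) = seed.wrapping_add(i as c_uchar);
        }
    }
    len as c_int
}

#[derive(Debug, PartialEq)]
pub enum FfiError {
    /// The caller asked the library to write more bytes than the buffer holds.
    TooLong { requested: usize, capacity: usize },
    /// The library itself reported failure (its raw return code).
    LibraryError(c_int),
}

/// Safe wrapper: the one place where the contract the C ABI cannot express
/// is checked. Because `out` is a slice, its real length is known, and the
/// raw pointer handed to the library can never outrun the allocation.
pub fn fill_pattern(out: &mut [u8], len: usize, seed: u8) -> Result<usize, FfiError> {
    if len > out.len() {
        return Err(FfiError::TooLong { requested: len, capacity: out.len() });
    }
    // SAFETY: `len <= out.len()`, and `out` is exclusively borrowed for the
    // duration of the call, so `out.as_mut_ptr()` is valid for `len` writes
    // and no other reference can observe the buffer mid-write.
    let written = unsafe { lib_fill_pattern(out.as_mut_ptr(), len, seed) };
    if written < 0 {
        return Err(FfiError::LibraryError(written));
    }
    Ok(written as usize)
}

fn main() {
    let mut small = [0u8; 16];
    // A request that would overflow the buffer is refused before the
    // library ever sees a pointer.
    println!("{:?}", fill_pattern(&mut small, 64, 0x41));
    // An in-bounds request goes through.
    println!("{:?}", fill_pattern(&mut small, 16, 0x41));
    println!("{:02x?}", &small[..4]);
}
```

The point of the wrapper is that `unsafe` appears in exactly one audited place, and every invariant the C side assumes is either checked there or guaranteed by Rust's type system (the slice's length, the exclusive borrow). Code calling `fill_pattern` is ordinary safe Rust and cannot trigger the out-of-bounds write, whatever `len` it passes.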