Full Report
The blog post revolves around Google's Android security program, but the results apply elsewhere. Android has been producing more and more code in memory-safe languages like Rust instead of unsafe ones like C. The analysis in the post tracks the number of memory corruption vulnerabilities over the years. Over the course of 6 years, most new development has occurred in memory-safe languages. Even though the amount of code in memory-unsafe languages is still slowly growing and the original unsafe code still exists, the number of memory corruption bugs has dropped significantly. Why, though? Doesn't all memory-unsafe code need to be rewritten? According to the article, the answer is no. Vulnerabilities are much more likely to be discovered in new code, as a Usenix paper found years ago. According to the details from Android and Chromium bugs, 5-year-old code is 3.4 to 7.4 times less likely to have a bug than new code. So if the existing Android code is 6 years old, it is much less likely to have bugs in it. As a result, we don't need to rewrite all memory-unsafe code, saving lots of money and avoiding new bugs along the way. In terms of designing software, killing bug classes from the beginning is the way to go. If you use a memory-safe language, you kill a bug class entirely, which is amazing. This is opposed to the original and expensive style of reactive patching, exploit mitigations like ASLR, NX, etc., and proactive vulnerability discovery. Overall, a great article on where to hunt for bugs!
Analysis Summary
# Best Practices: Eliminating Memory Safety Vulnerabilities
## Overview
These practices address the single largest contributor to security vulnerabilities in systems software: memory corruption. By shifting defense-in-depth from reactive patching to "safe-by-design" principles, organizations can reduce the density of critical bugs. The core insight is that **vulnerabilities are exponentially more likely to be found in new code**, meaning the most cost-effective way to secure a system is to ensure all new development occurs in memory-safe languages rather than rewriting legacy code.
## Key Recommendations
### Immediate Actions
1. **Mandate Memory-Safe Languages for New Features:** Require that any new modules or significant feature updates be written in memory-safe languages (e.g., Rust, Go, Java) rather than C or C++.
2. **Halt Large-Scale Refactoring of Stable Legacy Code:** Recognize that "stable" code (5+ years old) is statistically 3.4x to 7.4x less likely to contain bugs than new code. Do not prioritize rewriting it unless the logic itself is changing.
3. **Inventory Your Tech Stack:** Identify which components are written in memory-unsafe languages (C/C++) and categorize them by age and exposure to untrusted data.
### Short-term Improvements (1-3 months)
1. **Establish Interoperability Layers:** Implement "Foreign Function Interfaces" (FFI) to allow new memory-safe code to communicate securely with existing legacy C/C++ libraries.
2. **Training & Upskilling:** Provide developers with training in memory-safe systems programming (e.g., Rust) to prevent friction during the transition.
3. **Update Security Tooling:** Integrate static and dynamic analysis tools that specifically flag unsafe memory patterns in the remaining C/C++ code.
### Long-term Strategy (3+ months)
1. **Deplete the "Unsafe" Code Ratio:** Over time, the percentage of memory-safe code in your repository should increase through attrition. As old C code is retired or replaced by new safe features, the overall risk surface shrinks.
2. **Automate Exploit Mitigations:** While transitioning, ensure all remaining C/C++ builds use modern mitigations like ASLR, NX, and Control Flow Integrity (CFI).
3. **Policy Formalization:** Standardize a "Safe-by-Design" framework where memory safety is a non-negotiable requirement for all new vendor software and internal projects.
## Implementation Guidance
### For Small Organizations
- Focus strictly on using high-level memory-safe languages (Python, Go, Java) for all applications.
- Avoid low-level C programming unless it is strictly necessary for hardware interaction.
### For Medium Organizations
- Implement a "Rust-first" policy for any new systems-level development or performance-critical components.
- Use memory-safe wrappers when interacting with legacy open-source C libraries.
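The FFI interoperability layer from the short-term improvements and the "memory-safe wrappers" recommended above both come down to one pattern: keep the `unsafe` block private, validate every invariant in Rust first, and expose only a safe API. The following is an added example (not from the blog or from Android's code) that wraps two libc functions, `strlen` and `memcpy`, so that a caller cannot pass an unterminated string or overflow the destination buffer through this API.

```rust
use std::ffi::{c_char, c_void, CString};

// Legacy C functions declared through the FFI. libc is linked by std,
// so these resolve without extra crates.
extern "C" {
    fn strlen(s: *const c_char) -> usize;
    fn memcpy(dst: *mut c_void, src: *const c_void, n: usize) -> *mut c_void;
}

#[derive(Debug, PartialEq)]
pub enum FfiError {
    /// A C string cannot contain a NUL byte; rejecting it avoids silent truncation.
    InteriorNul,
    /// The destination buffer is too small for the source (the classic overflow).
    DestTooSmall { needed: usize, have: usize },
}

/// Safe wrapper: the only route to the C `strlen` in this module.
pub fn c_strlen(s: &str) -> Result<usize, FfiError> {
    // CString::new adds the terminator and fails on interior NULs.
    let c = CString::new(s).map_err(|_| FfiError::InteriorNul)?;
    // SAFETY: `c` is NUL-terminated and lives until the call returns.
    Ok(unsafe { strlen(c.as_ptr()) })
}

/// Safe wrapper around memcpy: bounds are checked in Rust before any raw
/// pointer reaches C, so the copy cannot write past `dst`.
pub fn c_copy(dst: &mut [u8], src: &[u8]) -> Result<usize, FfiError> {
    if src.is_empty() {
        return Ok(0); // nothing to copy; skip the FFI call entirely
    }
    if dst.len() < src.len() {
        return Err(FfiError::DestTooSmall { needed: src.len(), have: dst.len() });
    }
    // SAFETY: both slices are valid for src.len() bytes, and a &mut and a
    // & slice cannot alias, so the no-overlap requirement of memcpy holds.
    unsafe {
        memcpy(dst.as_mut_ptr() as *mut c_void, src.as_ptr() as *const c_void, src.len());
    }
    Ok(src.len())
}

fn main() {
    println!("{:?}", c_strlen("hello"));            // Ok(5)
    let mut buf = [0u8; 4];                         // constructed sample buffer
    println!("{:?}", c_copy(&mut buf, b"hello!"));  // Err(DestTooSmall { needed: 6, have: 4 })
}
```

The point is where the check lives: the wrapper refuses bad input before the `unsafe` block, so every caller in new Rust code inherits the guarantee without reasoning about C semantics.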
### For Large Enterprises
- Adopt the "Safe Handover" approach: instead of a total rewrite, replace the most frequently modified sections of legacy code with memory-safe equivalents piece by piece.
- Monitor the age of the codebase—prioritize security audits for the *newest* code rather than the oldest.
## Configuration Examples
While the blog focuses on language selection rather than specific config files, the following implementation logic applies:
* **Compiler Flags (Clang/GCC for remaining C++):**

  ```bash
  # Enable stack smashing protection and hardening
  -fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2 -Wl,-z,relro,-z,now
  ```
* **Rust (Cargo.toml) for Memory Safety:**

  ```toml
  [dependencies]
  # Use 'safe' wrappers for C libraries
  # Avoid the 'unsafe' keyword in new Rust modules
  ```
## Compliance Alignment
- **NIST SP 800-218 (SSDF):** Aligns with the "Produce Secure Software" category by utilizing safe-by-design programming languages.
- **ISO/IEC 27001:** Supports A.14 (System acquisition, development, and maintenance).
- **CISA "Secure by Design" Initiative:** Directly follows federal guidance on eliminating memory-unsafe languages from the software supply chain.
## Common Pitfalls to Avoid
- **The "Rewrite Everything" Trap:** Avoid spending massive budgets rewriting stable, five-year-old C++ code. You are more likely to introduce new bugs in the rewritten code than to fix existing ones.
- **Mixing Unsafe Logic into Safe Languages:** Using the `unsafe` keyword in Rust or bypassing bounds checks in other languages defeats the purpose of the transition.
- **Ignoring New Vulnerabilities:** Memory safety does not prevent logic flaws. Do not neglect traditional application security testing (SAST/DAST).
## Resources
- **Rust Programming Language:** [rust-lang[.]org]
- **Google Online Security Blog:** [security[.]googleblog[.]com]
- **CISA/NSA Memory Safety Guidance:** [cisa[.]gov/resources-tools/resources/case-memory-safety]
- **Usenix Research on Bug Density:** Reference for code age vs. bug probability.