
Stop using C and C++: secure application development is at risk

Programming languages such as C and C++, introduced in the 1970s and 1980s, are still widely used because they are powerful and flexible. Today more than ever, however, programs written in C/C++ are often vulnerable because of memory management errors.

Memory safety in applications (we covered it in depth in an earlier article) refers to a class of risks and vulnerabilities that can let an attacker interfere with the correct functioning of an application, up to executing malicious code and stealing confidential information.

Why the use of C and C++ can lead to insecure applications

C and C++ provide direct control over memory, allowing developers to allocate and deallocate data manually. In the article mentioned above, we covered the most dangerous situations.

In any case, buffer overflow errors can be exploited by attackers to overwrite critical portions of memory, and pointer manipulation for direct memory access can be abused to read unallocated memory areas without authorization or to tamper with the contents of other areas.

While many modern languages provide automatic memory checks, such as garbage collection, C and C++ offer nothing comparable, leaving the responsibility for managing memory to the programmer.

Not to mention that C and C++ provide few built-in security tools: code verification depends mainly on the developers' own efforts and on the use of appropriate analysis tools.
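As an added illustration (not code from the article), the following C snippet shows the kind of unbounded copy the text refers to beside a bounds-checked replacement; the `record` struct, its field names and the buffer size are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Constructed example record: a fixed-size name followed by a flag that
 * sits right after it in memory, so an overrun of `name` corrupts `admin`. */
struct record {
    char name[NAME_LEN];
    int  admin;
};

/* Unsafe pattern: the copy is unbounded, so any input of NAME_LEN bytes or
 * more runs past `name` (undefined behaviour). Shown for contrast only;
 * it must never be called with input whose length is not already known. */
static void set_name_unsafe(struct record *r, const char *src) {
    strcpy(r->name, src);
}

/* Hardened pattern: measure the input against the buffer before copying,
 * reject anything that does not fit (including a missing terminator
 * within the bound), and leave the record untouched on failure. */
static bool set_name_safe(struct record *r, const char *src) {
    size_t n = 0;
    while (n < NAME_LEN && src[n] != '\0') {
        n++;
    }
    if (n == NAME_LEN) {
        return false;              /* no room for the NUL terminator */
    }
    memcpy(r->name, src, n + 1);   /* copies the terminator too */
    return true;
}

int main(void) {
    struct record r = { "", 0 };
    set_name_unsafe(&r, "bob");    /* only safe because "bob" is known to fit */
    printf("short name accepted:  %d\n", set_name_safe(&r, "alice"));
    printf("oversized rejected:   %d\n",
           !set_name_safe(&r, "this_name_is_far_too_long_for_the_buffer"));
    printf("name still '%s', admin still %d\n", r.name, r.admin);
    return 0;
}
```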

Just think that in 2019 Microsoft stated that 70% of software vulnerabilities derive precisely from memory management problems. In 2020, Google reached the same conclusion, revealing that 70% of the security issues in Chromium (and consequently in all web browsers derived from it) are memory-related.

USA: set aside the C and C++ languages. Which options are preferable?

The US Government, through the office responsible for national cybersecurity (ONCD, Office of the National Cyber Director), has published an in-depth document calling for the attention of software developers. The report recommends moving to programming languages that promote safe memory management.

Responsibility for IT security must not rest only with small businesses and individual users. According to ONCD, the responsibility falls instead on the largest organizations, on technology companies and, ultimately, on the Government.

Describing languages such as C and C++ as intrinsically "unsafe", ONCD asked companies and software engineers to adopt the best possible practices in order to reduce the attack surface exposed to attackers.

Writing memory-safe code is possible by choosing the right languages: Rust, Go, C#, Java, Swift, JavaScript and Ruby are the main examples. Not by chance, Rust is in first place: a language that Linux developers, Microsoft software engineers and browser programmers such as those working on Chromium/Chrome are increasingly using to rewrite operating system kernels and improve the security of critical parts of applications used by millions of users.

We have seen in other articles what the use of Rust in Chromium means, why the adoption of Rust in the Windows 11 kernel is good news and where the development of the Linux kernel is going.

Opening image credit: iStock.com – Manfort Surroundings
