In a recently published blog post, Google explained how it makes its software less susceptible to flaws and vulnerabilities, and thus less interesting to cybercriminals. Its approach includes two key pillars: hardening super-popular, yet unsafe, programming languages, while slowly (but surely) transitioning towards up-and-coming, memory-safe languages.
Earlier this week, Alex Rebert of Security Foundations and Core Developers Chandler Carruth, Jen Engel, and Andy Qin wrote an article saying that about 70% of severe vulnerabilities in memory-unsafe codebases are due to memory safety bugs.
These vulnerabilities are then found, and exploited, by malicious actors who can do real-world harm. Last year, the number of vulnerabilities exploited in the wild almost hit an all-time high, and among them, 75% of the CVEs used in zero-day exploits were memory safety vulnerabilities.
C and C++
Understanding these problems also means doing something about them, and Google is apparently now going for this two-pronged approach.
“Our long-term objective is to progressively and consistently integrate memory-safe languages into Google’s codebases while phasing out memory-unsafe code in new development. Given the amount of C++ code we use, we anticipate a residual amount of mature and stable memory-unsafe code will remain for the foreseeable future.”
Basically, Google is saying that it is impossible to flat-out replace C and C++, despite the general consensus being that they are memory-unsafe languages. Therefore, until that migration is complete, the company will work on risk reduction and containment, which includes C++ hardening (retrofitting safety at scale in memory-unsafe code), security boundaries (strengthening critical software infrastructure components through expanded use of isolation techniques), and bug detection (investing further in bug detection tooling and innovative research).
Lastly, Google said it is “actively working” with the semiconductor and research communities on emerging hardware-based approaches to improve memory safety.
“We believe it’s important to embrace the opportunity to achieve memory safety at scale, and that it will have a positive impact on the safety of the broader digital ecosystem,” Google concludes. “This path forward requires continuous investment and innovation to drive safety and velocity, and we remain committed to the broader community to walk this path together.”