What's better than patching every CVE? New technologies that eliminate an entire class of CVEs. Policymakers agree, and the FY'24 National Defense Authorization Act draft contains some text with massive implications for software development and procurement by the Department of Defense.
Memory-safety bugs continue to be the largest source of software vulnerabilities, and the U.S. Government is finally ready to use its purchasing power to help push the industry forward. According to Consumer Reports’ Future of Memory Safety report, “60 to 70 percent of browser and kernel vulnerabilities—and security bugs found in C/C++ code bases—are due to memory unsafety, many of which can be solved by using memory-safe languages.”
Memory-safe languages have been around for a long time. But until recently, they weren’t performant or scalable enough for low-level programming at the kernel or firmware level, so a whole class of developers continued to use memory-unsafe languages.
“We now have the tools and skills necessary to eliminate memory safety bugs from software, it’s just a matter of committing to doing it. In our work to bring memory safety to TLS, NTP, the Linux kernel, and DNS among others, we’ve been pleasantly surprised at the speed of progress. Highlighting the need for better memory safety policy in the FY'24 NDAA is a big step forward, one that’s great for U.S. national security but will have ripple effects in other industries and across the globe,” commented Josh Aas, ISRG’s Executive Director.
We’ve also seen, over the past year, the public sector push for more accountability and policy that would further mandate the use of memory-safe programming languages. We saw this with the inclusion of memory-safe programming in the White House National Cyber Strategy and the Omnibus appropriations bill, and this week the Senate Armed Services FY’24 NDAA draft includes a section on memory-safe programming languages.
By encouraging the use of memory safe programming languages, lawmakers are taking an important step in ensuring the security and integrity of government systems and data. Identifying and addressing these vulnerabilities and moving towards memory safe programming languages will allow the federal government to eliminate an entire class of threats.
There's a massive amount of software that needs to be rewritten in the next few decades, and at Chainguard we’re proud to commit to distributing these new memory-safe alternatives wherever possible inside Wolfi, the first memory safe distribution. We're already shipping Rust implementations of the TLS and HTTP backends in curl, a memory-safe sudo implementation, and we have plans to ship rav1d, an AV1 decoder, as soon as it is ready.
For the programs we can't replace yet, we make use of the most advanced compiler techniques to reduce the impact of these memory safety bugs, going far beyond what most other distributions do.
Wolfi is optimized for cloud native, containerized environments like Kubernetes. It is our hope that developers will adopt Wolfi as the standard distro because it automatically increases the security of their software lifecycle.
There has been a significant push from industry to transition all coding to memory safe languages, like Rust. These efforts are backed by major organizations like Google and AWS. Continuing to use memory unsafe code is a national security concern and the inclusion of this effort in the NDAA is a necessary step. It is hard to imagine another security initiative with a better return on investment.