Identification numbers compromised. Public transit suspended. Healthcare systems rendered inoperative until ransom demands are settled. These are some of the detrimental repercussions of insecure memory in computing environments.
In the last ten years, public consciousness regarding these cyber assaults has escalated, as their repercussions have adversely affected individuals, businesses, and governments. Presently, this awareness aligns with technologies that have matured sufficiently to eradicate vulnerabilities in memory safety.
“We are at a pivotal moment — now is the ideal opportunity to transition to memory-safe systems,” states Hamed Okhravi, a cybersecurity authority in MIT Lincoln Laboratory’s Secure Resilient Systems and Technology Group.
In an op-ed published earlier this year in Communications of the ACM, Okhravi, alongside 20 other prominent figures in the realm of computer security, outlined a strategy for achieving comprehensive memory safety. They advocate for a standardized framework as a critical next move for the widespread adoption of memory-safety technologies across all types of computing systems, from military aircraft to mobile devices.
Memory-safety issues arise when a program performs unintended or incorrect operations on memory. Such bugs are widespread, accounting for an estimated 70 percent of software weaknesses. If attackers can access memory, they may steal confidential data, alter program behavior, or even seize control of the computing system.
These weaknesses stem largely from widely used programming languages such as C and C++, which are not memory-safe by design. A single mistake by a software developer, perhaps one line among a system's millions of lines of code, can be enough for an attacker to exploit. More recently, memory-safe languages such as Rust have been developed. However, rewriting legacy systems in these languages can be expensive and complex.
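The following added example, which is not code from the article or from Lincoln Laboratory, shows the kind of one-line mistake the text describes and the bounds check that removes it. The record layout, field names, and inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed example (not from the article): a fixed-size record where a
 * security-relevant field sits directly after a character buffer. */
#define NAME_LEN 16

struct record {
    char name[NAME_LEN];
    uint32_t privileged;   /* adjacent to the buffer in memory */
};

/* Memory-unsafe: C performs no bounds check on this copy. An input longer
 * than NAME_LEN - 1 bytes writes past `name` into `privileged`, which is
 * undefined behaviour and the kind of single-line defect an attacker can
 * turn into data theft or control of the program. Shown for contrast only. */
void set_name_unsafe(struct record *r, const char *input)
{
    strcpy(r->name, input);
}

/* Hardened: the length is checked before any byte is written, and an
 * oversized input is rejected instead of silently corrupting adjacent
 * memory. Returns 0 on success, -1 if the input does not fit. */
int set_name_safe(struct record *r, const char *input)
{
    size_t n = 0;
    /* Bounded scan: never reads past NAME_LEN bytes of the input either. */
    while (n < NAME_LEN && input[n] != '\0')
        n++;
    if (n == NAME_LEN)
        return -1;          /* no room left for the terminating NUL */
    memcpy(r->name, input, n);
    r->name[n] = '\0';
    return 0;
}

int main(void)
{
    struct record r = { "", 0 };
    /* Constructed input: 24 bytes, well beyond the 15 usable characters. */
    const char *long_input = "AAAAAAAAAAAAAAAAAAAAAAAA";

    if (set_name_safe(&r, long_input) < 0)
        printf("rejected oversized name; privileged is still %u\n", r.privileged);
    if (set_name_safe(&r, "alice") == 0)
        printf("stored name: %s\n", r.name);
    return 0;
}
```

The contrast is the point of the article's argument: nothing in the C language stops `set_name_unsafe` from compiling or running, so the check in `set_name_safe` has to be written (and reviewed) by hand on every such line, whereas a memory-safe language enforces the equivalent check for every array access by default.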
Okhravi emphasizes the national security ramifications of memory-safety vulnerabilities. For the U.S. Department of Defense (DoD), whose systems involve billions of lines of legacy C or C++ code, memory safety has been a recognized concern for some time. The National Security Agency (NSA) and the federal government have recently called on technology developers to eradicate memory-safety vulnerabilities from their offerings. Security issues extend beyond military applications to general consumer products.
“Cell phones, for instance, may not be immediately significant for defense or combat, but if we have 200 million vulnerable cell phones in the country, that presents a serious concern for national security,” Okhravi asserts.
Memory-safe technology
Recently, numerous technologies have surfaced to address memory vulnerabilities in legacy systems. As the guest editor for a special issue of IEEE Security and Privacy, Okhravi commissioned articles from leading contributors in the field to showcase these technologies and the ways in which they can complement each other.
Some of these memory-safety solutions were developed at Lincoln Laboratory, with funding from DoD entities. They include TRACER and TASR, software tools for Windows and Linux systems, respectively, that rearrange the location of code in memory each time a program accesses it, making it extremely difficult for attackers to locate the code a working exploit depends on. These moving-target strategies have since been licensed by cybersecurity and cloud service providers.
“These technologies offer quick solutions, enabling us to make a substantial immediate impact without requiring a complete system overhaul. However, they are merely a partial remedy, serving to secure legacy systems while we transition to safer languages,” Okhravi explains.
Pioneering efforts are in progress to facilitate that transition. For instance, the TRACTOR program at the U.S. Defense Advanced Research Projects Agency is developing AI tools to automatically convert legacy C code to Rust. Researchers at Lincoln Laboratory will assess the translator for use in DoD systems.
In their op-ed, Okhravi and his coauthors acknowledged that the timeline for fully adopting memory-safe systems is protracted — likely spanning decades. It will necessitate the implementation of a combination of new hardware, software, and methodologies, each with its distinct adoption paths, costs, and disruptions. Organizations should prioritize mission-critical systems initially.
“For instance, the most vital components in a fighter jet, such as the flight-control algorithms or the munition-handling protocols, would be rendered memory-safe, let’s say, within five years,” Okhravi states. Subsystems less crucial to critical operations would have a longer timeline.
Utilization of memory-safe programming languages at Lincoln Laboratory
As Lincoln Laboratory maintains its leadership in enhancing memory-safety technologies, the Secure Resilient Systems and Technology Group has made it a priority to adopt memory-safe programming languages. “We’ve been investing in the group-wide adoption of Rust over the past six years as part of our larger strategy to prototype cyber-hardened mission systems and high-assurance cryptographic implementations for the DoD and intelligence sector,” remarks Roger Khazan, the group leader. “Memory safety is essential to ensuring the reliability of these systems.”
Rust’s robust assurances concerning memory safety, combined with its speed and ability to identify bugs at an early stage of development, make it particularly suitable for constructing secure and dependable systems. The laboratory has been employing Rust to prototype and transition secure components for embedded, distributed, and cryptographic systems where resilience, performance, and accuracy are mission-critical.
These initiatives support both the immediate needs of the U.S. government and a longer-term evolution of the national security software landscape. “They represent Lincoln Laboratory’s broader mission of promoting technology in service to national security, rooted in technical excellence, innovation, and trust,” Khazan adds.
A technology-agnostic framework
As new computing systems are developed, developers require a framework of memory-safety standards to guide them. Presently, efforts to mandate memory safety in new systems are hindered by the absence of a clear set of definitions and practices.
Okhravi stresses that this standardized framework ought to be technology-neutral and provide explicit timelines with sets of requirements tailored for various system types.
“In the procurement process for the DoD, and even within the commercial arena, when we demand memory safety, it should not be linked to a specific technology. It ought to be sufficiently generic so that different system types can apply various technologies to achieve it,” he articulates.
Addressing this deficiency not only necessitates building industrial consensus on technical approaches but also requires collaboration with government and academia to bring this initiative to fruition.
The need for cooperation was a catalyst for the op-ed, and Okhravi indicates that the consortium of experts will advocate for standardization from their positions across industry, government, and academia. Contributors to the paper represent a diverse range of institutes, including the University of Cambridge and SRI International, as well as Microsoft and Google. Together, they are generating momentum to finally eliminate memory vulnerabilities and the associated costly repercussions.
“We are witnessing a shift in the cost-risk trade-off perspective, partly due to the maturation of technology and partly because of such significant incidents,” Okhravi remarks. “We constantly hear that a specific breach resulted in billions of dollars in damages. Meanwhile, securing the system might have only cost 10 million dollars. Wouldn’t we have been better off pursuing that effort?”