Memory Safety revisited

René Pfeiffer / March 4, 2024 / Conference

Block diagram of a processor. Source: https://stackoverflow.com/questions/38677005/direct-memory-access

Memory safety is the most important problem in information security. This is something the White House and the NSA want you to believe. The recommendation is to use a different programming language, and all our problems will magically disappear. The proposal sounds a lot like the typical magic bullet solution, just like one of the many marketing promises of vendors since the 1990s.

Attacks on memory buffers are the least of your current problems. Attackers use "living off the land" attacks which use memory-safe scripting languages. If you look at the CWE statistics, then there are lots and lots of input validation errors that will bring down the security of many applications. Most web applications use questionable frameworks that are neither mature nor well-tested. Access to storage systems (SQL or NoSQL) still features injection attacks. The same goes for cross-site scripting (XSS). A lot of desktop applications are just web pages run by local servers and clients. Modern attacks are memory safe and just turn XSS into remote code execution (RCE).

We recommend the article "A reactionary take on memory safety" for a different perspective on the matter. Our experience in teaching secure coding techniques also shows that the choice of the programming language is the least of your problems. Major blunders are possible across platforms – especially mathematical errors and missing input validation. Don't let yourself be blinded by white papers.

About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.