Google is tackling one of the most problematic security issues in open source: memory-safety vulnerabilities. According to a recent report from Microsoft’s Security Response Center, a majority of vulnerabilities are due to memory-safety issues, and Google believes almost half of these issues could be prevented by using a memory-safe language.
“Software written in unsafe languages often contains hard-to-catch bugs that can result in severe security vulnerabilities, and we take these issues seriously at Google,” Dan Lorenc from Google’s infrastructure security team wrote in a post.
To address these issues, Google is expanding its partnership with the Internet Security Research Group (ISRG), and will work to reimplement critical open-source software in memory-safe languages.
“It’s time to start taking advantage of memory-safe programming languages that prevent these errors from being introduced. At Google, we understand the value of the open source community and in giving back to support a strong ecosystem,” Lorenc wrote.
Some of the measures Google already has in place include:
- Its free OSS-Fuzz service, which has found more than 5,500 vulnerabilities caused by memory-safety errors across 375 open-source projects
- A rewards program that provides financial incentives for adopting fuzzing
- Syzkaller for detecting bugs in operating system kernels
- gVisor, a sandbox designed to reduce the impact of bugs
Google will also be working on ISRG’s Rust-based HTTP and TLS backends as well as the new TLS library for Apache httpd. “These codebases sit at the gateway to the internet and their security is critical in the protection of data for millions of users worldwide,” wrote Lorenc.
He added: “The ISRG’s approach of working directly with maintainers to support rewriting tools and libraries incrementally falls directly in line with our perspective here at Google.”