Article Details

Scrape Timestamp (UTC): 2025-02-13 01:40:09.929

Source: https://www.theregister.com/2025/02/13/fbi_cisa_unforgivable_buffer_overflow/

Original Article Text


The Feds want developers to stop coding 'unforgivable' buffer overflow vulns

FBI, CISA harrumph at Microsoft and VMware in call for coders to quit baking avoidable defects into stuff

US authorities have labelled buffer overflow vulnerabilities "unforgivable defects", pointed to the presence of the holes in products from the likes of Microsoft and VMware, and urged all software developers to adopt secure-by-design practices to avoid creating more of them.

Buffer overflow vulnerabilities occur when software unexpectedly writes more data to a region of memory than has been allocated for that data. The extra information spills into adjacent memory, altering it. Smart attackers can feed carefully crafted data into software with these bugs to hijack the flow of the program so that it can be made to do malicious things, or simply crash it. (You can learn how to exploit these sorts of holes, and then how not to make these bugs in the first place, by studying books and then playing through wargames.)

In a Wednesday advisory the FBI and Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA) labelled such memory safety flaws "unforgivable" because they're avoidable if developers stop using outdated and unsafe coding practices and languages.

The agencies highlighted a half-dozen buffer overflow vulnerabilities, some of which attackers exploited before manufacturers issued patches:

"CISA and FBI maintain that the use of unsafe software development practices that allow the persistence of buffer overflow vulnerabilities — especially the use of memory-unsafe programming languages — poses unacceptable risk to our national and economic security," the two government agencies wrote in their joint security alert.

The Feds point out that developers can avoid creating such flaws using memory-safe coding languages such as Rust, Go, and Swift.
Both agencies understand that rewriting entire codebases in memory-safe languages will require "significant effort," and as such recommend manufacturers implement a phased transition plan. While making this shift, "manufacturers should also consider leveraging technologies to limit memory safety vulnerabilities in their existing code bases," CISA and the FBI note.

The Feds also fancy compiler flags that implement compile-time and runtime protections might help. Running unit tests with an instrumented toolchain – one with AddressSanitizer and MemorySanitizer enabled, basically – is also mentioned as a helpful tactic. Both tools instrument the compiled binary so that memory safety issues are caught at runtime: AddressSanitizer flags out-of-bounds accesses and use-after-free, while MemorySanitizer flags reads of uninitialized memory.

The government also urged software developers to "conduct aggressive adversarial product testing, including static analysis, fuzzing, and manual reviews" throughout the entire development lifecycle. Undertaking root-cause analysis of past vulnerabilities was also recommended, so developers can learn from past mistakes.
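The following is an added example, not code from the article or from any of the products it mentions. It shows the bug class the advisory describes, a fixed-size stack buffer filled from an attacker-controlled length, next to the bound-checked form that the advisory's "technologies to limit memory safety vulnerabilities" are meant to catch in legacy code. All function and buffer names are illustrative, and the build flags in the comments are the standard GCC/Clang options for the stack protector and AddressSanitizer rather than anything the advisory prescribes.

```c
/* Added example (not from the article): a fixed-size-buffer copy, first in
 * its vulnerable form and then hardened with an explicit bound check.
 * Function and buffer names are illustrative. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16

/* VULNERABLE: trusts the caller-supplied length and copies it into a
 * 16-byte stack buffer. A 'len' larger than NAME_MAX writes past 'name'
 * into whatever the compiler placed next on the stack (saved registers,
 * the return address, ...), which is the control-flow hijack the advisory
 * warns about. Kept here only for comparison; never call it with
 * untrusted 'len'. */
void greet_unsafe(const char *input, size_t len) {
    char name[NAME_MAX];
    memcpy(name, input, len);       /* no check against sizeof(name) */
    name[len] = '\0';               /* and one more byte past it */
    printf("hello, %s\n", name);
}

/* HARDENED: same behaviour for legitimate input, but the length is checked
 * against the destination size before any write, and oversized input is
 * rejected explicitly instead of being silently truncated. */
bool copy_name_safe(char *dst, size_t dst_size, const char *input, size_t len) {
    if (dst == NULL || input == NULL || dst_size == 0) {
        return false;
    }
    if (len >= dst_size) {          /* leave room for the terminator */
        return false;
    }
    memcpy(dst, input, len);
    dst[len] = '\0';
    return true;
}

/* Returns true when the name was copied and printed, false when rejected. */
bool greet_safe(const char *input, size_t len) {
    char name[NAME_MAX];
    if (!copy_name_safe(name, sizeof name, input, len)) {
        fprintf(stderr, "rejected: %zu bytes exceeds %zu-byte buffer\n",
                len, sizeof name);
        return false;
    }
    printf("hello, %s\n", name);
    return true;
}

int main(void) {
    /* Constructed inputs: one that fits and one that does not. */
    const char ok[] = "alice";
    char oversized[64];
    memset(oversized, 'A', sizeof oversized);   /* 64 x 'A', no terminator */

    greet_safe(ok, strlen(ok));                 /* prints "hello, alice" */
    greet_safe(oversized, sizeof oversized);    /* rejected, nothing written */

    /* To watch the unsafe version corrupt the stack, uncomment the call and
     * build with an instrumented toolchain as the advisory suggests, e.g.
     *   gcc -O1 -g -fsanitize=address -fstack-protector-strong demo.c
     * AddressSanitizer reports a stack-buffer-overflow at the memcpy; with
     * only -fstack-protector-strong the canary check aborts the process on
     * return instead of letting the corrupted frame be used. */
    /* greet_unsafe(oversized, sizeof oversized); */
    return 0;
}
```

The hardened version deliberately fails closed: a caller that passes a length of 16 or more gets `false` rather than a 15-byte truncation, because silent truncation is its own class of parser-differential bug. The same check expressed as `len < dst_size` is what the compiler cannot infer for you in C, which is the gap the memory-safe languages named in the advisory close by construction.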

Daily Brief Summary

MISCELLANEOUS // U.S. Agencies Urge Developers to Eliminate Buffer Overflow Vulnerabilities

U.S. authorities, including the FBI and CISA, have emphasized the importance of eliminating "unforgivable" buffer overflow vulnerabilities in software development.

These vulnerabilities happen when software writes more data to a memory area than was allocated for it, corrupting adjacent memory and allowing attackers to hijack or crash the program.

Criticism was directed at major companies like Microsoft and VMware for allowing these vulnerabilities in their products.

The agencies advocate the use of memory-safe programming languages like Rust, Go, and Swift to prevent such security flaws.

A phased transition plan is recommended for companies to shift their current codebases to memory-safe languages while utilizing technologies to reduce vulnerabilities in existing systems.

Enhanced protective measures suggested include using compiler flags that add compile-time and runtime protections, running unit tests under an instrumented toolchain (AddressSanitizer and MemorySanitizer), and conducting comprehensive adversarial product testing such as static analysis, fuzzing, and manual review.

The agencies also recommend conducting a root-cause analysis of previous incidents to learn from past mistakes and improve security practices.