CISA et al: "Exploring Memory Safety in Critical Open Source Projects"
Mabry Tyson
Tyson at AI.SRI.COM
Thu Jun 27 02:08:25 AEST 2024
Since openssh-portable is mentioned in this report, I thought I'd make
this list aware of it.
(I am not associated with the report or the agencies that published it.
I just try to keep aware of what CISA reports.)
Cybersecurity and Infrastructure Agency (CISA) and other agencies have
released a report that catalogues the amount of code in a number of
large open source projects that is written in memory-unsafe languages.
Exploring Memory Safety in Critical Open Source Projects
<https://www.cisa.gov/sites/default/files/2024-06/joint-guidance-exploring-memory-safety-in-critical-open-source-projects-508c.pdf>
My take is the theme of the report is that moving toward more code in
memory-safe languages reduces the chance of vulnerabilities due to
memory-unsafe issues.
The report acknowledges difficulties in getting the numbers right, and
of course makes no judgement as to the quality of any code.
The report also acknowledges that there are good reasons for some usage
of memory-unsafe code.
openssh-portable is listed as having 142 KLoC of which 120 KLoC are
written in memory-unsafe languages, for a ratio of 85%.
Please recognize this is a statistic, not a judgement.
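As an added illustration (not part of the original post, and not the report's own tooling), here is a small line counter that classifies files by extension and computes a memory-unsafe ratio of the kind the report tabulates; the extension-to-language tables and the sample file tree are constructed assumptions, and the counting choices in the comments show why such numbers are hard to get exactly right.

```python
"""Compute a memory-unsafe line-of-code ratio over an in-memory file tree."""
from __future__ import annotations

import os
from dataclasses import dataclass

# Assumed classification by extension; a real survey tool's language
# detection rules (and its treatment of headers, generated code, tests
# and vendored sources) may differ, which is one reason totals disagree.
MEMORY_UNSAFE = {".c": "C", ".h": "C", ".cc": "C++", ".cpp": "C++", ".S": "Assembly"}
MEMORY_SAFE = {".rs": "Rust", ".go": "Go", ".py": "Python", ".sh": "Shell"}


def count_lines(text: str) -> int:
    """Count non-blank lines. Counting blank or comment lines instead would
    shift the ratio, so any published KLoC figure depends on this choice."""
    return sum(1 for line in text.splitlines() if line.strip())


@dataclass
class Tally:
    unsafe: int = 0
    safe: int = 0
    unclassified: int = 0  # build scripts, docs, etc.: excluded from the ratio

    @property
    def total(self) -> int:
        return self.unsafe + self.safe

    @property
    def unsafe_ratio(self) -> float:
        return self.unsafe / self.total if self.total else 0.0


def tally(files: dict[str, str]) -> Tally:
    """Map {path: contents} to per-category non-blank line counts."""
    t = Tally()
    for path, text in files.items():
        ext = os.path.splitext(path)[1]
        n = count_lines(text)
        if ext in MEMORY_UNSAFE:
            t.unsafe += n
        elif ext in MEMORY_SAFE:
            t.safe += n
        else:
            t.unclassified += n
    return t


# Constructed sample tree (not real project sources).
SAMPLE = {
    "sshd.c": "#include <stdio.h>\nint main(void) {\n\n  return 0;\n}\n",
    "kex.h": "#ifndef KEX_H\n#define KEX_H\n#endif\n",
    "configure.ac": "AC_INIT\n",
    "regress/run.sh": "#!/bin/sh\necho ok\n",
    "tools/check.py": "print('x')\n",
}

if __name__ == "__main__":
    t = tally(SAMPLE)
    print(f"unsafe={t.unsafe} safe={t.safe} ratio={t.unsafe_ratio:.0%}")
```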