CISA et al: "Exploring Memory Safety in Critical Open Source Projects"

Mabry Tyson Tyson at AI.SRI.COM
Thu Jun 27 02:08:25 AEST 2024


Since openssh-portable is mentioned in this report, I thought I'd make 
this list aware of it.
(I am not associated with the report or the agencies that published it.  
I just try to keep aware of what CISA reports.)

Cybersecurity and Infrastructure Agency (CISA) and other agencies have 
released a report that catalogues the amount of code in a number of 
large open source projects that is written in memory-unsafe languages.
Exploring Memory Safety in Critical Open Source Projects 
<https://www.cisa.gov/sites/default/files/2024-06/joint-guidance-exploring-memory-safety-in-critical-open-source-projects-508c.pdf>

My take is the theme of the report is that moving toward more code in 
memory-safe languages reduces the chance of vulnerabilities due to 
memory-unsafe issues.

The report acknowledges difficulties in getting the numbers right, and 
of course makes no judgement as to the quality of any code.
The report also acknowledges that there are good reasons for some usage 
of memory-unsafe code.

openssh-portable is listed as having 142 KLoC of which 120 KLoC are 
written in memory-unsafe languages, for a ratio of 85%.

Please recognize this is a statistic, not a judgement.
