memory corruption as attack vector

Liste des GroupesRevenir à c misc 
Sujet : memory corruption as attack vector
De : fungus (at) *nospam* amongus.com.invalid (Retrograde)
Groupes : comp.misc
Date : 17. Mar 2024, 10:00:48
Autres entêtes
Message-ID : <65f6b140$0$19592$882e4bbb@reader.netnews.com>
From the «alzheimers as a service» department:
Feed: OSnews
Title: Secure by design: Google’s perspective on memory safety
Author: Thom Holwerda
Date: Fri, 15 Mar 2024 10:45:06 -0400
Link: https://www.osnews.com/story/138837/secure-by-design-googles-perspective-on-memory-safety/


Google’s Project Zero reports[1] that memory safety
vulnerabilities[2]—security defects caused by subtle coding errors related to
how a program accesses memory—have been “the standard for attacking software
for the last few decades and it’s still how attackers are having success”.
Their analysis shows two thirds of 0-day exploits detected in the wild used
memory corruption vulnerabilities. Despite substantial investments to improve
memory-unsafe languages, those vulnerabilities continue to top the most
commonly exploited vulnerability classes[3].

In this post, we share our perspective on memory safety in a comprehensive
whitepaper[4]. This paper delves into the data, challenges of tackling memory
unsafety, and discusses possible approaches for achieving memory safety and
their tradeoffs. We’ll also highlight our commitments towards implementing
several of the solutions outlined in the whitepaper, most recently with a
$1,000,000 grant to the Rust Foundation[5], thereby advancing the development
of a robust memory-safe ecosystem.
↫ Alex Rebert and Christoph Kern at Google’s blog[6]

Even as someone who isn’t a programmer, it’s impossible to escape the rising
tide of memory-safe languages, with Rust leading the charge. If this makes the
software we all use objectively better, I’ll take the programmers complaining
they have to learn something new.

Links:
[1]: https://googleprojectzero.blogspot.com/2022/04/the-more-you-know-more-you-know-you.html (link)
[2]: https://www.memorysafety.org/docs/memory-safety/ (link)
[3]: https://cwe.mitre.org/top25/archive/2023/2023_kev_list.html (link)
[4]: https://research.google/pubs/pub53121/ (link)
[5]: https://security.googleblog.com/2024/02/improving-interoperability-between-rust-and-c.html (link)
[6]: https://security.googleblog.com/2024/03/secure-by-design-googles-perspective-on.html (link)


Date Sujet#  Auteur
17 Mar 24 o memory corruption as attack vector1Retrograde

Haut de la page

Les messages affichés proviennent d'usenet.

NewsPortal