-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
adds initial draft of memory safety continuum #20
Changes from 3 commits
58fecdf
403991c
1576920
85bc433
a985d78
368f817
4f1a5ed
1e72beb
935898d
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,66 @@ | ||
# Memory Safety Continuum | ||
|
||
At this SIG's January 25, 2024 meeting, we discussed the idea of a continuum when it comes to software memory safety. | ||
|
||
When discussing memory safety, it's easy to fall into the idea of a memory safety binary - either your software is "memory safe" or it is not. When considering reality - especially with re: to so much existing software (legacy or not) - it is more nuanced. | ||
|
||
This DRAFT document lays out the idea of the "Memory Safety Continuum". Eventually, this idea may be used as a foundation for other content which will help developers and organizations identify where they are on the continuum and how to get to where they want to be. | ||
|
||
## What is Memory Safety? | ||
|
||
Rather than using terms like "Memory Safe Language" and "Memory Unsafe Language", this SIG prefers the terms "memory safe by default" and "non-memory safe by default". Please see our [useful definitions](definitions.md) file for more information about memory safety and undefined behavior. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I like this! |
||
|
||
## The Continuum | ||
|
||
This is a very rough idea of what the continuum might look like - from "least safety" to "most safety" | ||
|
||
* Using a non-memory safe by default language (such as C or C++) without any developer best practices or automated tooling to check for memory safety | ||
* Using a non-memory safe by default language with developer best practices, but no automated tooling to check for memory safety | ||
* Using a non-memory safe by default language with developer best practices and automated tooling to check for memory safety | ||
* Using a memory safe by default language (such as Rust, Go, Python, Java, JavaScript, C#) without developer best practices and automated tooling | ||
* Using a memory safe by default language with developer best practices | ||
* Using a memory safe by default language with developer best practices and automated tooling | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. i wonder if we should consider cases such as:
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. What about when you disable the memory safeties (in languages like Rust, Ada, and C#, where that's possible)? If there's a small amount (say, a few dozen lines or under 0.1%) that's probably fine. If you have a large package that disables safeties, it's really just a memory-unsafe language & should be treated that way. If you formally prove a program has no memory safety issues (as opposed to using a typical SAST) tool, then I'd say you are using a memory-safe language (even if it's C). Of course, the number of programs (like seL4) where that true is small, but it is a possibility. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Good points - I've added content about them in the FAQs. |
||
|
||
### Using a non-memory safe by default language without an developer best practies or automated tooling | ||
nellshamrell marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
Using raw C or C++ (or old versions of C and C++ language and compiler) | ||
|
||
### Using a non-memory safe by default language with developer best practices, but no automated tooling | ||
|
||
Examples: | ||
|
||
* [Using attributes such as `cleanup` and classes when writing C](https://lwn.net/Articles/934679/) (and depending on developers to manually check this) | ||
* Following the [C++ Core Guidelines](https://github.com/isocpp/CppCoreGuidelines) when writing C++ | ||
* Using the [C++ Compiler Hardening Guide](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Compiler-Hardening-Guides) when compiling C++ code | ||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. How about? : Isolating code that processes un-trusted data from code that performs direct memory management operations or uses raw pointers (See: https://langsec.org) |
||
### Using a non-memory safe by default language with developer best practices and automated tooling | ||
|
||
TO DO | ||
|
||
### Using a memory safe by default language without developer best practices or automated tooling | ||
|
||
Examples: | ||
|
||
* Using unsafe blocks in Rust [without assessing the entire module in which the unsafe code appears](https://github.com/ossf/Memory-Safety/issues/15#issuecomment-1847939439) | ||
* Using the [no_mangle](https://github.com/rust-lang/rust/issues/28179) attribute in Rust | ||
|
||
### Using a memory safe by default language with developer best practices, but no automated tooling | ||
|
||
Examples: | ||
|
||
* Following the [Rustnomicon](https://doc.rust-lang.org/nomicon/intro.html) careful practices when using unsafe blocks in Rust | ||
* Following best practices (LINK NEEDED) when using the Go [unsafe](https://pkg.go.dev/unsafe#pkg-overview) package | ||
* Following [Javascript Memory Management](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Memory_management) practices | ||
|
||
### Using a memory safe by default language with developer best practices and automated tooling | ||
|
||
Examples: | ||
|
||
* Using the [Go Data Race Detector](https://go.dev/doc/articles/race_detector) | ||
* Using other tools such as [govulncheck, fuzzing, and vet](https://go.dev/doc/security/best-practices) when writing Go code | ||
|
||
## FAQ | ||
|
||
### Why do you rank using automated tooling higher than just using developer best practices? | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. this is great! |
||
|
||
The amount software that has already been produced is staggering - and it is only growing every day. Expecting every developer to manually check their code (and the code their code interacts with) is no longer practical or possible. Automated tooling must be used to catch (at the least) known, common vulnerabilities that a developer may unintentionally introduce in their code. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wonder if this should merge into the definitions.md, since it extends upon the notions in that and that way we would have a sharable, unified artifact that defines memory-safety?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Possibly - though I'd like to keep it in a separate doc until we further discuss and refine the idea of the continuum.