Devs favor C/C++ in critical open-source software, raising security concerns

About half of 172 critical open-source projects are written in languages that do not automatically protect against memory errors, such as C/C++, cybersecurity authorities warn, encouraging developers to choose safer alternatives such as Rust.

Memory safety vulnerabilities are the most prevalent in software and generate substantial costs for both software manufacturers and users, as they need to be patched and mitigated.

The Cybersecurity and Infrastructure Security Agency (CISA), together with other international authorities, analyzed 172 critical open-source projects and found that 52% of them are written using C, C++, and other so-called “memory-unsafe” languages.

“55% of the total lines of code (LoC) for all projects were written in a memory-unsafe language,” the report reads.

The largest projects, such as Linux, Chromium, KVM (kernel-based virtual machine), or MySQL-server, are disproportionately written in memory-unsafe languages.

Among the top 10 critical projects, each one had at least 26% memory-unsafe code.

This is risky, as “roughly 60 to 70 percent of browser and kernel vulnerabilities – and security bugs found in C/C++ code bases – are due to memory unsafety.”

Attackers exploit memory vulnerabilities to take control of software and corresponding data and systems.

“Memory-unsafe languages require developers to properly manage memory use and allocation. Mistakes, which inevitably occur, can result in memory-safety vulnerabilities such as buffer overflows and use after free,” cyber authorities explain. “Memory-safe languages shift the abstraction layer and responsibility for writing memory-safe code from the developer to the compiler or interpreter, vastly reducing opportunities to introduce memory-safety vulnerabilities.”

Researchers observed that critical open-source projects often inherit “memory-unsafe” code through dependencies.

Where performance and resource constraints are critical factors, “memory-unsafe” programming languages have an advantage, and CISA expects continued use.

However, authorities think that transitioning these types of projects to memory-safe languages, such as Rust, would be “an effective security investment.”

Using a memory-safe language does not by itself make code safe, as developers may disable memory-safety features.
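The contrast the authorities describe (bounds management left to the developer versus checks enforced by the language, plus the escape hatch that hands responsibility back to the developer) as an added Rust example; this code is not from the report or the article, and the length-prefixed record format and function names are constructed for illustration:

```rust
// Added example: parsing a constructed record layout [len: u8][payload: len bytes].
// In a memory-unsafe language, trusting `len` without a check is the classic
// buffer over-read; here the slice API makes the check the language's job.

/// Parse one record. Returns None instead of reading past the buffer when the
/// declared length exceeds the bytes actually present.
pub fn parse_record(buf: &[u8]) -> Option<&[u8]> {
    let len = *buf.first()? as usize;
    // `get` is bounds-checked: an over-long length yields None, never an
    // out-of-bounds read. A bare `&buf[1..1 + len]` would panic rather than
    // silently corrupt memory.
    buf.get(1..1 + len)
}

/// The same parse using the `unsafe` escape hatch. The explicit `if` is now the
/// developer's responsibility: delete it and the read below is undefined
/// behaviour, which is the situation the report warns about when memory-safety
/// features are disabled.
pub fn parse_record_unchecked(buf: &[u8]) -> Option<&[u8]> {
    let len = *buf.first()? as usize;
    if buf.len() < 1 + len {
        return None;
    }
    // SAFETY: the bounds were verified immediately above.
    Some(unsafe { buf.get_unchecked(1..1 + len) })
}

// The use-after-free class the report names cannot be expressed in safe Rust;
// the compiler rejects it outright (error E0597, `v` does not live long enough):
//     let r;
//     { let v = vec![1u8]; r = &v; }
//     println!("{:?}", r);

fn main() {
    let good = [3u8, b'a', b'b', b'c'];      // constructed: well-formed record
    let truncated = [9u8, b'a', b'b'];       // constructed: length claims 9, only 2 present
    println!("{:?}", parse_record(&good));            // Some([97, 98, 99])
    println!("{:?}", parse_record(&truncated));       // None
    println!("{:?}", parse_record_unchecked(&truncated)); // None
}
```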

CISA hopes the study will encourage software manufacturers to evaluate approaches to reducing this risk, make secure and informed choices, and reduce memory safety vulnerabilities and risks.