Message-ID:

I find you lack of faith in the forth dithturbing. -- Darse ("Darth") Vader

computers / comp.misc / memory corruption as attack vector

memory corruption as attack vector

<65f6b140$0$19592$882e4bbb@reader.netnews.com>

https://www.novabbs.com/computers/article-flat.php?id=3531&group=comp.misc#3531

Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!feeder.usenetexpress.com!tr1.iad1.usenetexpress.com!198.186.191.153.MISMATCH!news-out.netnews.com!s1-4.netnews.com!eu1.netnews.com!not-for-mail
X-Trace: DXC=ekHVl_TZi21XbTXBL>DDB=HWonT5<]0T=M9@aW=nh=g:4fb5@bE@D^82ag1<^1n6R>kKcU9i;ZPR?7`KUZlDCH:<jdAQ=K_oW98A6UEi6kY3A0M0:NI184W1=
X-Complaints-To: support@blocknews.net
From: fun...@amongus.com.invalid (Retrograde)
Content-Type: text/plain; charset=UTF-8
Subject: memory corruption as attack vector
Newsgroups: comp.misc
Date: 17 Mar 2024 09:00:48 GMT
Lines: 39
Message-ID: <65f6b140$0$19592$882e4bbb@reader.netnews.com>
NNTP-Posting-Host: 127.0.0.1
X-Trace: 1710666048 reader.netnews.com 19592 127.0.0.1:44823

by: Retrograde - Sun, 17 Mar 2024 09:00 UTC

From the «alzheimers as a service» department:
Feed: OSnews
Title: Secure by design: Google’s perspective on memory safety
Author: Thom Holwerda
Date: Fri, 15 Mar 2024 10:45:06 -0400
Link: https://www.osnews.com/story/138837/secure-by-design-googles-perspective-on-memory-safety/

Google’s Project Zero reports[1] that memory safety
vulnerabilities[2]—security defects caused by subtle coding errors related to
how a program accesses memory—have been “the standard for attacking software
for the last few decades and it’s still how attackers are having success”.
Their analysis shows two thirds of 0-day exploits detected in the wild used
memory corruption vulnerabilities. Despite substantial investments to improve
memory-unsafe languages, those vulnerabilities continue to top the most
commonly exploited vulnerability classes[3].

In this post, we share our perspective on memory safety in a comprehensive
whitepaper[4]. This paper delves into the data, challenges of tackling memory
unsafety, and discusses possible approaches for achieving memory safety and
their tradeoffs. We’ll also highlight our commitments towards implementing
several of the solutions outlined in the whitepaper, most recently with a
$1,000,000 grant to the Rust Foundation[5], thereby advancing the development
of a robust memory-safe ecosystem.
↫ Alex Rebert and Christoph Kern at Google’s blog[6]

Even as someone who isn’t a programmer, it’s impossible to escape the rising
tide of memory-safe languages, with Rust leading the charge. If this makes the
software we all use objectively better, I’ll take the programmers complaining
they have to learn something new.

Links:
[1]: https://googleprojectzero.blogspot.com/2022/04/the-more-you-know-more-you-know-you.html (link)
[2]: https://www.memorysafety.org/docs/memory-safety/ (link)
[3]: https://cwe.mitre.org/top25/archive/2023/2023_kev_list.html (link)
[4]: https://research.google/pubs/pub53121/ (link)
[5]: https://security.googleblog.com/2024/02/improving-interoperability-between-rust-and-c.html (link)
[6]: https://security.googleblog.com/2024/03/secure-by-design-googles-perspective-on.html (link)

Subject	Author
memory corruption as attack vector	Retrograde