Memory-safety vulnerabilities have dominated the security field for years
and often lead to issues that can be exploited to take over entire systems.
A recent study found that "~70% of the vulnerabilities addressed through a
security update each year continue to be memory safety issues." Another
analysis on security issues in the ubiquitous `curl` command line tool
showed that 53 out of 95 bugs would have been completely prevented by using
a memory-safe language.
Software written in unsafe languages often contains hard-to-catch bugs that
can result in severe security vulnerabilities, and we take these issues
seriously at Google. That’s why we’re expanding our collaboration with the
Internet Security Research Group to support the reimplementation of
critical open-source software in memory-safe languages. We previously worked
with the ISRG to help secure the Internet by making TLS certificates
available to everyone for free, and we're looking forward to continuing to
work together on this new initiative.
It's time to start taking advantage of memory-safe programming languages
that prevent these errors from being introduced. At Google, we understand
the value of the open source community and of giving back to support a
strong ecosystem.
To date, our free OSS-Fuzz service has found over 5,500 vulnerabilities
across 375 open source projects caused by memory safety errors, and our
Rewards Program helps encourage adoption of fuzzing through financial
incentives. We've also released other projects like Syzkaller to detect bugs
in operating system kernels, and sandboxes like gVisor to reduce the impact
of bugs when they are found.
The ISRG's approach of working directly with maintainers to support
rewriting tools and libraries incrementally falls directly in line with our
perspective here at Google.
The new Rust-based HTTP and TLS backends for curl and now this new TLS
library for Apache httpd are an important starting point in this overall
effort. These codebases sit at the gateway to the internet and their
security is critical in the protection of data for millions of users
worldwide.
We'd like to thank the maintainers of these projects for working on such
widely-used and important infrastructure, and for participating in this
effort.
We're happy to be able to support these communities and the ISRG to make the
Internet a safer place. We appreciate their leadership in this area and we
look forward to expanding this program in 2021.
Open source security is a collaborative effort. If you're interested in
learning more about our efforts, please join us in the Securing Critical
Projects Working Group of the Open Source Security Foundation.