DSpace@MIT
It Is Time to Standardize Principles and Practices for Software Memory Safety

Author(s)
Watson, Robert; Baldwin, John; Chen, Tony; Chisnall, David; Clarke, Jessica; Davis, Brooks; Filardo, Nathaniel; Gutstein, Brett; Jenkinson, Graeme; Laurie, Ben; Mazzinghi, Alfredo; Moore, Simon; Neumann, Peter; Okhravi, Hamed; Rebert, Alex; Richardson, Alex; Sewell, Peter; Tratt, Laurence; Vijayaraghavan, Muralidaran; Vincent, Hugo; Witaszczyk, Konrad; ...
Download: 3708553.pdf (552.1Kb)
Publisher Policy

Terms of use
Article is made available in accordance with the publisher's policy and may be subject to US copyright law. Please refer to the publisher's site for terms of use.

Abstract
In this Inside Risks column, we explore memory-safety standardization, which we argue is an essential step to promoting universal strong memory safety in government and industry, and, in turn, to ensure access to more secure software for all. During the last two decades, a set of research technologies for strong memory safety—memory-safe languages, hardware and software protection, formal approaches, and software compartmentalization—have reached sufficient maturity to see early deployment in security-critical use cases. However, there remains no shared, technology-neutral terminology or framework with which to specify memory-safety requirements. This is needed to enable reliable specification, design, implementation, auditing, and procurement of strongly memory-safe systems. Failure to speak in a common language makes it difficult to understand the possibilities or communicate accurately with each other, limiting perceived benefits and hence actual demand. The lack of such a framework also acts as an impediment to potential future policy interventions, and as an impediment to stating requirements to address observed market failures preventing adoption of these technologies. Standardization would also play a critical role in improving industrial best practice, another key aspect of adoption.
Date issued
2025-02-01
URI
https://hdl.handle.net/1721.1/158237
Department
Lincoln Laboratory
Journal
Communications of the ACM
Publisher
Association for Computing Machinery
Citation
Watson, Robert, Baldwin, John, Chen, Tony, Chisnall, David, Clarke, Jessica et al. 2025. "It Is Time to Standardize Principles and Practices for Software Memory Safety." Communications of the ACM, 68 (2).
Version: Final published version
ISSN
0001-0782

Collections
  • MIT Open Access Articles
