It Is Time to Standardize Principles and Practices for Software Memory Safety
Author(s)
Watson, Robert; Baldwin, John; Chen, Tony; Chisnall, David; Clarke, Jessica; Davis, Brooks; Filardo, Nathaniel; Gutstein, Brett; Jenkinson, Graeme; Laurie, Ben; Mazzinghi, Alfredo; Moore, Simon; Neumann, Peter; Okhravi, Hamed; Rebert, Alex; Richardson, Alex; Sewell, Peter; Tratt, Laurence; Vijayaraghavan, Muralidaran; Vincent, Hugo; Witaszczyk, Konrad; ...
Publisher Policy
Article is made available in accordance with the publisher's policy and may be subject to US copyright law. Please refer to the publisher's site for terms of use.
Abstract
In this Inside Risks column, we explore memory-safety standardization, which we argue is an essential step to promoting universal strong memory safety in government and industry and, in turn, to ensuring access to more secure software for all. During the last two decades, a set of research technologies for strong memory safety—memory-safe languages, hardware and software protection, formal approaches, and software compartmentalization—has reached sufficient maturity to see early deployment in security-critical use cases. However, there remains no shared, technology-neutral terminology or framework with which to specify memory-safety requirements. Such a framework is needed to enable reliable specification, design, implementation, auditing, and procurement of strongly memory-safe systems. Failure to speak in a common language makes it difficult to understand the possibilities or to communicate accurately with each other, limiting perceived benefits and hence actual demand. The lack of such a framework also acts as an impediment to potential future policy interventions, and to stating requirements that address the observed market failures preventing adoption of these technologies. Standardization would also play a critical role in improving industrial best practice, another key aspect of adoption.
Date issued
2025-02-01
Journal
Communications of the ACM
Publisher
Association for Computing Machinery
Citation
Watson, Robert, Baldwin, John, Chen, Tony, Chisnall, David, Clarke, Jessica et al. 2025. "It Is Time to Standardize Principles and Practices for Software Memory Safety." Communications of the ACM, 68 (2).
Version: Final published version
ISSN
0001-0782