Remotely exploitable reminiscence security vulnerabilities persist as a perpetual threat to software program integrity and confidentiality. At Google, we envision the path to eradicating this category of vulnerabilities at scale and building high-confidence software relies on a secure-by-design approach that emphasizes a transition to memory-safe programming languages.
Specializing in secure coding practices from the outset can paradoxically reduce overall codebase risk, eventually shattering the plateau of memory security vulnerabilities and initiating a steep decline while maintaining scalability and cost-effectiveness.
Here is the rewritten text:
Over the past six years, we’ve witnessed a significant shift in the Android ecosystem, with the percentage of memory-related security vulnerabilities declining dramatically – from 76% to just 24%. This remarkable transformation can be attributed to the growing adoption of memory-secure programming languages.
As a sprawling codebase written mainly in memory-unsafe languages continues to grow and evolve, it is beset by a persistent influx of security vulnerabilities, reminiscent of past breaches and attacks that threaten the integrity of the system. If we progressively migrate to memory-safe languages for new developments, while preserving existing codebases primarily through bug fixes, we can foster a harmonious coexistence between legacy and modern systems.
We’re capable of simulating various outcomes. The legacy codebase still clings to life after all these years? As new reminiscence consolidates, a decline in unsafe growth is observed, paving the way for the emergence of secure growth.
Throughout the final year of our simulation, despite a notable increase in memory-unsound code, we observe a substantial decrease in the number of memory safety vulnerabilities, a seemingly counterintuitive outcome that deviates from what is typically seen with other approaches.
This seemingly contradictory discount raises questions about how memory safety can increase despite a rise in vulnerable code.
The reply lies in an necessary commentary: . They’ve a half-life. The vulnerability lifetime’s distribution conforms to an exponential pattern, governed by the mean vulnerability lifetime (λ).
Vulnerability discovery and subsequent remediation are crucial aspects of maintaining the security posture of software systems. A comprehensive understanding of vulnerability lifetimes is essential to optimize these processes effectively.
The average lifetime of a vulnerability is approximately 22 months, with nearly half being exploitable for at least three years. Revealed at Usenix Safety in 2022, the phenomenon was subsequently confirmed. Studies reveal that a vast proportion of vulnerabilities are rooted in recently written or previously revised code sections.
Our analysis confirms and generalizes that the density of Android’s remnant security bugs decreases with the age of the code, mainly concentrated in recent updates.
Two key insights emerge from this outcome.
- Requiring a fundamental shift in how we create software.
- As investment returns on software decline with age, code becomes increasingly obsolete.
Based largely on the typical vulnerability lifetime statistics, code that is approximately five years old exhibits a 3.4-fold to 7.4-fold reduction in vulnerability density compared to newly written code.
In real-life scenarios, just like our simulated environment, when we focus on prevention, the situation rapidly improves.
Android’s staff began focusing on migrating emerging trends towards retrograde linguistic frameworks in 2019. As concerns mounted over the escalating costs and intricacy of addressing memory security vulnerabilities, a resolution gained momentum. Despite the remaining tasks, early results are encouraging. Here’s the large image of what we’re expecting to see in 2024, based on our comprehensive coding.
Despite the majority of existing code still being vulnerable to safety risks, which are indeed becoming increasingly antiquated, a significant and sustained decrease is emerging in memory security vulnerabilities. The results match our earlier simulations and have actually exceeded expectations, likely due to our concurrent initiatives to strengthen the security of our previously vulnerable codebase. In 2022, we initially observed a decline; subsequently, we noticed a trend towards a decrease in the overall prevalence of memory safety vulnerabilities.. The estimated annual growth rate is based on historical data up to 2022 and is then projected forward to 2024.
SKIP
While the percentage of vulnerabilities linked to recall-based security assessments remains closely tied to the language used in newly written code?
Safety-related reminiscence questions, a primary concern that accounted for 76% of all Android vulnerabilities in 2019, have decreased significantly, now representing just 24% of overall vulnerabilities in 2024 – well below the industry benchmark of 70%.
As renowned, reminiscence-based security vulnerabilities tend to be significantly more severe, readily accessible remotely, highly adaptable, and more likely to be maliciously exploited compared to other types of vulnerabilities. Although the number of identified reminiscence security vulnerabilities has decreased, the overall safety risk remains unchanged.
For decades, the company has driven innovation in combatting memory security vulnerabilities, yielding valuable tools and methodologies that have consistently strengthened software safeguards. Notwithstanding the benefit of hindsight, it’s clear that our focus must shift towards developing a truly scalable and sustainable solution that effectively mitigates risk.
Initially, efforts concentrated on addressing weaknesses in a post-incident manner. As widespread concerns about reminiscence security persist, enterprises incur substantial recurring costs that ultimately affect their customers. Producers of software programs must allocate critical resources effectively to respond promptly to recurring incidents. This leads to the implementation of fixed safety patches, unfortunately leaving users vulnerable to unidentified vulnerabilities and promptly exposed to those already discovered, which are being rapidly exploited.
Subsequent to this, another method emerged: reducing vulnerability in existing software programs by implementing a range of exploit-mitigation techniques, thereby increasing the barriers to creating effective exploits. Despite these mitigations, which are akin to stack canaries and control-flow integrity, they often come at a recurring cost to merchants and growth teams, pitting safety and other product requirements against each other.
- Their arrival is often accompanied by significant inefficiencies, slowing down the execution process, draining battery life, increasing tail latencies, and wasting reminiscence utilization, ultimately hindering their widespread adoption.
- Attackers’ unrelenting creativity spawns a dynamic game of strategy and cunning between themselves and the defenders. As a result, the bar to develop and weaponize an exploit is consistently being lowered through various means.
A cutting-edge approach focused on identifying potential weaknesses in a system. This contains many, typically paired with fuzzing, like lots of which have been constructed by Google. While these strategies may address the symptoms of reminiscence failure, they do not directly tackle the underlying cause. Stress is typically required to motivate groups to effectively manage the fuzz, triage, and repair of their findings, resulting in subpar protection. While fuzz testing can provide a high degree of coverage, even when used extensively, it does not offer absolute assurance, as demonstrated by the presence of vulnerabilities still found in thoroughly fuzzed code.
With the implementation of these strategies, our merchandise has undergone significant fortification, and we remain steadfast in our commitment to identifying, addressing, and actively seeking out vulnerabilities, thereby ensuring a robust defense against potential threats. As it has become increasingly evident, these methods alone are insufficient for achieving an acceptable level of risk in memory safety, and they perpetuate escalating costs for developers, consumers, businesses, and products. According to numerous authorities, including CISA, it is only by embracing “safe by design” principles that we can effectively address the perpetual problem of repeatedly generating and implementing patches.
The paradigmatic shift towards memory-safe programming languages signifies more than just an upgrade in technical proficiency; it is a fundamental transformation in the approach to ensuring software security. This shift should not be seen as unprecedented, but rather a significant expansion of a proven methodology. A methodology that has consistently shown excellence in eradicating diverse vulnerabilities, including cross-site scripting (XSS), effectively mitigating the risk of sophisticated attacks.
The driving force behind this transformation is the integration of immediate safety enforcement mechanisms within the event platform, enabled through language options, static analysis, and thoughtful API design. The outcome yields a deliberately secure ecosystem, providing consistent and dependable assurance at scale, impervious to accidental vulnerability introduction.
As software development evolves, there is a discernible transition from traditional coding practices to Secure Coding principles, enabling developers to craft more dependable and resilient code that withstands scrutiny. By focusing on the specific interventions employed (mitigations, fuzzing) rather than attempting to leverage past performance for predictive purposes about future security, Secure Coding enables us to make robust declarations regarding the code’s attributes and what is feasible or impermissible based on those attributes.
Secure coding’s scalability lies in its potential to reduce costs by leveraging automated testing and code review tools that eliminate the need for manual quality assurance processes.
- By halting the perpetual spiral of defensive measures attempting to outdo one another through price escalation, Secure Coding harnesses its expertise in governing developer environments to focus on designing secure software from inception.
- Rather than customizing mitigations for each asset’s perceived risk, Secure Coding develops a standardized framework, akin to memory-safe languages, that efficiently diminishes vulnerability density across the board. Developments in fashionable memory-safe languages, such as Rust, have extended the concept of memory safety beyond mere recall security to encompass a broader range of bug prevention strategies.
- Secure coding practices enhance code reliability and developers’ productivity by detecting bugs early on, before code is committed. The frequency of unexpected setbacks is reflected in the metrics, manifesting as increased rollback charges due to the need for emergency code reverts following unforeseen bugs. The Android team has observed that the rollback cost for Rust modifications is significantly lower than that of C++, at roughly one-quarter of the latter’s price.
Interoperability, a seamless connection among systems, enables the free flow of information and streamlined interactions.
Based on the findings, it has become evident that we do not need to discard or rework all of our existing memory-unsafe code. As a cornerstone of our memory security quest, Android is focused on securing interoperability with ease. Interoperability offers a pragmatic and incremental approach to embracing memory-safe languages, enabling organisations to build upon existing investments in code and processes, while accelerating the development of innovative solutions.
As we’re currently undertaking.
Rust vs. C++ and Rust vs. Python. As part of their ongoing efforts to support open-source innovation, Google recently contributed to the Rust Foundation, as well as developing interoperability tooling such as and.
Function of earlier generations
As Secure Coding continues to drive down threats, mitigation strategies will assume a pivotal role in parallel with proactive detection methods. While there are no foolproof answers in the Android realm, we can confidently predict that innovation will continue to drive progress.
- As we shift towards memory-safe code, we expect a significant reduction in the need for exploit mitigations, ultimately yielding not only safer but also more environmentally friendly software. After eliminating the outdated sandbox environment, development accelerates by approximately 95%.
- As we move forward, we expect a reduction in our reliance on proactive detection methods such as fuzzing, with the added benefit of increased effectiveness, as achieving comprehensive security for small, self-contained code segments becomes increasingly viable?
Understanding the mathematics behind vulnerability lifetimes has long been a daunting challenge. Adopting secure coding practices marks a significant paradigm shift, allowing developers to proactively harness the natural decay of vulnerabilities for their advantage. As soon as we mitigate the latest vulnerabilities, their frequency decreases exponentially, resulting in significantly safer code, increased efficiency, and alleviated scalability concerns associated with current memory-security approaches, enabling their more effective utilization in a targeted manner?
This method has been consistently effective in eliminating complete vulnerability lessons, with its effectiveness in addressing memory security increasingly evident over more than five years of continuous results on Android.
We look forward to providing in-depth updates on our secure-by-design initiatives in the near future.
We appreciate the efforts of Alice Ryhl in developing the simulation code. Thanks to the valuable input from Emilia Kasper, Adrian Taylor, Manish Goregaokar, Christoph Kern, and Lars Bergstrom for their helpful contributions to this submission.
