The National Security Agency (NSA) has published an executive summary showcasing the
risk of using manually managed languages over memory-safe languages in application
development. Manual memory management may introduce major bugs and security risks into your application if
the memory is managed incorrectly.
Security bugs introduced by manually managed languages can be catastrophic to the function of the
application, as well as the information contained in the application. These bugs may cause
performance slowdowns, application crashes, remote code execution, information leakage, and
system failures.
Bugs that may be introduced include the following:
- Memory leak: Memory no longer being used is not released, which reduces the amount of available memory.
- Buffer overflow: Overwriting of memory locations adjacent to a buffers boundary.
- Segmentation fault: An application tries to access a restricted piece of memory.
- Wild pointers: Pointer points to the memory which has been deallocated.
- Undefined behavior: An application with unpredictable behavior.
To provide some insight on the prevalance of risk introduced by manually managed languages, Microsoft
revealed that within the span of 12 years, 70% of their vulnerabilities were due to mismanagement of memory.
Google reported that there was a similar percentage of vulnerabilities introduced by memory safety
violations within the Chrome browser.
All these vulnerabilities can be exploited by malicious actors who may compromise a device, potentially leading to a compromise of a larger network infrastructure. With this large risk presented by mismanaged memory,
the NSA advises organizations to consider using memory-safe languages wherever possible and providing
mechanisms to harden applications built with manually managed languages.
Memory-safe languages vs. manually managed languages
A memory-safe language is a language where memory allocation and garbage collection are abstracted away from
the developer and handled by the programming language itself. These languages include Python, Java, and Go,
to name a few.
In contrast, manually managed languages provide a developer with full control over the system memory (with some exceptions).
The most popular manually managed languages are C and C++.
Each language type has a purpose and use case. There are times when a memory-safe language is recommended, but there are also
times when it may not suit the application requirements.
Below is a list of some pros and cons of each language type:
Language type | Pros | Cons |
---|