Mabry Tyson
2024-Jun-26 16:08 UTC
CISA et al: "Exploring Memory Safety in Critical Open Source Projects"
Since openssh-portable is mentioned in this report, I thought I'd make this list aware of it. (I am not associated with the report or the agencies that published it. I just try to keep aware of what CISA reports.)

Cybersecurity and Infrastructure Agency (CISA) and other agencies have released a report that catalogues the amount of code in a number of large open source projects that is written in memory-unsafe languages.

Exploring Memory Safety in Critical Open Source Projects
<https://www.cisa.gov/sites/default/files/2024-06/joint-guidance-exploring-memory-safety-in-critical-open-source-projects-508c.pdf>

My take is that the theme of the report is that moving toward more code in memory-safe languages reduces the chance of vulnerabilities due to memory-unsafe issues. The report acknowledges difficulties in getting the numbers right, and of course makes no judgement as to the quality of any code. The report also acknowledges that there are good reasons for some usage of memory-unsafe code.

openssh-portable is listed as having 142 KLoC, of which 120 KLoC are written in memory-unsafe languages, for a ratio of 85%. Please recognize this is a statistic, not a judgement.
Joseph S. Testa II
2024-Jun-26 16:29 UTC
CISA et al: "Exploring Memory Safety in Critical Open Source Projects"
Has anyone done any initial research into how much effort it would take to port OpenSSH to Rust? If not, I might find that interesting to start. (Mind you, this would be just to get a handle on the project, not do the full porting work--unless it somehow turns out to be very easy.)

- Joe

--
Joseph S. Testa II
Founder & Principal Security Consultant
Positron Security