One Article Review

Home - The article:
Source GoogleSec
Identifier 8650981
Publication date 2025-02-25 15:04:10 (viewed: 2025-02-25 21:07:38)
Title Securing tomorrow's software: the need for memory safety standards
Text Posted by Alex Rebert, Security Foundations, Ben Laurie, Research, Murali Vijayaraghavan, Research and Alex Richardson, Silicon

For decades, memory safety vulnerabilities have been at the center of various security incidents across the industry, eroding trust in technology and costing billions. Traditional approaches, like code auditing, fuzzing, and exploit mitigations – while helpful – haven't been enough to stem the tide, while incurring an increasingly high cost.

In this blog post, we are calling for a fundamental shift: a collective commitment to finally eliminate this class of vulnerabilities, anchored on secure-by-design practices – not just for ourselves but for the generations that follow.

The shift we are calling for is reinforced by a recent ACM article calling to standardize memory safety, which we took part in releasing with academic and industry partners. It's a recognition that the lack of memory safety is no longer a niche technical problem but a societal one, impacting everything from national security to personal privacy.

The standardization opportunity

Over the past decade, a confluence of secure-by-design advancements has matured to the point of practical, widespread deployment. This includes memory-safe languages, now including high-performance ones such as Rust, as well as safer language subsets like Safe Buffers for C++. These tools are already proving effective. In Android, for example, the increasing adoption of memory-safe languages like Kotlin and Rust in new code has driven a significant reduction in vulnerabilities.

Looking forward, we're also seeing exciting and promising developments in hardware. Technologies like ARM's Memory Tagging Extension (MTE) and the
Rating ★★
Sent Yes
Tags Tool Vulnerability Threat Mobile Technical


The article does not appear to have been picked up after its publication.


The article does not appear to have been taken up from an earlier one.