White House urges developers to avoid C and C++, use 'memory-safe' programming languages

The White House
(Image credit: Pexels)

Update: 2/29/2024 08:28 PT

The NSA list of memory safe programming languages has been updated to reflect v1.1 of the information sheet.

Updated article

The government would prefer it if you stopped programming tools in C or C++. In a new report, the White House Office of the National Cyber Director (ONCD) has called on developers to use "memory-safe programming languages," a category which excludes the popular languages. The advice is part of U.S. President Biden's Cybersecurity strategy and is a move to "secure the building blocks of cyberspace."

Memory safety refers to protection from bugs and vulnerabilities which deal with memory access. Buffer overflows and dangling pointers are examples of this. Java is considered a memory-safe language due to its runtime error detection checks. However, C and C++ both allow arbitrary pointer arithmetic with direct memory addresses and no bounds checking.

In 2019, Microsoft security engineers reported that around 70% of security vulnerabilities were caused by memory safety issues. Google reported the same figure in 2020, this time for bugs found in the Chromium browser.

"Experts have identified a few programming languages that both lack traits associated with memory safety and also have high proliferation across critical systems, such as C and C++," the report reads. "Choosing to use memory safe programming languages at the outset, as recommended by the Cybersecurity and Infrastructure Security Agency’s (CISA) Open-Source Software Security Roadmap is one example of developing software in a secure-by-design manner."

The goal of the 19-page report is to ensure that responsibility for cybersecurity does not just lie in the hands of individuals and small businesses. Instead, the responsibility lies with larger organizations, tech companies, and ultimately the government.

The report details what it considers to be "unsafe" programming languages, namely C and C++. We're not here to debate the pros and cons of programming languages, but it is interesting to see that the report does not suggest a specific language in their place. We are told that there are "dozens of memory-safe programming languages that can — and should — be used."

The ONCD has asked that companies and engineers to adopt best practices in software development and adopt memory-safe hardware in order to reduce the attack surface by which malicious actors can attack. The report itself did not detail what it considers memory safe programming languages to be. However, in November 2022, the National Security Agency (NSA) issued a cybersecurity information sheet that detailed the programming languages it considers to be memory-safe.

NSA Suggested Memory-Safe Programming Languages

  • Rust
  • Go
  • C#
  • Java
  • Swift
  • JavaScript
  • Ruby
  • Python
  • Delphi/Object Pascal
  • Ada

How popular are the suggested programming languages? Checking the TIOBE index, an indicator of programming language popularity, we see that Python is at number one. Of the NSA preferred options, C# is at position five, Java is at position four, JavaScript at six and Go is at eight. Bringing up the rear are Delphi / Object Pascal at 12, Swift at 16, Rust at 18 and Ruby just squeaks in at 20. So most of the NSA's chosen languages are in the top 20, with only Ada missing, but only five of the 10 are "popular" with developers.

The report also calls for better measurements of software security. ONCD has the belief that better metrics enable technology providers to better plan, anticipate, and mitigate vulnerabilities before they become a problem.

In part two (page 8), the report recalls the Apollo 13 mission, a mission that NASA classified as a "successful failure." The mission suffered a catastrophic failure that saw the three astronauts improvise repairs and mitigate a number of issues in order to return safely home. The need for memory-safe code also impacts the space program, and the report details that a memory-safe language, one that is as close to the kernel as possible, should be used lest we have a future incident.

This report is the latest in a series of steps taken by the U.S. government. In March 2023, President Biden signed a cybersecurity executive order [PDF] that kicked off processes to secure software and hardware, while also forging relationships in the tech industry.

As more and more of our world becomes digital first, the need for better coding becomes more important. Bad code can be used maliciously to exploit weaknesses. The report highlights the Log4j vulnerability from December 2021, in which an open-source Java logging library, Log4j, was exploited via a zero-day vulnerability called Log4Shell

Les Pounder

Les Pounder is an associate editor at Tom's Hardware. He is a creative technologist and for seven years has created projects to educate and inspire minds both young and old. He has worked with the Raspberry Pi Foundation to write and deliver their teacher training program "Picademy".

  • COLGeek
    Please focus on the technical aspects of the article and leave the political commentary for other sites. Thank you.
  • vijosef
    Sure, come here and take undefined behavior out of my cold hands!

    union{} for the win!
  • bigdragon
    Alternatively, you could just hire developers that are aware of and care about memory utilization. I'm aware those skills are very expensive and hard to find. They do exist in older workers.

    The market has been flooded with developers who have degrees or certifications with only a single semester of Java programming. As someone who went through an intense technical program where algorithm designs, run times, memory optimizations, sequencing, threading, and other important things were taught, it pains me to encounter people who exclusively rely on libraries/frameworks and think the compiler will fix everything for them.
  • RichardtST
    Doesn't matter how "memory safe" the language is. With the incredulously low standard for programmers these days, they are all a threat. Plus they all have built-in back doors anyway. Everyone knows that. I'll never give up C. Malloc() and free() and I have been best buddies for decades... Stop blaming the language. It's the people that are the problem. KISS Principle rules!
  • USAFRet
    bigdragon said:
    The market has been flooded with developers who have degrees or certifications with only a single semester of Java programming.
    I saw this 20+ years ago.

    "Certified Oracle Consultant" - totally clueless.

    This is not new.
  • JamesJones44
    Java or any of the other VM based runtime based languages are not viable replacements for most C/C++ projects. Developers typically use C/C++ for two reasons. Resource sensitivity (speed, memory, etc.) and/or cross language interoperability. Java will not work for either of those use cases.

    Rust is the most viable alternative.
  • 35below0
    So the US government is considered responsible and their response is to offer a recommendation?
    Sounds like a slow news day for cybersecurity, government, and conspiracy theories. That is just about as run-of-the-mill as it gets.

    It's not an attack on C/C++, more of a call to pay attention to vulnerabilities that have grown in importance enough to become national security and government business. It may provoke bickering but it is objectively a fair assesment.

    Ultimately the responsibility of government is not to enforce coding best practises, and government should never have power to do so. They most they could and should do is issue recommendations and guidelines such as this.
  • ekio
    Only Rust is really memory safe in their list…

    A world of Rust and RISC-V based tech is coming ❤️
  • homeyKrogerSage
    Rust. That's literally what they're saying without saying it. "Memory Safe", "Close(r) to the kernel". There's literally only one language that fits that description.
  • Eximo
    Yeah, some of the comp sci majors I know are vastly knowledgeable. Just depends on the person's willingness to learn and what they end up doing. Also have the whole EE group who still do a lot of bare metal programming in assembly.

    As I recall with one of old acquaintances, actually had to build an OS from scratch for a project.

    I work in the public sector and we pretty much have to follow US Government security regulations. I would say any off the shelf package certified for use would need to be reviewed. Internal development is always going to be impossible to manage without proper internal processes, which may or may not be followed. So many rogue projects.