(443)-494-9398 [email protected]

NSA Offers Guidance on Mitigating SW Memory Safety Issues. OnSystem Logic Offers a Solution.

OnSystem Logic Offers A Solution To Mitigate Software Memory Safety Issues.

The recent article, NSA Publishes Guidance on Mitigating Software Memory Safety Issues, does a good job of summarizing NSA’s guidance on mitigating software memory safety issues. The problem is real and its impacts are growing. The proof is found in the statements from Microsoft and Google that 70% of their bugs fall in this category and are often exploited for remote code execution (RCE).

But there are problems with the guidance. They are as follows:

  • It is not possible to rewrite billions of lines of code, that are the foundation of software we use today, using memory safe languages.
  • Technologies like Control Flow Guard (CFG) and Address Space Layout Randomization (ASLR) have been around for years but have limitations and published methods of getting defeated. In fact, Microsoft and Google have been using these technologies for many years in their own software but still have to issue immediate security patches for most of their memory safety bugs.

The most important thing to do to mitigate a memory safety bug is to make sure that the bug cannot be used by an adversary to run code that is under its control AND can perform useful operations on the system. What I mean by useful operations is any type of operation that gives the adversary the ability to access important resources in the affected software. For example, the ability of the adversary to create dynamic code in the software under attack. There are operations like this that apply to all software and others that apply to specific software. 

If we learn the internal deterministic access patterns to these resources within EVERY piece of software running on a system, we can protect EVERY piece of software from adverse effects of memory software bugs without having access to source code, rewriting the software, caring about what language it is written in, or how it was compiled. These protections can work side by side with CFG, ASLR, etc. but do not require them or any other processor-specific security features that may or may not be present in order to implement CFG, ASLR, etc. The learning can be done in the QA environment of the software maker and/or from customer machines that have deployed this capability to protect their servers and workstations.

Does any product like this exist?

Yes. OnSytem Logic has spent years to perfect this technology. Our software, OnSystem Defender, is in actual use on thousands of servers and workstations. Not only does it mitigate memory safety issues of ALL software running on a machine, but it also protects against other classes of attacks like backdoors (e.g., SolarWInds), software supply chain issues, and unpatched/unpatchable software.  

Evaluate OnSystem Defender

Sign up to evaluate OnSystem Defender, and to identify and recommend enhancements.