
Submitted by Rachel Gardner on Thu, 06/02/2025 - 11:40
Led by researchers in this Department, campaigners across industry and academia are calling for a concerted effort to finally solve the stubborn security issue that lies behind the majority of all cyberattacks.
In an article just published, 21 co-authors – including researchers here and security experts from Arm, Google and Microsoft – say it is time to develop an international consensus on what constitutes software memory safety, and to standardise its principles and practices.
Problems in software memory safety still persist, though they have long been known about. They were responsible for the first major attack on the internet in 1988 – the Morris Worm – when a hacker exploited a memory safety vulnerability to launch a 'buffer-overflow attack' (i.e. sending more data than a program's designated memory buffer can hold). This causes the excess data to spill over and corrupt adjacent memory locations, and can let the attacker inject and execute malicious code, essentially taking control of the system.
The Morris Worm propagated at speed, grinding thousands of computers to a halt. In doing so, "it inspired a new generation of hackers and a wave of Internet-driven assaults that continue to plague our digital systems to this day," the FBI says.
Today, memory safety issues are regarded as being responsible for 70 per cent of critical cybersecurity vulnerabilities – like the infamous 2017 WannaCry ransomware attack that caused widespread disruption to the NHS in England, leading to cancelled appointments, delayed operations, and difficulty accessing patient records. But although a number of technologies have been developed in the last decade to address software memory safety failures, they are still not being widely adopted across industry.
These include the pioneering cybersecurity technology CHERI, which was developed by researchers here in collaboration with Arm and other industrial partners. Since 2022, an industrial prototype (the Arm Morello board) has been made available to businesses to trial for themselves via the UK government’s £200 million Digital Security by Design Programme.
But getting strong memory-safety technologies adopted at scale is still proving difficult. Now, in an article they jointly authored, 21 campaigners from across industry and academia point to a range of reasons why, including a perceived lack of demand from customers and the high opportunity cost for suppliers of reassigning all the engineers needed to implement the new technologies.
But most crucial of all, they say, is the lack of any nationally or internationally defined standard for what strong software 'memory safety' actually is. That has to change, argue the authors.
In their article – 'It is time to standardise principles and practices for software memory safety' – and accompanying technical report, they suggest a set of steps that could be taken towards addressing the issue.
These start with working towards a technological consensus on defining such standards and go on to lay out the changes that could be made once these have been agreed – such as:
- enabling government purchasing for defence and critical infrastructure to express memory-safety requirements
- requiring that all smartphones, wireless access points and IoT devices are sold with memory-safe software, or
- introducing tax incentives for companies to do so.
"The development of new technologies presents us with a remarkable opportunity to introduce universal strong memory safety," says co-author Robert Watson, Professor here of Systems, Security and Architecture. "Yet these technologies are struggling to make headway given the costs involved in adopting them and unclear market demand. As a result, although it's a widely-recognised problem, memory-unsafe computer code continues to be used across Windows, Linux, Android, iOS and Chromium devices, among others.
"We think this has to change and want to encourage the adoption of new memory-safe technologies. But to do that, we've got to reach consensus on memory safety standards and how they will be introduced."
Alex Rebert, a Senior Staff Software Engineer leading memory safety in Google's Information Security Engineering organisation, concurs. "At Google, we're excited about the growing momentum around memory safety standards. Standardization will be a key step in accelerating adoption of strong memory safety at scale."
The article and technical report are the first steps in a standardisation campaign. Next steps will include a workshop taking place in Cambridge this summer. Anyone interested in joining the campaign or participating in the workshop should contact Prof Robert Watson.