Google security experts are calling for better handling of a common security vulnerability.

The search giant wants developers to pay more attention to flaws that arise when software programs access data stored in memory and which portions of the table should be off limits to applications.

The researchers said that programs are still able to pull data out of memory that, according to their programming, they should not be able to access. The ability to access memory allows malware programs to steal sensitive information such as access credentials and encryption keys from host machines.

While vendors have attempted to remedy the situation by developing more secure programming environments and languages that mandate secure coding practices, more must be done to close the door to threat actors.

Google said many programs are still being granted memory access far beyond what they need to accomplish their desired tasks, which leaves the door open for

“Over the past decade, a confluence of secure-by-design advancements has matured to the point of practical, widespread deployment,” wrote Google Security professionals Alex Rebert, Ben Laurie, Murali Vijayaraghavan, and Alex Richardson.

“This includes memory-safe languages, now including high-performance ones such as Rust, as well as safer language subsets like Safe Buffers for C++.”

Even with those advancements, vulnerabilities still arise within code. To that end, the Google team is pitching a framework that would fit within the existing programming languages but still provide a means for securing data in memory and sealing off stored information from non-essential code.

To that extent, Google said that it will make memory-safe languages such as Rust a priority going forward, while also updating its C++ code library in the form of libC++.

Additionally, Google plans to update its Java, Kotlin, and Go code libraries to include memory safety measures, though those updates are limited by what their respective languages allow.

“The framework should therefore be technology-neutral, allowing vendors to choose the best approach for their products and requirements,” the Google team wrote.

“This encourages innovation and allows software and hardware manufacturers to adopt the best solutions as they emerge.”

Ultimately, Google hopes that Meta programs will be capable of operating on a level that will keep sensitive data compartmentalized and shield stored memory data from the reach of malicious programs.
