Initial signs point to 2024 being a big year for memory safety and we aim to continue Prossimo's work to accelerate the momentum.
Last month, the White House's Office of the National Cyber Director (ONCD) issued a report that strongly endorses the use of memory safe languages. We've been formally working on improving memory safety for critical Internet infrastructure for years now and are proud to be the only 501c3 nonprofit referenced in this report. The report highlights a few points that are well-aligned with Prossimo's outlook:
- Now is the time to make memory safe choices since it effectively solves an avoidable problem,
- There is clear evidence that switching to memory safe languages has a positive impact on digital security, and
- Everything everywhere doesn't need to be re-written; instead take a tactical approach that prioritizes security-sensitive functions.
The positive industry response to the report is encouraging as well. "Memory safety vulnerabilities pose a significant security risk to software systems and are a root cause of many of the most damaging cyberattacks. To address this, we need to adopt memory safe programming languages for new applications and rewrite code using modern memory safe languages with secure development practices from the start. We're pleased to see the ONCD raise this issue because the integrity of the global software supply chain is critical for national and international security," said John Delmare, Global Cloud and Security Application Lead, Accenture.
We also received a vote of confidence from one of cybersecurity's most influential philanthropists: Craig Newmark. Craig Newmark Philanthropies renewed a grant for $100,000 to support Prossimo's efforts toward better memory safety in critical open source software. Since its founding, 100% of Prossimo's funding has come from contributions, and support from industry leaders like Craig Newmark continues to sustain our momentum across a wide range of initiatives:
Sudo/su: A trimmed down, memory safe version of Sudo/su is ready for use in Fedora and Debian.
Rustls: This memory safe TLS library has a strong culture and practice of benchmarking for improved performance and initial indicators show it will surpass OpenSSL on a variety of metrics this year. In addition, Rustls now has a FIPS-certified cryptography library and will soon land an OpenSSL compatibility layer, making the transition from OpenSSL seamless. The world has needed a better TLS library for a long time, and 2024 will be the year for Rustls to step up.
Reverse Proxy: Nearly every big deployment on the Internet uses a reverse proxy and that needs to be memory safe. We are building just that on top of Cloudflare's recently open sourced Pingora framework. It's called River and it will have many improvements including and beyond memory safety.
AV1: Media decoders are some of the most prolific sources of memory safety vulnerabilities (see the recent WebP vulnerability). We're working to create a suite of media decoders and compression libraries that are safer without sacrificing performance, which is critical for adoption. We're currently developing a safer AV1 decoder and we're seeing strong interest in adoption from major companies.
We're excited by the growing community invested in building a memory safe future. If you or your organization is interested in helping us get there, please reach out at sponsor@abetterinternet.org.