Google has shared that its adoption of memory-safe languages like Rust as part of its secure-by-design approach has significantly decreased memory-safe vulnerabilities discovered in Android from 76% to 24% within six years.
The company highlighted that focusing on Safe Coding for new features reduces security risks and makes the transition scalable and cost-effective.
According to Google’s Jeff Vander Stoep and Alex Rebert, this shift results in fewer memory safety vulnerabilities over time as memory-safe development outpaces memory unsafe development.
Interestingly, the quantity of memory safety vulnerabilities can drop even with an increase in new memory unsafe code due to the decay of vulnerabilities primarily residing in new or recently modified code.
Google emphasized the importance of continuous advancements in detecting and mitigating flaws, moving towards proactive vulnerability discovery using tools like Clang sanitizers.
The company also underlined the need for evolving memory safety strategies to prioritize high-assurance prevention by integrating secure-by-design principles into software development processes.
Furthermore, Google mentioned its focus on enabling interoperability between Rust, C++, and Kotlin to eliminate entire vulnerability classes and enhance overall security.
The company highlighted the exponential decrease in vulnerabilities by adopting Safe Coding in new code, leading to a safer codebase and more effective security design.
Google’s collaboration with Arm’s security teams to enhance the security of GPU software/firmware in the Android ecosystem resulted in the discovery and resolution of memory issues.
Proactive testing and vulnerability discovery are crucial in preventing exploitation of vulnerabilities, according to Google and Arm.
