Monday, November 18, 2024

Retrofitting Spatial Safety to Hundreds of Millions of Lines of C++

Google Security:

Based on an analysis of in-the-wild exploits tracked by Google’s Project Zero, spatial safety vulnerabilities represent 40% of in-the-wild memory safety exploits over the past decade[…]

[…]

A key element of our strategy focuses on Safe Coding and using memory-safe languages in new code.

[…]

However, this transition will take multiple years as we adapt our development practices and infrastructure. Ensuring the safety of our billions of users therefore requires us to go further: we’re also retrofitting secure-by-design principles to our existing C++ codebase wherever possible.

[…]

Hardened libc++, recently added by open source contributors, introduces a set of security checks designed to catch vulnerabilities such as out-of-bounds accesses in production. […] Hardening libc++ resulted in an average 0.30% performance impact across our services (yes, only a third of a percent).
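To see what such a check does in practice, here is an added example (not code from Google's post or from libc++) that indexes a `std::vector` in bounds and one past the end, each in a child process, and reports how the child ended. The function names `read_element`, `probe` and `hardening_compiled_in` are made up for this illustration, and the build line in the comment assumes a libc++ release that supports `_LIBCPP_HARDENING_MODE`.

```cpp
// Build with hardening on (assumes clang++ with a libc++ that supports the macro):
//   clang++ -std=c++20 -stdlib=libc++ \
//     -D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_FAST demo.cpp
#include <cstddef>
#include <cstdio>
#include <vector>
#include <sys/wait.h>
#include <unistd.h>

// Constructed sample data: a 4-element buffer, valid indices 0..3.
static int read_element(std::size_t index) {
    std::vector<int> buf{10, 20, 30, 40};
    return buf[index];  // operator[] is only bounds-checked when hardening is on
}

// Run read_element(index) in a child so a failed check cannot take down the caller.
// Returns 0 if the child exited normally, the signal number if it was killed,
// and -1 if fork/waitpid failed.
int probe(std::size_t index) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        volatile int v = read_element(index);
        (void)v;
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

// True only when this translation unit was built against libc++ with a
// hardening mode other than "none".
bool hardening_compiled_in() {
#if defined(_LIBCPP_HARDENING_MODE) && defined(_LIBCPP_HARDENING_MODE_NONE)
    return _LIBCPP_HARDENING_MODE != _LIBCPP_HARDENING_MODE_NONE;
#else
    return false;
#endif
}

int main() {
    std::printf("hardening compiled in: %s\n", hardening_compiled_in() ? "yes" : "no");
    std::printf("index 2 (in bounds):    child result %d\n", probe(2));
    // Hardened build: the child is stopped by a signal (non-zero result).
    // Unhardened build: undefined behaviour that usually goes unnoticed.
    std::printf("index 4 (one past end): child result %d\n", probe(4));
}
```

Building the same file with and without the `-D_LIBCPP_HARDENING_MODE=...` define shows the difference: the in-bounds probe behaves identically in both, while only the hardened build stops the one-past-the-end read deterministically.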

2 Comments

Or we could just make a better C/C++ (TrapC, Fil-C, Zig, ...). No need to impose language complexity on people for absolutely no reason whatsoever.
