Memory safety: opportunities and challenges for the software security of the future, Part 1
Software has become an integral part of our everyday lives: whether in the latest electric car, in e-banking or in life-saving systems. One of the most widespread threats to the security of such systems is faulty memory management. Vulnerabilities of this kind are referred to as “memory safety vulnerabilities”. New vulnerabilities are constantly being discovered in this area. However, fixing the underlying problem is a major challenge for developers and companies.
What is memory safety?
Memory safety describes how securely and correctly software manages, allocates and releases memory (RAM). It is a central component of software security, and despite years of research, memory safety failures remain among the most common vulnerabilities in modern software [1].
RAM is used in a computer to store data such as user input or the results of calculations. When a program is started, both the code (the instructions the computer executes) and the data (the information being processed) are loaded into memory. As Figure 1 shows, there is no strict separation between program code and data in the working memory. [2]

Figure 1: Data and program code in the working memory
Widely used programming languages such as C or C++ allow developers to manually manage the memory used. This is generally considered to be extremely error-prone: programs can unintentionally access unauthorised memory areas, which in turn can be exploited by attackers, for example to execute malicious code or read confidential data. The frequent occurrence of memory safety vulnerabilities is partly due to the fact that manual memory management is still widely used in these programming languages. [2] But how do memory safety vulnerabilities manifest themselves in practice? A look at real examples shows the effects of this problem.
Memory safety vulnerabilities in practice
In a recently published report, Kaspersky Security Services [3] discovered several vulnerabilities in the latest Mercedes-Benz infotainment system. These included memory safety vulnerabilities, weaknesses in the anti-theft system and the possibility of manipulating the firmware (special software embedded in the hardware that enables basic functions). This example illustrates that memory safety problems occur even in systems that are used every day. This can have noticeable consequences for users, such as the failure of important features or the loss of personal data. Furthermore, according to reports from Microsoft [4] and Google [5], around 70% of the security problems found in their own software can be attributed to memory safety vulnerabilities.
Data from the National Vulnerability Database (NVD) [6] was analysed as part of a semester project for a bachelor’s degree in computer science at BFH/TI. The NVD is a publicly accessible database of known security vulnerabilities in software and hardware. The proportion of vulnerabilities in the “Memory Safety” category [7] was compared with the total number. The statistics compiled in Figure 2 provide a more comprehensive picture of memory safety vulnerabilities in the entire IT landscape. The proportion has varied between 15 and 20% over the last 10 years. This is a considerable proportion and the number of undiscovered vulnerabilities is likely to be significantly higher.

Figure 2: Evaluation of the NVD on memory safety vulnerabilities
But what options are there to solve – or at least minimise – this problem?
Approaches to improving memory safety
In order to avoid memory safety vulnerabilities, it is recommended that program code is written in memory-safe languages wherever possible. An announcement from the White House, for example, shows that the topic is perceived as important. [8] Languages such as Python, Java and C# automatically manage memory using a garbage collector (a mechanism that cleans up and manages unused memory in the background). However, this requires additional resources, which makes their use unsuitable for efficiency-dependent and hardware-related systems such as embedded systems (special computer systems that are integrated into larger technical products such as cars or household appliances). In such cases, direct control over the memory, as made possible by the languages C/C++, is indispensable.
This is where the Rust programming language comes into play. It offers an interesting approach to preventing memory safety problems.
Rust to the rescue?
The Rust programming language [9], published in 2015, is used in many areas of application. It enables hardware-oriented programming, guarantees memory safety at compile time and works without additional mechanisms such as a garbage collector. It offers modern language concepts and defines certain rules that prevent memory safety vulnerabilities from occurring in the first place.
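Two of these rules, shown as an added example (not code from the original article or from the Rust project): a bounds check that stops a parser from reading past its buffer when an untrusted length field is wrong, and ownership, which makes use of freed memory a compile error. The record layout and the names `parse_record`, `consume` and `ownership_demo` are assumptions made for this illustration.

```rust
// Added example. Constructed record layout for illustration:
//   byte 0      = payload length N
//   bytes 1..=N = payload

/// Returns the payload only if the declared length fits inside `buf`.
/// `slice::get` performs the bounds check and yields None instead of
/// reading memory beyond the end of the buffer.
fn parse_record(buf: &[u8]) -> Option<&[u8]> {
    let declared = *buf.first()? as usize;
    buf.get(1..1 + declared)
}

/// Takes ownership of the buffer; it is freed when this function returns.
fn consume(buf: Vec<u8>) -> usize {
    buf.len()
}

/// After `consume(data)` the buffer no longer belongs to this function,
/// and the compiler rejects any further use of `data` (error E0382).
fn ownership_demo() -> usize {
    let data = vec![1u8, 2, 3];
    let n = consume(data);
    // let first = data[0]; // does not compile: `data` was moved and freed
    n
}

fn main() {
    // Constructed inputs: a well-formed record and one whose length byte
    // claims more payload than the buffer actually holds.
    let honest = [3u8, b'a', b'b', b'c'];
    let lying = [200u8, b'a', b'b', b'c'];
    println!("{:?}", parse_record(&honest));
    println!("{:?}", parse_record(&lying));
    println!("{:?}", parse_record(&[]));
    println!("{}", ownership_demo());
}
```

The bounds check runs at run time, while the ownership rule is enforced entirely by the compiler; neither needs a garbage collector.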
Rust is becoming increasingly important as a programming language in various areas of IT and could further limit memory safety vulnerabilities. Hardware security expert Pascal Mainini explains how Rust could improve memory safety in the future and in which areas the language is currently particularly relevant:
[Herren]: “In which industries or areas will Rust gain in importance?”
[Mainini]: “Rust is basically universally applicable as a language, but there are areas in which adoption is already more advanced. On the one hand, of course, HW-related programming, but also the cloud area, for example. As Rust is a very efficient language, it also contributes to energy efficiency when applications run on thousands of servers. Last but not least, Rust is also the only language besides C that can now be used to develop drivers for the Linux kernel.”
The full interview on Rust and its development will follow shortly.
Review and outlook
Memory safety vulnerabilities can affect systems of any kind. Across the entire IT landscape, the proportion of known vulnerabilities in this category fluctuates between 15 and 20%, significantly less than the frequently quoted 70% reported by Microsoft and Google. Nevertheless, it is a serious problem. Complete protection against memory safety vulnerabilities requires a lot of effort and resources from companies and developers. A short-term solution is challenging, as existing code would either have to be ported to a memory-safe language or comprehensively secured. In addition, detecting such vulnerabilities is often difficult. Various approaches, such as new detection methods (for example using AI) or the use of languages such as Rust, could reduce the risk in the future. However, one thing is certain: in future, program code should be written in memory-safe languages wherever possible. Furthermore, awareness of this problem must be significantly raised among companies and developers.
References
[1] H. Okhravi, “Memory Safety,” IEEE Security & Privacy, vol. 22, no. 4, pp. 13–15, Jul. 2024 [Online]. Available: doi:10.1109/MSEC.2024.3409849
[2] C. Rohlf (2023, Sep. 26). Memory Safety: An Explainer [Website]. Available: https://cset.georgetown.edu/article/memory-safety-an-explainer/, accessed 18 Oct. 2025
[3] Kaspersky Security Services (2025, Jan. 17). Mercedes-Benz Head Unit security research report [Website]. Available: https://securelist.com/mercedes-benz-head-unit-security-research/115218/, accessed 19 Oct. 2025
[4] Microsoft Security Response Center (2019, Jul. 16). A proactive approach to more secure code [Website]. Available: https://msrc.microsoft.com/blog/2019/07/a-proactive-approach-to-more-secure-code/, accessed 18 Oct. 2025
[5] The Chromium Projects (n.d.). Memory safety [Website]. Available: https://www.chromium.org/Home/chromium-security/memory-safety/, accessed 18 Oct. 2025
[6] B. Harold (2015). National Institute of Standards and Technology: National Vulnerability Database [Website]. Available: https://nvd.nist.gov/, accessed 18 Oct. 2025
[7] The Mitre Corporation (n.d.). Comprehensive Categorization: Memory Safety [Website]. Available: https://cwe.mitre.org/data/definitions/1399.html#Vulnerability_Mapping_Notes_1399, accessed 18 Oct. 2025
[8] The White House. PRESS RELEASE: Future Software Should Be Memory Safe [Archived]. Available: https://web.archive.org/web/20240226175250/https://www.whitehouse.gov/oncd/briefing-room/2024/02/26/press-release-technical-report/, accessed 31 Oct. 2025
[9] Rust Team (n.d.). Rust: A language empowering everyone to build reliable and efficient software [Website]. Available: https://rust-lang.org/, accessed 19 Oct. 2025