For the Cybersecurity Community: A Call to Action for Memory-safe Strategies and “Better Diagnostics that Measure Cybersecurity Quality”

In late February, “the National Cyber Director (ONCD) released a report calling on the technical community to proactively reduce the attack surface in cyberspace. ONCD makes the case that technology manufacturers can prevent entire classes of vulnerabilities from entering the digital ecosystem by adopting memory-safe programming languages. ONCD is also encouraging the research community to address the problem of software measurability to enable the development of better diagnostics that measure cybersecurity quality.”  Find the details of the ONCD report here. 

Future Software Should Be Memory Safe

At a White House press conference, National Cyber Director Harry Coker emphasized the nation’s capability and obligation to minimize cybersecurity risks by adopting memory-safe programming languages, thereby preventing many types of security vulnerabilities. The release of a new report, developed with contributions from the technical community and both public and private sector partners, highlights the potential threats and opportunities as the nation moves towards creating software that is inherently secure and memory-safe. Coker also highlighted the importance of collaborating with the academic community to tackle the challenge of developing better diagnostics for measuring cybersecurity quality. Addressing these challenges is crucial for the long-term security of the digital ecosystem and the nation’s security.

From the White House press release:   “By adopting an engineering-forward approach to policymaking, ONCD is ensuring that the technical community’s expertise is reflected in how the Federal Government approaches these problems. Creators of software and hardware can have an outsized impact on the Nation’s shared security by factoring cybersecurity outcomes into the manufacturing process.

‘Some of the most infamous cyber events in history – the Morris worm of 1988, the Slammer worm of 2003, the Heartbleed vulnerability in 2014, the Trident exploit of 2016, the Blastpass exploit of 2023 – were headline-grabbing cyberattacks that caused real-world damage to the systems that society relies on every day. Underlying all of them is a common root cause: memory safety vulnerabilities. For thirty-five years, memory safety vulnerabilities have plagued the digital ecosystem, but it doesn’t have to be this way,’ says Anjana Rajan, Assistant National Cyber Director for Technology Security. ‘This report was created for engineers by engineers because we know they can make the architecture and design decisions about the building blocks they consume – and this will have a tremendous effect on our ability to reduce the threat surface, protect the digital ecosystem, and ultimately, the Nation.’

ONCD has engaged with a diverse group of stakeholders, rallying them to join the Administration’s effort. Statements of support from leaders across academia, civil society, and industry can be found here.”

Summary of the ONCD Report – Back to the Building Blocks: A Path Toward Secure and Measurable Software

Abstract

President Biden’s National Cybersecurity Strategy calls for two fundamental shifts in how the United States allocates roles, responsibilities, and resources: 

  • Rebalance the responsibility to defend cyberspace; and
  • Realign incentives to favor long-term cybersecurity investments.

The crucial role of the technical community in enhancing cybersecurity across the digital ecosystem is the report’s central organizing principle. The report makes the case that the technical community is well-positioned to drive progress on both strategic goals:

  1. First, to reduce memory safety vulnerabilities at scale, creators of software and hardware can better secure the building blocks of cyberspace. This report focuses on the programming language as a primary building block and explores hardware architecture and formal methods as complementary approaches to achieve similar outcomes.
  2. Second, to establish accurate cybersecurity quality metrics, advances can be made to address the hard and complex research problem of software measurability. This report explores how such metrics can shift market forces to improve cybersecurity quality across the ecosystem.

Memory Safety Vulnerabilities

Memory safety vulnerabilities are a class of vulnerabilities in which memory is accessed, written, allocated, or deallocated in unintended ways. These vulnerabilities are prevalent and have plagued cyber defenders for decades. They fall into two broad categories, spatial and temporal:

  • Spatial memory safety issues occur when memory accesses are performed outside of the established bounds for variables and objects.  Spatial memory safety vulnerabilities have been linked to major cybersecurity incidents over the years, including the Morris Worm, the Slammer Worm, Heartbleed, and the BLASTPASS exploit chain. 
  • Temporal memory safety issues arise when memory is accessed outside of its intended time or state.  
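The two categories can be told apart in code. The following is an added example, not taken from the ONCD report or from OODA: a small C object pool whose references carry a length and a generation counter, so an access outside an object's bounds is rejected as a spatial error and an access through a reference to a freed (or freed and reused) object is rejected as a temporal error. The names `pool_alloc`, `pool_free`, `pool_at` and `struct handle` are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POOL_SLOTS 4
#define SLOT_BYTES 16

enum access_result { ACCESS_OK, ERR_SPATIAL, ERR_TEMPORAL };

struct slot {
    uint8_t  data[SLOT_BYTES];
    uint32_t generation;  /* incremented on every free */
    int      live;
};

/* Hypothetical checked reference: which slot, which lifetime, how many bytes. */
struct handle { unsigned index; uint32_t generation; size_t length; };

static struct slot pool[POOL_SLOTS];

/* Allocate `length` zeroed bytes; returns 0 on success, -1 on failure. */
int pool_alloc(size_t length, struct handle *out)
{
    if (length == 0 || length > SLOT_BYTES) return -1;
    for (unsigned i = 0; i < POOL_SLOTS; i++) {
        if (pool[i].live) continue;
        pool[i].live = 1;
        memset(pool[i].data, 0, SLOT_BYTES);  /* no stale data leaks on reuse */
        *out = (struct handle){ i, pool[i].generation, length };
        return 0;
    }
    return -1;  /* pool exhausted */
}

/* Free an object; a stale or repeated free is ignored. */
void pool_free(struct handle h)
{
    if (h.index >= POOL_SLOTS) return;
    struct slot *s = &pool[h.index];
    if (!s->live || s->generation != h.generation) return;
    s->live = 0;
    s->generation++;  /* every outstanding handle to this slot is now stale */
}

/* Resolve handle + offset to a byte, or report which class of error it is. */
enum access_result pool_at(struct handle h, size_t offset, uint8_t **p)
{
    if (h.index >= POOL_SLOTS) return ERR_SPATIAL;
    struct slot *s = &pool[h.index];
    if (!s->live || s->generation != h.generation) return ERR_TEMPORAL;
    if (offset >= h.length) return ERR_SPATIAL;  /* outside the object's bounds */
    *p = &s->data[offset];
    return ACCESS_OK;
}

int main(void)
{
    struct handle a;
    uint8_t *p = NULL;
    if (pool_alloc(8, &a) != 0) return 1;
    printf("offset 7 of 8: %d\n", pool_at(a, 7, &p));
    printf("offset 8 of 8: %d\n", pool_at(a, 8, &p));
    pool_free(a);
    printf("after free:    %d\n", pool_at(a, 0, &p));
    return 0;
}
```

With a raw C pointer none of these checks exist: the read at offset 8 and the read after `pool_free` would both simply execute.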

Memory-Safe Programming Languages

“Utilizing memory-safe programming languages is recommended to improve software security and address the pervasive issue of memory safety vulnerabilities in critical systems.” 

Transitioning to memory-safe programming languages can significantly reduce memory safety vulnerabilities and improve cybersecurity. By designing new products in memory-safe languages and migrating legacy code to them, creators can greatly reduce memory safety errors and vulnerabilities in their software and minimize their prevalence across the digital ecosystem. The report mentions that technological solutions are readily available, with numerous memory-safe programming languages to choose from, allowing technology manufacturers to design products with enhanced security measures from the outset. The transition to memory-safe programming languages has been shown to have a positive impact on cybersecurity, as these languages help eliminate memory safety vulnerabilities, especially when migrating large code bases.

Memory Safe Hardware

Memory-safe hardware aims to complement memory-safe programming languages and formal methods to enhance cybersecurity by reducing memory-safety vulnerabilities in the digital ecosystem. While memory-safe programming languages can eliminate most memory safety errors, memory-safe hardware provides an additional layer of security. By adopting memory-safe programming languages and hardware, software and hardware creators can proactively eliminate entire classes of bugs and improve software security effectively.  The use of memory-safe hardware can be crucial in critical systems like space systems, where memory safety is a paramount concern. These approaches offer a way to eliminate, rather than just mitigate, vulnerabilities, providing a significant opportunity to enhance the cybersecurity of digital systems.  

Memory-safe hardware and formal methods are complementary approaches to achieve similar outcomes in certain situations, such as in space systems.

Formal Methods

Formal methods are mathematical techniques used to prove the correctness of software, ensuring it meets specific security requirements.  By incorporating formal methods into the development process, software developers can detect faults early and reduce vulnerabilities in their code.  These methods can be applied throughout the software development lifecycle, offering a powerful tool to enhance software security and reliability.  By automating mathematical proofs during software building and testing, developers can verify security conditions and use secure software components, minimizing the risk of vulnerabilities.  Despite formal methods being studied for decades, their widespread adoption requires further innovation to make them more accessible to developers.  

From the Report:  “Even if engineers build with memory-safe programming languages and memory-safe chips, one must think about the vulnerabilities that will persist even after technology manufacturers take steps to eliminate the most prevalent classes. Given the complexities of code, testing is a necessary but insufficient step in the development process to reduce vulnerabilities at scale fully. Suppose correctness is defined as the ability of a piece of software to meet a specific security requirement. In that case, it is possible to demonstrate correctness using mathematical techniques called formal methods. These techniques, often used to prove a range of software outcomes, can also be used in cybersecurity and are viable even in complex environments like space. While formal methods have been studied for decades, their deployment remains limited; further innovation in approaches to make formal methods widely accessible is vital to accelerate broad adoption. Doing so enables formal methods to serve as another powerful tool to give software developers greater assurance that entire classes of vulnerabilities, even beyond memory safety bugs, are absent.

While several types of formal methods span a range of techniques and stages in the software development process, this report highlights a few specific examples.

Sound static analysis examines the software for specific properties without executing the code…This method is effective because it can be used across many representations of software, including the source code, architecture, requirements, and executables.

Model checkers can answer questions about several higher-level properties…These algorithms can be used during production; however, they are limited in their scaled use due to their computational complexity.

Assertion-based testing is a formal statement of properties carried in the code that may be used to cross-check the code during testing or production.  These generated proofs allow for faults to be detected much earlier and closer to the erroneous code, rather than tracing back from externally visible systems failures.

There are two ways software engineers can use these techniques across software and hardware.

  1. First, formal methods can be incorporated directly into the developer toolchain. As the programmer builds, tests, and deploys software, the compiler can automate these mathematical proofs and verify that a security condition is met. 
  2. Additionally, the developer can use formally verified core components in their software supply chain.  By choosing provably secure software libraries, developers can ensure the components they are using are less likely to contain vulnerabilities.  Formal methods can be incorporated throughout the development process to reduce the prevalence of multiple categories of vulnerabilities. Some emerging technologies are also well-suited to this technique.”

For the full report, including Part III: Addressing the Software Measurability Problem, see Back to the Building Blocks: A Path Toward Secure and Measurable Software.

What Next? 

The report concludes with a call to action directed at the technical community by the ONCD on behalf of the Executive Branch:

“As questions arise about the safety or trustworthiness of a new software product, formal methods can accelerate market adoption in ways that traditional software testing methods cannot. They allow for proving the presence of an affirmative requirement, rather than testing for the absence of a negative condition.  While memory-safe hardware and formal methods can be excellent complementary approaches to mitigating undiscovered vulnerabilities, one of the most impactful actions software and hardware manufacturers can take is adopting memory-safe programming languages. They offer a way to eliminate, not just mitigate, entire bug classes. This is a remarkable opportunity for the technical community to improve the cybersecurity of the entire digital ecosystem.

The challenge of eliminating entire classes of software vulnerabilities is an urgent and complex problem.   Looking forward, new approaches must be taken to mitigate this risk:

  1. The technical community is critical to this progress. Through the adoption of memory-safe programming languages, creators of software and hardware can better secure the building blocks of cyberspace and proactively eliminate entire classes of bugs.
  2. By rallying around the hard and complex problem of software measurability, the research community can develop better cybersecurity quality metrics to incentivize better decision-making by consumers, manufacturers, and policymakers across the ecosystem.   

These efforts will be bold, long-term endeavors that require sustained focus and prioritization. Now is the time to begin this work.”  

Further OODA Loop National Cybersecurity Strategy Scenarios

The future of the National Cybersecurity Strategy, in conjunction with the evolution of memory safety vulnerabilities, memory-safe programming languages, memory-safe hardware, and formal methods, remains promising but pragmatically daunting. Let’s dissect these components with a discerning eye toward their potential trajectories and interdependencies: 

  • The National Cybersecurity Strategy, as we’ve seen, is increasingly recognizing the importance of collaboration between the government and the private sector to address the dynamic and sophisticated nature of cyber threats. This trend is likely to continue and expand, with future strategies potentially emphasizing not just collaboration but also the integration of advanced technological solutions to enhance national cybersecurity posture. In contemplating these future scenarios, it becomes evident that the integration of memory-safe programming languages and memory-safe hardware into an organization’s cybersecurity strategy could significantly impact its resilience against cyber threats.
  • Memory safety vulnerabilities have been at the heart of numerous cybersecurity incidents, underscoring the critical need for more secure programming practices. The ONCD acknowledgment that memory-safe programming languages can eliminate a class of defects that have plagued software development for decades is a significant step forward.  In the future, we might see a strategic push, possibly endorsed or mandated by national cybersecurity policies, for the adoption of these languages in critical infrastructure and sensitive applications. This could be coupled with incentives for education and training programs to equip the next generation of developers with the skills needed to effectively utilize these languages.
  • Formal methods, while traditionally seen as academically rigorous but practically challenging, are gaining traction as a viable approach to verifying the security properties of software and hardware systems. As the complexity of cyber threats grows, the precision and reliability offered by formal methods could become increasingly valuable. Future strategies might encourage research and development efforts aimed at making formal methods more accessible and applicable to a broader range of technologies, thereby elevating the overall security posture of digital systems.
  • The evolution of memory-safe hardware is another critical piece of the puzzle. The incorporation of architectural features that enable fine-grained memory protection, as described by initiatives like CHERI, represents a promising direction for making computing systems inherently more secure. 

Capability Hardware Enhanced RISC Instructions (CHERI) 

CHERI (Capability Hardware Enhanced RISC Instructions) represents a significant shift in computing architecture, aimed at enhancing security through hardware innovation. Born from a collaboration that includes the University of Cambridge, SRI International, and others, under the auspices of a DARPA program, CHERI seeks to fundamentally alter how memory access and management are handled by computing systems.

At its core, CHERI introduces the concept of capabilities for memory access. Unlike traditional pointers, which can be freely manipulated and, therefore, exploited by malicious actors to execute attacks such as buffer overflows, CHERI’s capabilities restrict how memory can be accessed or modified. These capabilities are essentially tokens or keys that grant specific permissions to access certain memory regions, with the crucial twist that these permissions can be narrowed but never expanded. This design principle ensures that even if a piece of software is compromised, the damage it can do is severely limited by the capabilities it has been granted. 
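The narrowing rule described above can be modelled in a few lines of C. This is an added example, not code from the CHERI project or from the original article: a simplified software model in which a capability holds bounds, permissions and a validity tag, derivation can only shrink bounds and drop permissions, and every load or store is checked. The struct layout, the function names and the choice to clear the tag on an illegal derivation are assumptions of this model.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PERM_LOAD  0x1u
#define PERM_STORE 0x2u

/* Simplified software model of a capability (field names are this example's).
   On CHERI hardware the validity tag is kept by the processor and cannot be
   set by software; here it is an ordinary struct field. */
struct cap {
    size_t   base;    /* first address the holder may touch */
    size_t   length;  /* number of bytes starting at base */
    unsigned perms;   /* PERM_* bits */
    int      tag;     /* 1 = valid, 0 = unusable */
};

static uint8_t memory[64];  /* constructed toy address space */

/* The one capability that covers everything; all others derive from it. */
struct cap cap_root(void)
{
    return (struct cap){ 0, sizeof memory, PERM_LOAD | PERM_STORE, 1 };
}

/* Derive a child capability. The request must stay inside the parent's
   bounds and ask for a subset of its permissions; otherwise the result is
   untagged, and anything derived from it is untagged too. */
struct cap cap_derive(struct cap parent, size_t base, size_t length, unsigned perms)
{
    int within = base >= parent.base && length <= parent.length &&
                 base - parent.base <= parent.length - length;
    int subset = (perms & ~parent.perms) == 0;
    return (struct cap){ base, length, perms, parent.tag && within && subset };
}

/* Every access is checked against tag, permission and bounds. */
static int cap_check(struct cap c, size_t addr, unsigned need)
{
    if (!c.tag || (c.perms & need) != need) return -1;
    if (addr < c.base || addr - c.base >= c.length) return -1;
    return addr < sizeof memory ? 0 : -1;
}

int cap_load(struct cap c, size_t addr, uint8_t *out)
{
    if (cap_check(c, addr, PERM_LOAD) != 0) return -1;
    *out = memory[addr];
    return 0;
}

int cap_store(struct cap c, size_t addr, uint8_t value)
{
    if (cap_check(c, addr, PERM_STORE) != 0) return -1;
    memory[addr] = value;
    return 0;
}

int main(void)
{
    struct cap buf  = cap_derive(cap_root(), 16, 8, PERM_LOAD | PERM_STORE);
    struct cap ro   = cap_derive(buf, 16, 8, PERM_LOAD);
    struct cap wide = cap_derive(ro, 16, 16, PERM_LOAD);
    printf("store via read-only capability: %d\n", cap_store(ro, 16, 1));
    printf("tag after widening attempt: %d\n", wide.tag);
    return 0;
}
```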

The implications of CHERI for cybersecurity are profound. By rethinking memory access at the hardware level, CHERI aims to mitigate a wide array of vulnerabilities that have historically been a thorn in the side of software security. For instance, the integration of CHERI into ARM’s Morello boards is a tangible step towards realizing this vision, offering a platform for developers and researchers to explore and validate the security benefits of capability-based computing.    The potential of CHERI to render a significant percentage of traditional memory safety vulnerabilities inert is not just theoretical. Analysis of bug reports to Microsoft’s Security Center revealed that with CHERI, a substantial proportion of vulnerabilities could have been completely neutralized, highlighting the practical value of this approach in enhancing cybersecurity resilience.

In essence, CHERI represents a bold reimagining of computing architecture with security at its heart. It’s a testament to the fact that as we continue to grapple with the complexities of digital security, innovative solutions that rethink fundamental principles can offer a path forward.  Future cybersecurity strategies could advocate for the widespread adoption of such hardware innovations, particularly in sectors deemed critical to national security and economic stability. This would not only enhance the resilience of these sectors to cyber attacks but also set a benchmark for secure-by-design in hardware development.

NOTE:  This OODA Loop Original Analysis was partially generated with the cognitive augmentation of and in collaboration with ALTzero Project – MattGPT.

Daniel Pereira

About the Author

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.