White House PRESS RELEASE: Future Software Should Be Memory Safe

Interesting to see this press release coming from the White House. The linked report mentions Rust:

Rust, one example of a memory safe programming language, has the three requisite properties above, but has not yet been proven in space systems.


The report is much broader than just "use Rust", and generally seems sensible.


My favorite 2023 conspiracy theory was that the Rust Foundation is lobbying the US government to only allow "memory safe" languages. "Big Borrow-Checker", if you will.

This press release will breathe new life into this conspiracy theory, and I'm here for it.


Funny that, I was just wondering about who was writing and promoting this, after all it can't be all Biden's idea, despite what it says in the paper. I started to think it was the likes of Microsoft and AWS etc. that were doing this lobbying for safer software. After all, they are investing and putting effort into Rust and such like, and they have been publishing statistics about the relation between security issues and memory unsafety.

It makes a great marketing point for our little startup. We are working in somewhat safety-critical areas and with clients that fuss about privacy and security. We have been using Rust for four or five years now. So this kind of paper is good support for us.


The NSA has been very active in the last few years publishing advisory and guidance on software security-related subjects.

Call me schizophrenic, but I would bet that this came from national security agencies, and not from Biden.


If it doesn't, it really should. The biggest issue with Rust is the lack of jobs, and government-enforced quality controls would be a great way to push the industry in the direction of Rust.


My money is on the NSA driving this.
The context for that is the many attacks on Western companies, infrastructure¹ and politics² in recent years, and the NSA's mandate is nominally protecting the security of the USA federation after all.
Essentially it's just business as usual, except this happens to get more face time with the public.

Couple that with the fact that the big push won't come from industry as a whole³, and at least to me they're the obvious actor behind this (very welcome IMO) push.

All this to say, the NSA is motivated to do something about the software vulnerability problem.

¹ Not too long ago there was mention of suspected Chinese state actors having implanted a malware bomb into electrical grids about 7 or 8 years ago, with intent of detonation in the event of war. That would mean millions of people out of power for an extended period of time, with malaise, and thus social discontent, as well as the accompanying threat to the then-POTUS's power.
² Russian-linked actors. Need I say more?
³ Mainly small and mid-sized companies, because from their POV the investment would outweigh the benefits and risks given the current laws around software security. The economics of the behemoths like MS, Amazon and Apple are different because there it favors rapid uptake of free tools that reduce liability on their part.


ONCD (the office behind this press release) previously solicited industry feedback on the topic, and the Rust Foundation was one of the respondents. Here's the Zulip discussion and the foundation's response.


The ONCD web page on this topic describes it as a complementary effort to those of a collection of 3-and-4-letter agencies.