coreinfrastructure / best-practices-badge

🏆Open Source Security Foundation (OpenSSF) Best Practices Badge (formerly Core Infrastructure Initiative (CII) Best Practices Badge)
https://www.bestpractices.dev
MIT License

new SHOULD badging criteria in gold for memory-safe language usage? #2160

Open TonyLHansen opened 2 weeks ago

TonyLHansen commented 2 weeks ago

There are some reports recently (June 2024 and Dec 2023) published on memory safe code by Cybersecurity and Infrastructure Security Agency (CISA), and others:

joint-guidance-exploring-memory-safety-in-critical-open-source-projects-508c.pdf, The-Case-for-Memory-Safe-Roadmaps-508c.pdf

Should we have some information on memory safe languages as part of the badging criteria?

One possibility would be the addition of a gold-level SHOULD question asking if a memory safe language is being used.

david-a-wheeler commented 2 weeks ago

We definitely want to encourage the use of memory-safe languages, but mandating them seems too far. Even for gold.

In particular, today trying to create a performant kernel in a language other than C or C++ is applied research. There have been commercial-grade operating systems written in Ada (Biin), PL/1 (e.g., CP/M), and Lisp (Symbolics), but that's not something that's normally been done in the last 20 years. The Linux kernel developers are working to make it possible to write device drivers in Rust, and there are definitely discussions on doing more. I think they will eventually succeed. However, this effort is resulting in changes to the Rust language and implementation, which means it's an effort in transition. So it's challenging to do in some cases. This would make gold unattainable for practical kernels & many other IoT devices.

The costs also make this very hard. I did a quick estimate of the costs to rewrite all C and C++ code, and came up with about $2.4 trillion (USD). I don't have that in my back pocket.

Don't get me wrong, I think it's good to encourage memory-safe languages. I'm not sure this is the right way to do it, though, at least at the "gold" level.

If we want to put it in a level at all, there's possible variation. We had discussed creating a fourth "platinum" level where there is 100% review of all changes. I could see "use memory-safe language" in the platinum level, if we were going to do that. Then "platinum" would have multiple criteria & they'd be plausible in some circumstances.

TonyLHansen commented 2 weeks ago

This is why I said "SHOULD" and not "MUST". It'd be a recommendation and not a mandate.

And yes, all of the SHOULDs in the current gold level are fodder for MUSTs in a hypothetical platinum level.