The Memory Safety SIG is a group working within the OpenSSF's Best Practices Working Group formed to advance and deliver upon The OpenSSF's Mobilization Plan - Stream 4.
Memory safety vulnerabilities, caused by mistakes in memory management, are common in unsafe programming languages like C and C++.This type of vulnerability is responsible for a majority of security breaches, with estimates from Microsoft and Google showing that up to 70% and 90% of vulnerabilities in their products, respectively, are memory safety vulnerabilities.
Memory safe languages like Rust, Go, JavaScript, and Java are less prone to these types of errors. The consequences of these vulnerabilities are not just technical, but can result in significant financial losses and invasion of personal data and privacy. A recent analysis by Google Project Zero showed that 67% of vulnerabilities exploited in the wild were due to a lack of memory safety, making it a critical issue that needs to be addressed in software development.
Vision: Eliminate memory safety vulnerabilities (in Open Source Software (OSS).
Mission: Understand and reduce memory safety vulnerabilities in OSS.
Develop pragmatic guidance, standards, and software (including tools, tool improvements, and rewrites), along with advocating such changes, to systematically reduce memory safety vulnerabilities through the use of memory-safe programming languages and techniques, all informed by real-world data and risks.
- N/A
- Official communications occur on the openssf-sig-memory-safety@lists.openssf.org.
Manage your subscriptions to Open SSF mailing lists. - Memory Safety SIG Slack
- Areas that need contributions
- Review of the Proposed Stream #4 Mobilization Plan
- File issues
- Every other Thursday @ 13:00am EST. The invite is available on the OpenSSF Community Calendar.
- Meeting Minutes
The CHARTER.md outlines the scope and governance of our group activities.
- Lead name: Nell Shamrell-Harrington
- Co-Lead name: Avishay Balter, Microsoft
- Walter Pearce
- Randall T. Vasquez, Gentoo/Homebrew
- Jay White, Microsoft
- Christine Abernathy, F5
- Gabriel Dos Reis (Microsoft)
- Josh Aas (he/him, ISRG/Prossimo)
- Jonathan Leitschuh (he/him) OpenSSF
In accordance with the OpenSSF Charter (PDF), work produced by this group is licensed as follows:
-
Software source code
- Apache License, Version 2.0, available here;
-
Data
- Any of the Community Data License Agreements, available here;
-
Specifications
- Community Specification License, Version 1.0, available here
-
All other Documentation
- Creative Commons Attribution 4.0 International License, available here