The Memory Safety Crisis: Understanding the Risks in Embedded Software

Posted on April 9, 2024
Author: RunSafe Security

Introduction to Memory Safety

Memory safety is a foundational aspect of software development, ensuring that programs operate reliably and securely without accessing or manipulating memory incorrectly. In embedded systems, where software controls critical functions such as transportation systems or power grids, the importance of memory safety cannot be overstated. 

The National Security Agency (NSA) has issued guidance emphasizing the severity of such vulnerabilities, prompting major tech companies like Google and Microsoft to underscore their prevalence. Likewise, the Cybersecurity and Infrastructure Security Agency (CISA) has issued an implementation plan to fortify and defend the digital landscape. 

This blog post delves into the risks posed by memory vulnerabilities in embedded software, the challenges in addressing them, and how embedded software security solutions like RunSafe Security can enhance memory safety without extensive code rewrites or performance degradation.

Risks of Memory-Based Vulnerabilities in Embedded Software 

Memory safety in embedded software is not just a concern; it is a substantial and pressing threat to software deployed within critical infrastructure. This concern is further amplified by the NSA’s recent guidance in November 2022, which underlines the gravity of the risk posed by memory-based vulnerabilities. These vulnerabilities have the potential to compromise the integrity and security of essential systems, a risk that cannot be ignored.

A similar analysis from MITRE reveals a sobering reality: three of the top eight most dangerous software weaknesses are memory safety issues. Google and Microsoft echo these concerns, reporting that nearly 70% of their vulnerabilities in native code stem from memory-based flaws. 

The NSA’s recommendation, a fast transition to memory-safe alternatives like Go, Java, Ruby, Rust, and Swift, highlights the situation’s urgency. However, the monumental task of rewriting code for memory safety means touching billions of lines of code across countless code bases and products. This presents significant challenges to any organization, both in terms of financial investment and opportunity cost.

Challenges of Addressing Memory Safety

Traditionally, the recommended approach to addressing memory safety in embedded software has been rewriting code in languages like Rust, which is known for its memory safety features. However, rewriting billions of lines of code across numerous code bases and products entails significant costs and time investments. Moreover, this may disrupt existing workflows and introduce unnecessary complexities into development processes.

RunSafe’s Innovative Approach to Memory Safety

RunSafe Security presents a pioneering solution in contrast to conventional methods, providing organizations with the capability to attain memory safety without requiring extensive code alterations or sacrificing performance. RunSafe hardens code by randomizing the placement of functions in memory, ensuring a unique memory layout for each binary at runtime.
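The effect of randomizing function placement can be seen in a small simulation. This is an added example, not RunSafe's code or implementation: the function names, sizes and address ranges are constructed, and the comparison against sliding the whole image to a random base address is an assumption introduced here for contrast.

```python
import random

# Constructed sample: names and sizes (bytes) of functions in a hypothetical image.
FUNCTIONS = [("init_hw", 0x120), ("read_sensor", 0x80), ("parse_frame", 0x240),
             ("update_state", 0x1A0), ("send_reply", 0xC0), ("watchdog_kick", 0x40)]
PAGE = 0x1000


def layout(order, base):
    """Place functions back to back in the given order, starting at base."""
    addrs, cursor = {}, base
    for name, size in order:
        addrs[name] = cursor
        cursor += size
    return addrs


def load_base_only(rng):
    """Slide the whole image to a random page-aligned base; order stays fixed."""
    return layout(FUNCTIONS, rng.randrange(0x10, 0x1000) * PAGE)


def load_shuffled(rng):
    """Random base plus a fresh permutation of function order on every load."""
    order = FUNCTIONS[:]
    rng.shuffle(order)
    return layout(order, rng.randrange(0x10, 0x1000) * PAGE)


def relative_offsets(addrs, anchor="init_hw"):
    """Distance from one known function to each of the others."""
    return tuple(addrs[name] - addrs[anchor] for name, _ in FUNCTIONS)


def distinct_relative_layouts(loader, loads=200, seed=1):
    """Count how many different internal layouts appear across repeated loads."""
    rng = random.Random(seed)
    return len({relative_offsets(loader(rng)) for _ in range(loads)})


if __name__ == "__main__":
    # 1 means every load has the same internal layout; higher is less predictable.
    print("base-only :", distinct_relative_layouts(load_base_only))
    print("shuffled  :", distinct_relative_layouts(load_shuffled))
```

With a fixed function order, the distances between functions are identical on every load, so the internal layout is the same everywhere the binary runs; with per-load shuffling those distances change from one load to the next.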

By embedding protective measures directly into the software during the build process, RunSafe effectively addresses memory-based vulnerabilities while maintaining system performance. This approach offers a practical and economically viable alternative to traditional security measures, mitigating the risk of exploitation without imposing significant overhead on operations. 

Moreover, RunSafe seamlessly integrates with continuous integration and continuous delivery (CI/CD) pipelines, streamlining the incorporation of enhanced security measures into the software supply chain. This integration ensures that developers can maintain their productivity while simultaneously fortifying the security of their applications, significantly improving the resilience of deployed software against potential threats.

Software Supply Chain Security with RunSafe

By implementing RunSafe technology within CI/CD pipelines, organizations gain the capability to reinforce proprietary software compiled internally or by suppliers, alongside deploying hardened iterations of incorporated open-source components. Leveraging RunSafe’s CI integrations with GitLab and GitHub, customers can automate SBOM generation and integrate security measures at build time, all without compromising developer efficiency or system performance.

Ensuring Security in Embedded Systems, ICS, and OT

Securing operational technology (OT), industrial control systems (ICS), and other critical embedded systems poses distinctive challenges. Yet RunSafe’s technology adeptly tackles these obstacles by thwarting memory-based attacks and safeguarding embedded software during runtime without imposing undue administrative burdens.

Through our automated tool, protective measures are integrated at the software build stage and activated during deployment to fortify embedded software during runtime. Our extensive deployment experience spans a myriad of devices, ranging from firmware on servers to interoperability software facilitating communication between electric vehicle charging stations and the energy grid, as well as software employed in industrial automation facilities.

In addition to this, RunSafe’s technology can be integrated into DevSecOps workflows, ensuring that security measures are applied consistently throughout the development process and across development teams. By incorporating protections at the build stage, organizations can mitigate vulnerabilities early in the software development lifecycle, reducing the risk of exploitation in production environments.

RunSafe’s compatibility is not limited by operating system or instruction set. RunSafe products are compatible across various operating systems (such as LynxOS, VxWorks, Linux, Android, QNX and several other iterations) and most instruction sets (Intel, ARM (32- and 64-bit), PowerPC, and additional instruction sets). This versatility ensures that organizations across diverse sectors can confidently leverage RunSafe’s technology to enhance the security posture of their embedded systems, knowing that it can adapt to their specific needs.

Practical and Cost-Effective Memory-Based Vulnerability Protection

The imperative to address memory safety in embedded software is a critical issue that demands immediate attention. RunSafe Security offers a practical and cost-effective solution to this problem, allowing organizations to strengthen their software against memory-based vulnerabilities without the need for extensive code rewrites or performance sacrifices. 

As the threat landscape evolves, embracing innovative approaches like RunSafe Security becomes essential for safeguarding critical infrastructure and ensuring the resilience of embedded systems. 

Take charge of your organization’s memory safety today in your software deployments and mitigate the risks posed by memory-based vulnerabilities with RunSafe Security.
