Commit

additions to the memory safety continuum
Signed-off-by: Nell Shamrell <nellshamrell@gmail.com>
nellshamrell committed Apr 27, 2024
1 parent 935898d commit 58a9e7a
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion docs/memory-safety-continuum.md
Expand Up @@ -39,10 +39,14 @@ Examples:
* Following the [C++ Core Guidelines](https://github.com/isocpp/CppCoreGuidelines) when writing C++
* Using the [C++ Compiler Hardening Guide](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Compiler-Hardening-Guides) when compiling C++ code
* Isolating code that processes un-trusted data from code that performs direct memory management operations or uses raw pointers (see [Language-theoretic Security](https://github.com/ossf/Memory-Safety/pull/20))
* Use [smart pointers](https://learn.microsoft.com/en-us/cpp/cpp/smart-pointers-modern-cpp?view=msvc-170)

### Using a non-memory safe by default language with developer best practices and automated tooling to check for memory safety in first party code

TO DO
* [Using compiler options for hardening C and C++ Code](https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html)
* Use a fuzzer such as [syzkaller](https://github.com/google/syzkaller)
* Use [sanitizers](https://github.com/google/sanitizers)
* Use tools to [detect dangling pointers](https://chromium.googlesource.com/chromium/src/+/HEAD/docs/dangling_ptr.md)

### Using a non-memory safe by default language with developer best practices and automated tooling to check for memory safety in first party code AND automated tooling to check for memory safety in third party code (dependencies)
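Review bot: The compiler-hardening bullet added under the "automated tooling to check for memory safety in first party code" heading repeats the hardening-guide item already listed in the previous section's examples, and it uses a different URL (best.openssf.org rather than the GitHub tree link), so the same practice now appears at two levels of the continuum. Suggest keeping it at one level and settling on a single canonical link. The list that replaces "TO DO" also has no "Examples:" line like the other sections, and the new bullets are imperative ("Use ...") or a bare link title while the existing ones use gerunds ("Following ...", "Using ...", "Isolating ..."); matching those would keep the document consistent. The smart pointers link is pinned to `view=msvc-170`, which ties the reference to one vendor's documentation version.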

Expand All @@ -63,13 +67,15 @@ Examples:
* Following the [Rustnomicon](https://doc.rust-lang.org/nomicon/intro.html) careful practices when using unsafe blocks in Rust
* Following best practices (LINK NEEDED) when using the Go [unsafe](https://pkg.go.dev/unsafe#pkg-overview) package
* Following [Javascript Memory Management](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Memory_management) practices
* Ensure [soundness](https://rust-lang.github.io/unsafe-code-guidelines/glossary.html#soundness-of-code--of-a-library) of unsafe Rust code

### Using a memory safe by default language with developer best practices and automated tooling to check for memory safety in first party code

Examples:

* Using the [Go Data Race Detector](https://go.dev/doc/articles/race_detector)
* Using other tools such as [govulncheck, fuzzing, and vet](https://go.dev/doc/security/best-practices) when writing Go code
* Using a mutation tester such as [cargo-mutants](https://github.com/sourcefrog/cargo-mutants)

### Using a memory safe by default language with developer best practices and automated tooling to check for memory safety in first party code AND third party code
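Review bot: The cargo-mutants bullet is added under a heading about automated tooling that checks for memory safety, but a mutation tester scores the test suite rather than checking memory safety itself, so as written it does not say why it belongs at this level. Suggest adding a few words on how it supports the heading (for example, which tests it is meant to strengthen) or moving it. In the section above, "Ensure soundness of unsafe Rust code" is placed after the JavaScript bullet and is phrased as an imperative; moving it next to the Rustnomicon bullet and wording it as "Ensuring ..." would group the Rust items and match the neighbouring bullets.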
