OpenSSF Memory Safety Special Interest Group (SIG)

The Memory Safety SIG is a group within the OpenSSF's Best Practices Working Group, formed to advance and deliver on the OpenSSF's Mobilization Plan - Stream 4.

Motivation

Memory safety vulnerabilities, caused by mistakes in memory management, are common in unsafe programming languages like C and C++. This type of vulnerability is responsible for a majority of security breaches, with estimates from Microsoft and Google showing that up to 70% and 90% of vulnerabilities in their products, respectively, are memory safety vulnerabilities.

Memory safe languages like Rust, Go, JavaScript, and Java are less prone to these types of errors. The consequences of these vulnerabilities are not just technical, but can result in significant financial losses and invasion of personal data and privacy. A recent analysis by Google Project Zero showed that 67% of vulnerabilities exploited in the wild were due to a lack of memory safety, making it a critical issue that needs to be addressed in software development.

Objective

Vision: Eliminate memory safety vulnerabilities in Open Source Software (OSS).

Mission: Understand and reduce memory safety vulnerabilities in OSS.

Scope

Develop pragmatic guidance, standards, and software (including tools, tool improvements, and rewrites), along with advocating such changes, to systematically reduce memory safety vulnerabilities through the use of memory-safe programming languages and techniques, all informed by real-world data and risks.

Prior Work

Get Involved

Quick Start

Meeting times

Governance

The CHARTER.md outlines the scope and governance of our group activities.

SIG Maintainers

SIG Collaborators

Intellectual Property

In accordance with the OpenSSF Charter (PDF), work produced by this group is licensed as follows:

  1. Software source code
    • Apache License, Version 2.0, available here;
  2. Data
    • Any of the Community Data License Agreements, available here;
  3. Specifications
    • Community Specification License, Version 1.0, available here;
  4. All other Documentation
    • Creative Commons Attribution 4.0 International License, available here.