Awesome

OpenSSF Memory Safety Special Interest Group (SIG)

The Memory Safety SIG is a group working within the OpenSSF's Best Practices Working Group formed to advance and deliver upon The OpenSSF's Mobilization Plan - Stream 4.

Motivation

Memory safety vulnerabilities, caused by mistakes in memory management, are common in unsafe programming languages like C and C++.This type of vulnerability is responsible for a majority of security breaches, with estimates from Microsoft and Google showing that up to 70% and 90% of vulnerabilities in their products, respectively, are memory safety vulnerabilities.

Memory safe languages like Rust, Go, JavaScript, and Java are less prone to these types of errors. The consequences of these vulnerabilities are not just technical, but can result in significant financial losses and invasion of personal data and privacy. A recent analysis by Google Project Zero showed that 67% of vulnerabilities exploited in the wild were due to a lack of memory safety, making it a critical issue that needs to be addressed in software development.

Objective

Vision: Eliminate memory safety vulnerabilities (in Open Source Software (OSS).

Mission: Understand and reduce memory safety vulnerabilities in OSS.

Scope

Develop pragmatic guidance, standards, and software (including tools, tool improvements, and rewrites), along with advocating such changes, to systematically reduce memory safety vulnerabilities through the use of memory-safe programming languages and techniques, all informed by real-world data and risks.

Prior Work

• N/A

Get Involved

• Official communications occur on the openssf-sig-memory-safety@lists.openssf.org.
  Manage your subscriptions to Open SSF mailing lists.
• Memory Safety SIG Slack

Quick Start

• Areas that need contributions
• Review of the Proposed Stream #4 Mobilization Plan
• File issues

Meeting times

• Every other Thursday @ 13:00am EST. The invite is available on the OpenSSF Community Calendar.
• Meeting Minutes

Governance

The CHARTER.md outlines the scope and governance of our group activities.

• Lead name: Nell Shamrell-Harrington
• Co-Lead name: Avishay Balter, Microsoft

SIG Maintainers

• Christopher "CRob" Robinson, Intel
• David A Wheeler, LF/OSSF

SIG Collaborators

• Jay White, Microsoft
• Gabriel Dos Reis (Microsoft)
• Charles Palmer (IBM)
• David Edelsohn (IBM)
• Walter Pearce
• Josh Aas (he/him, ISRG/Prossimo)
• Jonathan Leitschuh (he/him) OpenSSF
• Christine Abernathy, F5
• Randall T. Vasquez, Gentoo/Homebrew

Intellectual Property

In accordance with the OpenSSF Charter (PDF), work produced by this group is licensed as follows:

1. Software source code

   • Apache License, Version 2.0, available here;

2. Data

   • Any of the Community Data License Agreements, available here;

3. Specifications

   • Community Specification License, Version 1.0, available here

4. All other Documentation

   • Creative Commons Attribution 4.0 International License, available here