The drop in Android's memory safety vulnerabilities is astonishing. It's counterintuitive, but prioritizing memory-safe languages in new code quickly reduces memory-safety risks. Once we turn off the tap of new vulnerabilities, they start decreasing exponentially.
Jeff Vander Stoep @jeffvanderstoep
25 Sep 2024
I’m super excited about this blogpost. The approach is so counterintuitive, and yet the results are so much better than anything else that we’ve tried for memory safety. We finally understand why. security.googleblog.com/2024…

Sep 25, 2024 · 5:47 PM UTC

2
3
1
35
Replying to @ayper
Cool result. It seems both crazy and perfectly logical. What's the half-life used in the simulation? The foot note says the average lifetime is 2.5 years, does that mean the half-life is only 2.5y * ln(2) = 1.7y?
1
Thanks :) And yep, ~1.7y would be the half life in the simulation based on the 2.5y average lifetime.
2
Replying to @ayper
How is it counterintuitive that prioritizing memory-safe languages in new code reduces memory-safety risks?
1
Because the risk reduction far outweighs what one would expect from the % of memory-safe code. Android has *more* memory-unsafe code than it did in 2019, and yet, it has almost an order of magnitude fewer memory safety vulns.
1
more replies
Load more