Quantifying Memory Unsafety and Reactions to It

Note: Presentation times are in Pacific Standard Time (PST).

Wednesday, February 03, 2021 - 9:20 am-9:50 am

Alex Gaynor, Fish in a Barrel


The fact that C and C++ are not memory safe, leading to vulnerability classes such as use-after-free and buffer overflow, is not new. However, these languages remain in exceptionally wide use, even for new projects. For several years, Fish in a Barrel has been attempting to quantify how common memory-unsafety-induced vulnerabilities are in major projects, and researching what tactics are effective at convincing developers to reconsider C and C++.

This talk presents our results: we show the empirical data which leads us to the conclusion that C and C++ are not tenable for modern secure development, including statistics across a large swath of projects. We also present what we've learned about how developers respond to this fact, in the frame of the Five Stages of Grief.

Alex Gaynor, Alloy, Fish in a Barrel

Alex is a software security engineer. He's a founder and principal at Fish in a Barrel, working on systemic solutions to classes of vulnerabilities. He's previously been Chief Information Security Officer at Alloy and an engineer at Mozilla and the United States Digital Service. Alex has a long history of contribution in open source, from building a JIT'd Ruby VM to serving on the Board of Directors of the Python Software Foundation. Alex lives in Washington, D.C.


@conference {264140,
author = {Alex Gaynor},
title = {Quantifying Memory Unsafety and Reactions to It},
year = {2021},
publisher = {USENIX Association},
month = feb
}
