Quantifying Memory Unsafety and Reactions to It

Wednesday, February 03, 2021 - 9:50 am10:20 am

Alex Gaynor, Alloy, Fish in a Barrel


The fact that C and C++ are not memory safe, leading to vulnerability classes such as use-after-free and buffer-overflow is not new. However, these languages remain in exceptionally wide use, even for new projects. For several years, Fish in a Barrel has been attempting to quantify how common memory-unsafety induced vulnerabilities are in major projects, and researching what tactics are effective at convincing developers to reconsider C and C++.

This talk presents our results: we show the empirical data which leads us to the conclusion that C and C++ are not tenable for modern secure development, including statistics across a large swath of projects. We also present what we've learned about how developers respond to this fact, in the frame of the Five Stages of Grief.

Alex Gaynor, Alloy, Fish in a Barrel

Alex is a software security engineer. He's a founder and principal at Fish in a Barrel, working on systemic solutions to classes of vulnerabilities. By day he's Chief Information Security Officer at Alloy, and previously of Mozilla and the United States Digital Service. Alex has a long history of contribution in open source, from building a JIT'd Ruby VM to serving on the Board of Directors of the Python Software Foundation. Alex lives in Washington, DC.

@conference {264140,
author = {Alex Gaynor},
title = {Quantifying Memory Unsafety and Reactions to It},
year = {2021},
address = {Oakland, CA},
publisher = {{USENIX} Association},
month = feb,