Google is taking a two-pronged approach to making code safer: embracing memory-safe languages while fortifying older, memory-unsafe ones like C and C++. Even as it pushes for modern security, Google acknowledges the massive body of legacy code that won’t disappear anytime soon.
While languages like Rust, Java, and Go offer strong memory safety features, Google knows C and C++ will persist for decades. Instead of rewriting everything, the tech giant focuses on making these older languages more secure through strategies like bounds-checking, sandboxing, and advanced isolation techniques.
Memory safety vulnerabilities account for 75% of zero-day exploits and 70% of severe vulnerabilities in codebases, which makes Google’s efforts crucial. Projects such as Chrome’s MiraclePtr, which has reduced use-after-free bugs by 57%, and tools like Project Naptime, an AI-based vulnerability hunter, show the company’s commitment to reducing risks.
However, Google isn’t alone in addressing these challenges. Industry initiatives, like the Open Source Security Foundation’s hardening guide for C and C++, and new C++ extensions, aim to make unsafe languages more secure. Even C++ creator Bjarne Stroustrup has suggested Safety Profiles to ensure certain safety guarantees.
While memory-safe languages are the future, Google’s pragmatic approach recognizes the enduring importance of C and C++. By balancing innovation with hardening legacy code, Google is paving the way for a more secure coding landscape without discarding its foundation.