Google implements Spatial Memory Safety in C++

After analyzing nearly 10 years of CVEs, Google researchers calculated that at least 40% of safety exploits in C++ were related to spatial memory exploits like writing to an out-of-bounds memory location.

Google researchers showed they were able to “retrofit” spatial safety onto their C++ codebases, and to do it with a surprisingly low impact on performance. They used straightforward strategies such as bounds checking buffers and data structures, as is done in other languages, and released a new, safer Hardened libc++.
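To make the bounds-checking strategy concrete, here is an added example (not code from Google's post or from libc++): a hypothetical `CheckedBytes` view and `sum_payload` parser over a constructed length-prefixed record, where the declared length may overstate the data actually present. The check throws here so the outcome is observable; hardened libc++ terminates the program on a failed check instead.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Hypothetical view type: a pointer plus a length, with every access checked.
class CheckedBytes {
    const std::uint8_t* data_;
    std::size_t size_;
public:
    CheckedBytes(const std::uint8_t* d, std::size_t n) : data_(d), size_(n) {}
    std::size_t size() const { return size_; }

    // The spatial-safety check: one compare before the load.
    std::uint8_t operator[](std::size_t i) const {
        if (i >= size_) throw std::out_of_range("index past end of buffer");
        return data_[i];
    }

    // Sub-views are checked too, written so offset + count cannot wrap around.
    CheckedBytes subview(std::size_t offset, std::size_t count) const {
        if (offset > size_ || count > size_ - offset)
            throw std::out_of_range("subview past end of buffer");
        return CheckedBytes(data_ + offset, count);
    }
};

// Constructed record format: [1-byte payload length][payload bytes].
// Returns the sum of the payload bytes, or -1 if the declared length lies.
int sum_payload(const std::vector<std::uint8_t>& record) {
    try {
        CheckedBytes buf(record.data(), record.size());
        CheckedBytes payload = buf.subview(1, buf[0]);
        int sum = 0;
        for (std::size_t i = 0; i < payload.size(); ++i) sum += payload[i];
        return sum;
    } catch (const std::out_of_range&) {
        return -1;  // rejected instead of reading adjacent memory
    }
}

int main() {
    std::vector<std::uint8_t> ok  = {3, 10, 20, 30};   // length matches
    std::vector<std::uint8_t> bad = {200, 10, 20, 30}; // length overstated
    return (sum_payload(ok) == 60 && sum_payload(bad) == -1) ? 0 : 1;
}
```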

The results show up in this chart of segfaults across the entire fleet of computers before and after using the improvements. Their internal red team testing results were also much improved; the improvements uncovered over 1000 bugs and will likely prevent 1000-2000 new bugs each year based on the current development rate.

Here’s a blog post about their results.
