Most software is written in unsafe languages such as C and C++, in which buffer overflows, format string vulnerabilities, and other flaws are possible and can be exploited by attackers to cause a security or privacy violation. Even programs written in type-safe languages rely on libraries and runtimes written in unsafe languages. Current software is therefore vulnerable to a variety of attacks and is likely to remain vulnerable for the foreseeable future.
The majority of such software attacks exploit software vulnerabilities or flaws to write data to unintended locations. For example, control-data attacks exploit buffer overflows or other vulnerabilities to overwrite a return address on the stack, a function pointer, or some other piece of control data. Non-control-data attacks exploit similar vulnerabilities to overwrite security-critical data without subverting the intended control flow of the program. Non-control-data attacks are thought to be less frequent than control-data attacks, but they are equally serious, and at present no good defenses against them are known.
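A constructed illustration of the non-control-data case, added here as an example and not part of the original text: a record holds a user-controlled name next to a privilege flag, and a copy routine that bounds its write by the size of the whole record rather than the name field lets the flag be overwritten without any return address or function pointer being touched. All names (`struct session`, `set_name_unchecked`, `set_name_checked`) are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed record: the flag is security-critical data, not control data. */
struct session {
    char name[8];            /* user-controlled field */
    unsigned char is_admin;  /* must stay 0 unless set by the program */
};

/* Vulnerable: the bound is the size of the whole record, so a copy longer
 * than the name field spills into is_admin. (The write stays inside the
 * record, so this is a logic defect in the bound, not an out-of-object write.) */
int set_name_unchecked(struct session *s, const char *input, size_t len) {
    if (len > sizeof *s) return -1;          /* wrong bound: record, not field */
    memcpy((unsigned char *)s, input, len);  /* byte view of the whole record */
    return 0;
}

/* Hardened: the bound is the field itself, and the name is NUL-terminated. */
int set_name_checked(struct session *s, const char *input, size_t len) {
    if (len >= sizeof s->name) return -1;    /* reject anything that does not fit */
    memcpy(s->name, input, len);
    s->name[len] = '\0';
    return 0;
}

/* Returns the flag after the copy, or -1 if the input was rejected. */
int admin_after_unchecked(const char *input, size_t len) {
    struct session s = { {0}, 0 };
    if (set_name_unchecked(&s, input, len) != 0) return -1;
    return s.is_admin;
}

int admin_after_checked(const char *input, size_t len) {
    struct session s = { {0}, 0 };
    if (set_name_checked(&s, input, len) != 0) return -1;
    return s.is_admin;
}

int main(void) {
    /* Constructed input: 8 name bytes followed by one byte that lands on is_admin. */
    const char crafted[] = "AAAAAAAA\x01";
    printf("unchecked: is_admin=%d\n", admin_after_unchecked(crafted, 9)); /* 1 */
    printf("checked:   result=%d\n", admin_after_checked(crafted, 9));     /* -1 */
    printf("checked:   is_admin=%d\n", admin_after_checked("bob", 3));     /* 0 */
    return 0;
}
```

Because the program's control flow is unchanged, stack canaries or control-flow integrity would not notice this write; only a check tied to the data itself (the field bound here) prevents it.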
Memory-safe dialects of C that prevent such attacks have been proposed previously. However, these approaches require existing C code to be ported to the dialect, which is a non-trivial task, and they require significant changes to the C runtime.
Other known approaches can be applied to existing programs, but they typically cannot defend against non-control-data attacks, or have false positives, and incur very high overhead without hardware support.