There are some ideas that have been around for some 50 years.
In "Hints on Programming Language Design", published in 1974, Tony Hoare said "Finally, it is absurd to make elaborate security checks on debugging runs, when no trust is put in the results, and then remove them in production runs, when an erroneous result could be expensive or disastrous. What would we think of a sailing enthusiast who wears his life-jacket when training on dry land but takes it off as soon as he goes to sea?" He was referring to subscript checking.
I did some work on a FORTRAN program in 1982 that had a habit of crashing if one or another internal table overflowed. The compiler documentation said the compiler could do subscript checking. The documentation lied. I wound up having to put explicit subscript checks on every table, and add run-time error messages that told the user "Table blah overflowed. Increase such-and-such named constant and recompile." It was all I could do, and it took me literally 160 hours of staring at FORTRAN code to understand it well enough to be able to do that much. That code had ISSUES.
The early capability machines were designed around, among other things, a very basic concept: EVERY array reference was checked by hardware. It was not possible to disable this feature. That makes "buffer overflow" vulnerabilities 100% impossible.
Later in the 1970s, Charles Hoch wrote a short paper, showing how the memory mapping hardware on higher-end PDP-11 minicomputers could be perverted to do basically the same thing.
A paper on an early PASCAL compiler mentioned that, if the programmer was reasonably conscientious about specifying the bounds for arrays and variables, the compiler could usually prove at compile-time that an array subscript expression could not go out of range, and hence eliminate the run-time range check. I don't have a URL for this one. I saw it in a book that collected several otherwise-unavailable early papers, including two of Urs Ammann's papers on the original PASCAL compilers written at ETH Zurich for the CDC 6400. For this to work, of course, it has to be possible in the language to specify those bounds, and "modern" languages (C, C++, Java, and the like) don't provide that capability.
Yet, when the Ada programming language came out, for which the first draft required subscript checking to be enabled by default, the very first thing that the "professional" programmers in the United States demanded was the ability to disable it, because of "performance" concerns.
As long as it is fashionable to let programmers do anything they want, and rely on them not to make a mess of it (as the late Edsger W. Dijkstra was fond of saying), we are going to have problems. As long as we pretend that C and C++ are good languages, and Windows is a good operating system, we will continue to get what we deserve, and we will generally, as Jerry Pournelle used to say, get it good and hard.
References:
http://flint.cs.yale.edu/cs428... fo
https://homes.cs.washington.ed...
https://dl.acm.org/doi/10.1145...
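The explicit table checks described in the FORTRAN anecdote above, as an added C example that is not part of the original post: a fixed-size internal table whose subscript checks stay compiled in for production and whose overflow diagnostic names the constant to raise. `symtab_t`, `MAX_SYMBOLS`, `symtab_insert`, `symtab_get` and `fill_demo` are constructed names.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a fixed-size internal table with subscript checks
 * that are never removed. MAX_SYMBOLS is the named constant the user is
 * told to increase and recompile, as in the error message quoted above. */
#define MAX_SYMBOLS 4
#define NAME_LEN 16

typedef struct {
    int count;                          /* number of live entries */
    char names[MAX_SYMBOLS][NAME_LEN];  /* the table proper */
} symtab_t;

/* Insert a name. Refuses, with a user-facing diagnostic, instead of
 * writing past the end of names[] once the table is full. */
bool symtab_insert(symtab_t *t, const char *name)
{
    if (t->count >= MAX_SYMBOLS) {
        fprintf(stderr, "Table SYMBOLS overflowed. "
                        "Increase MAX_SYMBOLS and recompile.\n");
        return false;
    }
    /* Truncate rather than overrun the per-entry buffer. */
    snprintf(t->names[t->count], NAME_LEN, "%s", name);
    t->count++;
    return true;
}

/* Checked subscript read: the index is validated against the number of
 * live entries, so a stale or out-of-range index reads nothing. */
const char *symtab_get(const symtab_t *t, int idx)
{
    if (idx < 0 || idx >= t->count)
        return NULL;
    return t->names[idx];
}

/* Try to insert more entries than fit; returns how many were refused. */
int fill_demo(symtab_t *t, int attempts)
{
    int refused = 0;
    for (int i = 0; i < attempts; i++) {
        char buf[NAME_LEN];
        snprintf(buf, sizeof buf, "sym%d", i);
        if (!symtab_insert(t, buf))
            refused++;
    }
    return refused;
}
```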