Whether you run IT for a large organization or simply owning a smartphone, you’re all too familiar with the constant stream of software updates that need to be installed because of bugs and security holes. People make mistakes, so the code is bound to contain mistakes — you get it. But the movement to write software in a language called Rust is growing because the code is bug-resistant in an important way. By design, developers cannot accidentally create the most common types of exploitable vulnerabilities when they code in Rust, a distinction that could make a big difference in the parade. daily patching and finally the basic cybersecurity of the world.
Programming languages have fads and new languages come and go, often with no lasting impact. Now 12 years old, Rust has taken the time to grow from a Mozilla researcher’s side project into a robust ecosystem. Meanwhile, the predecessor language C, still widely used today, turns 50 this year. But since Rust produces safer code and, importantly, doesn’t degrade the performance of it, the language has slowly gained a lot of followers and is now at a turning point. Microsoft, Google, and Amazon Web Services have all used Rust since 2019, and the three have established nonprofits Rust Foundation with Mozilla and Huawei in 2020 to maintain and develop this language. And after a few years of intensive work, the Linux kernel take the first steps last month to roll out Rust support.
“It’s spreading like a language,” said Dave Kleidermacher, Android’s vice president of engineering for security and privacy. “We’ve been investing in Rust on Android and on Google, and a lot of engineers are like, ‘how do I start doing this? That’s great.’ And Rust has only just landed for the first time as an officially recognized and accepted language in Linux, so it’s not just Android, but any Linux-based system can now start incorporating. Rust components. “
Rust is known as a “memory-safe” language because it is designed so that programs cannot inadvertently pull unwanted data from the computer’s memory. When programmers use solid languages that don’t have this property, including C and C++, they must carefully examine the parameters of the data their program will request and how it will be executed. perform — a task that even the most skilled and experienced developers will perform. Instead, by writing new software in Rust, even amateur programmers can be confident that they haven’t introduced any memory-safe bugs into their code.
A program’s memory is a shared resource used by all the program’s features and libraries. Imagine a calendar program written in a language that is not memory safe. You open your calendar and then request entries for November 2, 2022, and the program fetches all the information from the area of your computer’s memory that is designated to store that date’s data. All is good. But if the program is not designed with the right constraints, and you request entries for November 42, 2022, the software, instead of generating an error or other error, may return information from a partial of storage holds seriously different data, be it the password you use to protect your calendar or the credit card number you keep on file for premium calendar features. And if you add a birthday party to your calendar on November 42, it might overwrite extraneous data in memory instead of telling you it couldn’t complete the task. These are called “out of bounds” read and write errors, and you can see how they can be exploited to give attackers inappropriate access to data or even extend control over the system. system.
Another common type of memory safety error, called “use after use”, refers to a situation in which a program relinquishes a claim to a piece of memory ( maybe you deleted all your calendar entries for October 2022), but by mistake still retain access. If you then request data from October 17th, the program can retrieve any data that ended there. And the existence of memory-safe vulnerabilities in the code also makes it possible for a hacker to create a malicious calendar invite with a strategically chosen date or set of event details designed to manipulate memory to grant attackers remote access.
