While Rust takes center stage in the endorsement, the key takeaway extends beyond just promoting a single language. The emphasis is on steering away from traditional languages like C and C++, which are more prone to memory safety issues. Modern languages like Python, Go, and Java, with automatic memory management features, are highlighted as viable alternatives for building secure software. The recommendation is not exclusive to Rust but rather encompasses a broader perspective on memory safety in software development.
Memory safety is crucial in preventing bugs and vulnerabilities that exploit memory access, which can have severe implications for the security of many software systems. The Chromium project finds that around 70% of Google Chrome’s serious security bugs are memory safety problems. Memory-safe programming languages can help prevent a whole class of bugs and vulnerabilities due to the ability to work close to the kernel, support determinism, and manage memory effectively.
The impact of switching to Rust
A significant drop in memory safety vulnerabilities correlates with the switch to memory-safe languages for Android: from 2019 to 2022 it has dropped from 76% down to 35% of Android’s total vulnerabilities. 2022 was the first year where memory safety vulnerabilities do not represent a majority of Android’s vulnerabilities.
Mozilla is releasing Firefox Quantum which incorporates Rust code to improve performance. Stylo, a parallel CSS engine written in Rust, replaces C++ code and speeds up page styling. Firefox developers found Rust’s ownership model and safety features beneficial. Not only does it speed up page load, but it also speeds up interaction times since styling information can be recalculated much faster, making the entire experience smoother.
Is Rust for everyone?
Rust is a challenging language to learn due to its specific focus on memory safety, which can lead to increased development costs. The rigorous memory safety checks imposed by the Rust compiler can prolong the development process, potentially leading to higher expenses. However, the long-term security advantages of using Rust, its efficiency and reduced maintenance costs outweigh the initial cost implications.
Rust allows developers to write more stable software with fewer maintenance issues and higher efficiency, ultimately resulting in cost savings for companies. Stefan Baumgartner shared his experience at Dynatrace, showcasing how the team successfully implemented a Rust-based product with minimal issues, resulting in long-term cost savings.
Merely implementing Rust is not enough to protect against all possible attacks. Malicious actors will keep looking for new methods to break security if the reward justifies their efforts. Just like C and C++, Rust offers no built-in protection against hardware attacks like Side Channel Analysis and Fault Injection. While this is generally out of scope for most systems on Rust, critical systems such as payments and embedded devices need to obtain security certification to release their products to the market. This includes conducting a threat analysis and using qualified Rust compilers for use in safety systems. Ferrocene, for example, is an ISO 26262 (ASIL D) and IEC 61508 (SIL 4) qualified version of the existing open-source compiler, rustc, based on Rust 1.68.
To secure devices on Rust against Side Channel Analysis and Fault Injection attacks, additional countermeasures need to be applied, similar to those needed for C and C++ languages. Riscure specializes in device security and protecting the integrity of embedded systems from fault attacks. Learn more about how to secure your applications against Side Channel Analysis and Fault Injection in our whitepaper “Secure Application Programming in the Presence of Side Channel Attacks”, or reach out directly to Riscure for expert development support.
Rust’s Suitability for Space Systems
A notable mention in the technical report is Rust’s suitability for space systems like satellites. The language’s ability to interact closely with both software and hardware, support determinism, and ensure effective memory management makes it as an ideal choice for space-related applications.
While Rust’s characteristics align with the stringent requirements of space environments, an important consideration when developing for space systems is the electro magnetic radiation that impacts the way devices operate. While devices on Earth are protected from radiation by the Earth’s atmosphere, the radiation in space affects devices differently. The high-energy particles present in significantly larger amounts in space can cause a range of effects, from single-event upsets (SEUs) in electronic circuits to total device failure. In essence, this storm of radiation can be compared to a continuous, untargeted fault injection attack on hardware and software, requiring similar countermeasures in both hardware and software development.
To conclude, the adoption of Rust can lead to increased efficiency, reduced maintenance costs, and the ability to develop reliable software products. However, Rust has not been proven more secure against hardware vulnerabilities compared to traditional languages like C and C++. To use Rust in critical systems, Riscure advises implementing additional countermeasures and conducting security testing.