For quite some time, Microsoft has been experimenting with the Rust programming language to improve the safety of its software under its Project Verona initiative. In a recent talk at RustFest Barcelona, Microsoft engineers Ryan Levick and Sebastian Fernandez discussed their experience using Rust.
While Microsoft is trying to make Windows 10 more secure, it cannot simply throw away the old Windows code. Hence, Microsoft's journey with Rust so far consists of rewriting low-level Windows components in Rust.
According to Levick and Fernandez, the software industry is resting on insecure technological foundations that cost it a huge sum of money.
Every such security issue discovered in the field costs Microsoft around $150,000. These costs may be even higher for organizations that end up as victims of security vulnerability exploits such as ransomware.
Memory safety issues in C/C++
‘Memory safety’ refers to language and runtime properties that prevent a program's memory from being read or written in ways the programmer did not intend, which is what malware typically abuses. The aim of Project Verona at Microsoft is to secure the company's work by removing the scope for such attack vectors.
Interestingly, Microsoft engineers said that the majority of security issues are related to memory safety flaws in C and C++. Here’s what they had to say regarding the safety of these two languages:
C and C++ are extremely great at writing low-level systems. They use very little resources on the machine. They are, in fact, really the basis on which we create our systems today but the issue with that, of course, is that they are very, very unsafe and, when they were developed, did not really have safety in mind.
This is the major reason why Microsoft started experimenting with Rust in the hopes of minimizing software bugs that lead to memory safety related vulnerabilities.
Rust, just like C and C++, has a minimal and optional “runtime”. What separates Rust from C and C++ is its strong safety guarantees: unless the programmer explicitly opts out with the `unsafe` keyword, Rust code is memory safe.
This programming language was designed to allow developers to code without having to worry about memory safety bugs.
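As an added illustration (this is not code from the talk or from Microsoft), the following Rust snippet shows where the memory-safety guarantee applies and where the `unsafe` keyword opts out of it. The function names, the length-prefixed message format and the sample bytes are all constructed for the example.

```rust
// Added example (not from the article): safe Rust versus an `unsafe`
// opt-out, using a constructed length-prefixed message format.

/// Safe Rust: an out-of-range index cannot read past the buffer.
/// The checked accessor `get` returns `None` instead of garbage.
pub fn read_checked(buf: &[u8], index: usize) -> Option<u8> {
    buf.get(index).copied()
}

/// Safe Rust: copy a length-prefixed field out of a message. A lying
/// length byte cannot read beyond the slice; bounds checks enforce it,
/// so the `get` call below only decides between a value and an error.
pub fn parse_length_prefixed(msg: &[u8]) -> Result<&[u8], &'static str> {
    let &len = msg.first().ok_or("empty message")?;
    let len = len as usize;
    msg.get(1..1 + len).ok_or("length exceeds message")
}

/// `unsafe` opts out of the guarantee for this body only. The compiler
/// no longer checks the bound, so the invariant becomes the caller's
/// contract and the function itself is marked `unsafe`.
///
/// # Safety
/// `index` must be less than `buf.len()`.
pub unsafe fn read_unchecked(buf: &[u8], index: usize) -> u8 {
    // An out-of-range read here is undefined behaviour: the same class
    // of bug the article attributes to C and C++.
    *buf.get_unchecked(index)
}

/// The idiomatic pattern: wrap the unsafe operation in a safe API that
/// re-establishes the invariant, so callers get the guarantee back.
pub fn read_wrapped(buf: &[u8], index: usize) -> Option<u8> {
    if index < buf.len() {
        // SAFETY: the bound was checked on the line above.
        Some(unsafe { read_unchecked(buf, index) })
    } else {
        None
    }
}

fn main() {
    // Constructed sample: length byte 3 followed by three payload bytes.
    let msg = [3u8, b'a', b'b', b'c'];
    println!("{:?}", parse_length_prefixed(&msg));
    // Constructed malformed sample: claims 9 bytes, carries 1.
    let bad = [9u8, b'a'];
    println!("{:?}", parse_length_prefixed(&bad));
    println!("{:?}", read_checked(&msg, 10));
}
```

The point a reviewer would take from this: every place the compiler stops reasoning about memory is marked with `unsafe`, so auditing a Rust component for memory-safety bugs reduces to auditing those blocks and the invariants their wrappers promise to uphold.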
“Rust allows us to write performant security-critical components safely,” said the two engineers.
The statement above is a claim that is yet to be proved, but they hope it will turn out to be true.
Challenges In Adopting Rust
A major obstacle towards achieving this goal is that it’s not possible to rewrite everything from scratch in Rust. Instead, Microsoft is trying to find a way to make Rust coexist with other technologies, but again, it is not that easy.
Besides, there are other challenges that Microsoft needs to overcome as an organization, including the human factor. Rust needs to be adopted by developers who have been coding in C and C++ for several years, and those developers first need to be convinced that the switch is worthwhile.
The positive thing here is that introducing Rust to seasoned C++ programmers is easy because they are able to familiarize themselves with it quickly — mostly because Rust formalizes the concepts that they already know.
But when it comes to developers who are used to other programming languages, it might be a little bit more difficult at the beginning.
“While the learning curve is quite steep, people get through it, and once they are through that learning curve, they are quite productive.”
Adam Burch, a software engineer at Microsoft with the Hyper-V Team, shared his experience with Rust-based projects so far. He described his experience of rewriting a low-level system component of Windows in Rust as a breath of fresh air — thanks to Rust compiler guarantees.
“The memory and data safety guarantees made by the compiler give the developer much greater confidence that compiling code will be correct beyond memory safety vulnerabilities,” said Burch.
Safe Infrastructure Programming
The new ‘memory safe’ programming language Microsoft is working on is internally referred to as “safe infrastructure programming”. There are rumors that this Rust-based programming language will be made open source soon.
Meanwhile, the other class of bugs Microsoft is addressing relates to uninitialized memory in a way that doesn’t kill performance.