Google has been integrating code written in the Rust programming language into the Android operating system since 2019, and its efforts have paid off in the form of fewer vulnerabilities.
Memory safety errors, such as out-of-bounds reads and writes or use after free, account for more than 65 percent of high or critical severity vulnerabilities in Chrome and Android, and the numbers are similar in other vendors’ software. These flaws reduce security and increase software development costs unless caught early.
But after four years of Android collecting Rust bits, that number has dwindled.
“From 2019 to 2022, the annual number of memory security vulnerabilities dropped from 223 to 85,” said Android security engineer Jeffrey Vander Stoep in a blog post.
Vander Stoep says the decline coincides with efforts to move away from memory-unsafe programming languages, including C/C++, which do not guarantee memory safety but can support it.
Starting with Android 12 last year, Rust became an Android platform language. Now in Android 13, Vander Stoep says that most of the new code added to the release is written in a memory-safe language: Rust, Java, or Kotlin.
With less memory-unsafe code entering Android, memory safety flaws fell from 76 percent of Android vulnerabilities in 2019 to 35 percent in 2022, the first year in which memory safety bugs did not represent the majority of vulnerabilities.
Other vulnerabilities have remained stable over time, appearing at a rate of about 20 per month over the past four years. Since memory safety flaws account for the majority of critical issues, the vulnerabilities that do emerge have proven to be less serious.
Google isn’t the only big tech company to recognize the benefits of memory-safe code. Meta has voiced its appreciation of Rust. A few months ago, Microsoft CTO Mark Russinovich announced that C/C++ should no longer be used to start new projects, and that Rust should be deployed where a non-garbage-collected language is required.
At the time, Bjarne Stroustrup, the creator of the C++ language, objected to Russinovich’s stance, noting that type and memory safety in ISO standard C++ can be enforced with static analysis. As Stroustrup sees it, helping the development of C++ makes more sense than deprecating the language and leaving dangerous code unmaintained.
Google continues to invest in tools for writing more secure C/C++ code, Vander Stoep says, pointing to the Scudo hardened allocator, HWASAN, GWP-ASAN and KFENCE on Android devices. And he says Google has increased its use of fuzzing. But while such measures help reduce memory safety bugs, he argues that most of the vulnerability reduction should be attributed to the switch to memory-safe languages.
About 21 percent of the new native code in Android 13 is written in Rust. There are about 1.5 million lines of Rust code in the Android Open Source Project (AOSP), in components such as Keystore2, the new Ultra Wideband (UWB) stack and DNS-over-HTTP3 that in previous years would have been written in C++.
And so far, Rust has delivered. “To date, zero memory security vulnerabilities have been discovered in Android’s Rust code,” Vander Stoep says, sensibly acknowledging that this won’t last forever.
“Rust’s combination of speed and memory safety makes it an excellent choice for a wide range of projects,” said Rebecca Rumbul, executive director and CEO of the Rust Foundation, in an email to The Register. “It’s no surprise to see Rust increasingly integrated into existing projects and products. Google’s latest blog discussing Rust on Android really highlights its security benefits.”
Rumbul added: “These security benefits are recognized by policymakers around the world, with European and North American governments recognizing Rust as a solution to some of the security issues experienced in the past.”
The US National Security Agency recently observed that while languages like C++ can provide a lot of flexibility, they rely on the programmer to provide the necessary memory reference checks.
“Software analysis tools can detect many instances of memory management problems, and operating environment options can provide some protection, but the protections offered by memory-safe programming languages can prevent or mitigate most memory management problems,” the agency said in guidance [PDF] issued last month. “NSA recommends using a memory-safe language whenever possible.” ®