Microsoft Plans to Replace C and C++ with Rust


Author: Wang Wenjing

Yesterday, the Microsoft Security Response Center (MSRC) team updated an article on their official website regarding their latest plan to use Rust as a replacement for C, C++, and other programming languages to improve application security. This plan includes further in-depth discussions on aspects such as spatial memory safety, temporal memory safety, and data races. Chief Security Technology Manager Gavin Thomas stated that the core job of developers is not to worry about security but to focus on functional development, and it is essential to enable a programming language that “does not introduce memory vulnerability risks.” Clearly, Rust is the star of this initiative.

1 Over the past 12 years, approximately 70% of Microsoft patches have targeted memory vulnerabilities

Today, memory vulnerabilities have become a primary target for hackers. According to Microsoft’s latest survey data, about 70% of Microsoft patches over the past 12 years have been aimed at memory vulnerabilities.

Since 2004, the Microsoft Security Response Center (MSRC) has categorized every reported Microsoft security vulnerability. From all classifications, a surprising fact has emerged: as discussed by Matt Miller in his speech at BlueHat IL this year, most of the fixed vulnerabilities and assigned CVEs are caused by developers inadvertently introducing memory corruption errors into their C and C++ code. Both languages give developers fine-grained control over the memory addresses their code operates on, and that control is exactly what exposes them to memory vulnerabilities. A single error in a developer’s memory management code can lead to numerous memory vulnerabilities, which attackers can exploit to dangerous and invasive effect, such as Remote Code Execution (RCE) and Elevation of Privilege (EoP).


Data Source: Microsoft Security Response Center Website

In recent years, as Microsoft’s codebase has grown and incorporated more open-source software, the problem has worsened rather than gone away, and Microsoft is not the only company exposed to memory vulnerabilities.

In the latest article published on their official website, the MSRC team analyzed how to address memory safety issues as follows:

To address memory safety issues, several different approaches need to be taken. Modern constructs in C++ (such as span) can help prevent certain memory safety issues to some extent. Additionally, we should use other modern C++ features (such as smart pointers) whenever possible.

However, modern C++ still lacks comprehensive memory safety and data race mechanisms. More importantly, if programmers do not utilize these features, they are meaningless; and these features may not work effectively in larger, more obscure codebases. Furthermore, C++ lacks good tools to encapsulate unsafe code within safe abstractions, which means that while correct coding practices can be enforced at the local level, developers still find it challenging to build safely composable software components in C or C++. Moreover, we should migrate software to languages with comprehensive memory safety features whenever possible, such as C# or F#, which implement memory protection through runtime checks and garbage collection mechanisms. After all, memory management is an extremely complex function, and it is best to ensure that it is only dealt with when necessary.

2 Advantages of Rust

For many years, Microsoft has been searching for safer alternatives to C and C++. In June 2016, Microsoft open-sourced “Checked C,” an extension of the C language that introduced some new features to address safety issues, but it still did not solve the problem completely. Microsoft already has other, safer programming languages that rely on automatic memory management: C# and the .NET family on one hand, and TypeScript, which compiles to JavaScript, on the other. These languages are widely used by Microsoft and its customers, but they do not meet all needs. In this regard, MSRC Chief Security Technology Manager Gavin Thomas stated, “If developers could combine memory-safe languages like .NET and C# with efficient C++, that would be great. Perhaps we can.” Thus, Rust has become the focus of this initiative.

Rust was created in 2006 and is referred to by its creator Mozilla as a “replacement for C/C++.” Initially, it was just a research project by Mozilla aimed at developing a safer and faster programming language to rewrite the Firefox browser. Most developers considered it a theoretical project, but today Rust is gradually proving its capabilities. The mp4 track metadata parser built with Rust was adopted in Firefox 48, released in August 2016, marking its first appearance on Windows and 32-bit Linux desktops. Recently, the Brave browser replaced its ad-blocking component originally written in C++ with Rust. Cloudflare and Dropbox are also currently running Rust in production systems.

Notable features of Rust include:

  • Zero-cost abstractions

  • Move semantics

  • Guaranteed memory safety

  • No data-race threads

  • Trait-based generics

  • Pattern matching

  • Type inference

  • Minimal runtime

  • Efficient C bindings

The Rust team states that its rich type system and ownership model ensure memory safety and thread safety. Additionally, it provides documentation, an integrated package manager, and other tools that help improve developer productivity. More importantly, Rust was designed from the ground up to prevent memory corruption vulnerabilities. Its syntax is also simpler, and applications written in it do not produce as many errors, allowing developers to focus on scaling their applications rather than on ongoing maintenance work.
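The following Rust example is added here and is not from the article, Microsoft’s post, or the Rust project; it illustrates the MSRC point quoted above and the ownership model described in this paragraph: one `unsafe` access encapsulated behind a safe, bounds-checked API (spatial safety), memory freed at a defined point that no reference may outlive (temporal safety), and `Arc`/`Mutex` turning a would-be data race into a compile error. The `SafeBuf` type and `parallel_increment` function are hypothetical names chosen for the example.

```rust
use std::sync::{Arc, Mutex};
use std::thread;

/// The single `unsafe` block lives in `get`, behind a bounds check, so safe
/// callers cannot read past the allocation (spatial safety). The memory is freed
/// when the owner is dropped and no reference may outlive it (temporal safety).
pub struct SafeBuf {
    data: Vec<u32>,
}

impl SafeBuf {
    pub fn new(len: usize) -> Self {
        SafeBuf { data: vec![0; len] }
    }

    /// Bounds-checked read: an out-of-range index yields `None` instead of
    /// reading beyond the buffer as an unchecked C/C++ array access would.
    pub fn get(&self, i: usize) -> Option<u32> {
        if i >= self.data.len() { return None; }
        // SAFETY: `i < self.data.len()` was verified on the line above.
        Some(unsafe { *self.data.get_unchecked(i) })
    }

    /// Bounds-checked write; returns whether the index was in range.
    pub fn set(&mut self, i: usize, v: u32) -> bool {
        self.data.get_mut(i).map(|slot| *slot = v).is_some()
    }
}

/// Data-race freedom: the buffer crosses threads only inside an `Arc` and is
/// mutated only while the `Mutex` is held; removing either wrapper is a
/// compile error, not a race. Each thread adds 1 to every slot.
pub fn parallel_increment(len: usize, threads: usize) -> Vec<u32> {
    let shared = Arc::new(Mutex::new(SafeBuf::new(len)));
    let handles: Vec<_> = (0..threads)
        .map(|_| {
            let buf = Arc::clone(&shared);
            thread::spawn(move || {
                let mut b = buf.lock().unwrap();
                for i in 0..b.data.len() {
                    let cur = b.get(i).unwrap();
                    b.set(i, cur + 1);
                }
            })
        })
        .collect();
    for h in handles { h.join().unwrap(); }
    let b = shared.lock().unwrap();
    (0..b.data.len()).map(|i| b.get(i).unwrap()).collect()
}
```

Contrast this with the C++ situation the MSRC quote describes: here the bounds check is enforced by the type’s API rather than by convention, and a caller that tries to hold a reference into the buffer after it is dropped, or to share it between threads without `Arc` and `Mutex`, is rejected at compile time.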

According to the Stack Overflow 2019 Developer Survey, Rust is currently the most popular programming language, making it easier to recruit relevant developers. In contrast, in this survey, respondents ranked C as the fourth most disliked programming language, while C++ ranked ninth.


Data from the Stack Overflow 2019 Developer Survey

It is reported that currently, apart from Mozilla, hundreds of companies worldwide are using Rust, including Amazon, Atlassian, Dropbox, Facebook, Google, Microsoft, Red Hat, and Reddit. In China, companies such as Baidu, ByteDance, PingCAP, Ant Financial, Zhihu, and SenseTime are also using Rust.

3 Issues with Rust

However, Rust still has some shortcomings. According to a previous survey, areas needing improvement include:

  • Better ergonomics

  • Better documentation

  • Better library support

  • Simpler learning curve

  • More IDE support

Some users have mentioned that the reasons for not using Rust include, “Although the learning curve and complexity of the language remain barriers for many to learn Rust, one aspect that resonates with many is that there simply aren’t enough active commercial projects adopting Rust to engage people… For some, as long as there is a strong motivation, they can overcome Rust’s learning curve.” Additionally, due to the lack of IDE support, about 10% of users are looking for better IDE support, while 5% of long-time users have stopped using Rust for this reason.

Regarding this plan that may build a new language ecosystem, MSRC Chief Security Technology Manager Gavin Thomas stated, “We are a responsive organization, but we also play a proactive role. We should strive from the beginning to prevent developers from introducing problems rather than providing guidance and tools to solve them.” Currently, Microsoft has not disclosed when it will use Rust in its products or cloud services.
