The Battle of Code: Rust vs C for the Safety of a Billion Devices!

The Battle of Code: Rust vs C for the Safety of a Billion Devices!

Introduction: Attention everyone! Tweede Golf has made a significant move; they want to uncover how to expose memory vulnerabilities and prove the superpowers of the Rust language in protecting the safety of billions of devices.

The Dutch Rust software engineering consultancy Tweede Golf recently conducted an experiment that yielded surprising results, revealing why Rust is so popular in safety-critical applications.

Consider this: software vulnerabilities can affect countless devices, from ultrasound machines to avionics systems, making the choice of programming language more critical than anything else.

David Mytton, CEO of Arcjet, stated:

“Rust has three major advantages: inherent memory safety (with clear markings when using unsafe code), extremely strict compile-time checks (which can catch errors early), and an excellent testing experience (which can improve code coverage).”

The Nightmare of 3 Billion Devices

In 2021, security researchers discovered a significant vulnerability in Siemens’ Nucleus real-time operating system, which runs on 3 billion devices worldwide. This vulnerability is part of the “NAME:WRECK” family, allowing hackers to craft malicious DNS responses that can crash devices or even take complete control of them.

“However, we can forge a fake ‘DNS response’ with intentional ‘errors’. Hackers can exploit this to trick Nucleus into writing to unintended locations,” wrote Marc Schoolderman, a systems software engineer at Tweede Golf, in a blog post.

Imagine the severe consequences if hackers could remotely infiltrate ultrasound machines, storage systems, or avionics equipment.

Experiment: Rust vs C in Real-World Security

Tweede Golf designed an experiment to test whether Rust could withstand this vulnerability. They provided four engineers (two full-time employees and two interns) with a brief introduction to the DNS message encoding protocol (RFC1035) and then tasked them with developing a solution in Rust within three to four hours.

The engineers initially did not know they were tasked with reproducing vulnerable code. They then tested their Rust implementation using the same problematic inputs that caused the original C implementation to crash.

The Results Are In: A Safer Design.

The results were shocking! While the original C code failed 7 out of 12 tests, all Rust implementations exhibited no code execution vulnerabilities.

Schoolderman remarked, “No one felt the need to use unsafe Rust,” referring to Rust’s escape hatch that allows programmers to bypass safety checks when necessary.

All Rust solutions featured a “panic safety” characteristic, meaning that when faced with malicious data, they would only result in recoverable errors rather than system crashes. Despite the time constraints, all engineers wrote comprehensive test suites, including fuzz testing that could automatically generate problematic inputs.

Developer Trade-offs

“I believe this experiment effectively demonstrates the value of memory-safe programming languages,” said open-source maintainer Alex Gaynor. “Decoding DNS messages should not be something that can lead to severe security vulnerabilities threatening system safety, but unfortunately, that is the reality for memory-unsafe languages.”

“This simple study reaffirms that ensuring memory safety in languages greatly benefits building safer systems,” he added.

Josh Aas, co-founder and executive director of ISRG, expressed that he found it worthwhile for Tweede Golf to invest time in researching and validating this in an interesting way. “People should not take claims about Rust’s safety at face value; this is another strong piece of evidence,” he said.

For instance, “ISRG’s Prossimo project has been investing in memory-safe DNS to avoid the aforementioned issues. Hickory DNS is a high-performance recursive DNS resolver written in Rust, which we hope to deploy in our Let’s Encrypt certificate authority next year,” Aas added.

Per Larsen, CEO of Immunant, stated that while the scale of the Tweede Golf experiment is smaller than the Google findings they linked to, it provides further evidence that Rust indeed has the safety impact people expect.

“Tweede Golf’s staff has done an excellent job migrating software from C to Rust,” he said. “We have collaborated well with them, and their interactions have been impressive. They regularly contribute to our c2rust migration tool, which is a significant advantage for me.”

Joshua Aminu, a senior Rust developer from Lagos, Nigeria, said, “I think this is a brilliant article that emphasizes the point that Rust is safer than C/C++ even in real life.”

Development Speed Advantage

The most surprising result was the advantage in development time.Tweede Golf stated that even if they were aware of the vulnerabilities beforehand, implementing the same functionality in a truly safe C version would take “at least three times longer” than the Rust implementation.

Schoolderman explained, “At Tweede, we use Rust not only because it prevents us from making mistakes but also because it allows us to write safer software faster.”

Why Rust Succeeds Where C Struggles

This vulnerability is a classic C programming issue: unchecked memory access, lack of boundary checks, and implicit trust in external inputs. A simple analysis of the C code for this vulnerability reveals several key issues:

·Unchecked memory offsets allow attackers to read or write to arbitrary memory locations

·Implicit trust in input data without verification

·Potential infinite loops caused by circular references

·No checks to ensure the output buffer does not overflow

In contrast, Rust’s design philosophy inherently avoids these issues:

1.Memory safety guarantees: Rust’s ownership system makes buffer overflows and use-after-free vulnerabilities nearly impossible unless explicitly chosen to bypass safety checks.

2.Expressive type system: Rust’s powerful type system encourages clear data validation and explicit error handling.

3.Testing culture: The Rust ecosystem places a strong emphasis on testing, including property-based testing and fuzz testing, which can uncover edge cases that humans might miss.

Beyond Academic Examples

This is not just an academic study. Similar DNS-related vulnerabilities have been found in four other network libraries (collectively known as NAME:WRECK). This experiment adds empirical evidence to the claims made by Google, Microsoft, and other tech giants: memory safety issues account for a significant proportion of security vulnerabilities, and languages like Rust can effectively and significantly reduce these risks.

The Future of Systems Programming

As embedded systems, Internet of Things (IoT) devices, and critical infrastructure become increasingly interconnected, the costs of security vulnerabilities are growing exponentially. Tweede Golf’s experiment provides compelling evidence that modern memory-safe languages like Rust offer a path forward—not only preventing certain types of errors but also enabling faster development of more reliable and secure systems.

The message is clear: when it comes to critical system software that impacts millions or billions of people, the choice of programming language is no longer merely a developer’s preference but a matter of fundamental safety and security.

Mytton stated, “For system-level network code, Rust may be the best tool available today—its advantages over C are overwhelming, and I see no reason to choose C to solve these problems anymore.”

Nitpicking?

“While I am sure people can nitpick the research methodology (e.g., small sample size, programmers being more diligent in testing than in real life), I believe the results we see here do indeed reflect what we observe in large-scale industrial environments like Google, which should give us confidence that these results genuinely reflect the benefits organizations can gain from writing code in memory-safe languages,” Gaynor said.

Additionally, Mytton noted that claims of universal savings“in time and money” need to be qualified.

“Yes, this may be true compared to C, especially when addressing system-level issues,” he said. “But what about compared to other safe languages like Python or Go? The cost-benefit analysis becomes much more complex. It is challenging to find experienced Rust developers, and as the tech stack continues to evolve, iterating with Python or Go is often much faster.”

Editor: Handheld Tractor

Related Articles:

  • Why is Microsoft Porting TypeScript to Go Instead of Rust?

  • 2024 Rust Survey: Most Rust Developers Are Concerned About the Language’s Future

  • Critical Code Security Audit of PHP Reveals Defects

Related posts

  1. Rust Cured My Mental Exhaustion
  2. Industry Trends: Security Monitoring Main Chip (SoC) Series – Rockchip RV1103
  3. Analysis Brief on the Social Robot Industry
  4. Does Xiao Ai’s Intelligence Really Outperform Tmall Genie?
  5. Rust Learning Notes – 01
  6. C++ Practice Today with RoboCode
  7. The Success of Go Also Heralds the Success of Rust
  8. Building a Secure and Reliable Authentication Service with Rust: From Basics to Practical Implementation
  9. Guozi Software’s IoT Asset Management Platform for Primary and Secondary Schools: A New Era in Campus Asset Management
  10. Intel Fully Adopts LLVM for Its C/C++ Compiler
  11. Application Case of PLC and Digital Twin Technology in Virtual Debugging for Production Line Upgrades
  12. Microcontroller RTOS Real-Time Task Scheduling: Multi-Task Cooperation and Priority Management
  13. Discussion on Embedded Hardware: Push-Pull, Open-Drain, High-Z State, and Pull-Up Resistors
  14. Practical Guide to High-Risk Port Control Strategies and Firewall Configuration in Linux
  15. Stop Saying Rust is Overhyped

Leave a Comment