Can a programming language reduce vulnerabilities?
When Microsoft wanted to rewrite a security-critical network processing agent to eliminate the memory safety vulnerabilities that were causing recurring headaches at the Microsoft Security Response Center (MSRC), the company hired an intern and told him to rewrite the code in Rust.
Rust, a programming language that has claimed the title of “most beloved” among developers for five consecutive years, could change the vulnerability landscape by virtually eliminating certain types of memory safety errors. The language’s reputation is that it offers the speed and control of C and C++ while providing the safety and security guarantees of other languages, such as Go and Python. Almost 70% of the vulnerabilities handled by MSRC are classified as memory safety issues, so eliminating that class of vulnerability is critical.
Discussing his newfound preference for Rust, Alexander Clarke, the MSRC software intern, said in a blog post that while it may be easier to write a program that compiles in C++, the resulting program is more likely to have bugs and vulnerabilities.
“The [Rust] compiler error messages are rightly famous for their usefulness,” he says. “Through error messages, Rust applies safe programming concepts by telling you exactly why the code is not correct, while providing possible suggestions on how to fix it.”
More than a decade after Mozilla adopted Rust and began rewriting parts of its Firefox browser code in the language, Rust may be ready to take off. While adoption continues to be anemic – only 5.1% of developers use Rust, according to the StackOverflow 2020 Developer Survey – a number of large companies have committed to using Rust in specific development projects.
The Mozilla Foundation began shipping code written in the language in its Firefox browser in 2016. In 2019, Microsoft announced plans to adopt Rust more widely for writing system software on Windows. And in February, Mozilla launched the Rust Foundation, a new body that will manage the project, with founding sponsors Microsoft, Google, Amazon and Huawei.
Why the growing popularity? It’s not just about speed and security, at least not for developers, says Ashley Williams, interim executive director of the Rust Foundation.
“My joking response is that we have an animal mascot,” she laughs. “Really, when people talk about loving Rust, there’s the language and the compiler, but also the idea that the community has to be welcoming and that the package management has to be top-notch. There are all of those things, values that people value.”
For businesses, the decision comes down to what Rust does not allow. When the language is used correctly, the compiler flags – and refuses to compile – certain coding patterns that lead to buffer overflows, use-after-free vulnerabilities, double-free memory issues, and null pointer dereferences.
“You make a blood pact with the compiler,” Williams says. “You write your code in a specific way so that the compiler knows your code is correct.”
For Microsoft, the errors Rust can prevent represent the majority of vulnerabilities for which the company assigns Common Vulnerabilities and Exposures (CVE) identifiers. Using the language to build its core system components could help remove a major source of vulnerabilities, Ryan Levick, senior cloud developer advocate at Microsoft, said in a blog post.
“We believe Rust is a game-changer when it comes to writing secure systems software,” he said. “Rust provides the performance and control necessary to write low-level systems, while allowing software developers to write robust and secure programs.”
Yet programming languages promising additional security have not always done so.
In January 1996, Sun Microsystems announced Java 1.0. The language boasted portable code – as in “write once, run anywhere” – but Sun also touted a number of security attributes, such as automated memory management (that is, “garbage collection”), type safety, and the ability to prevent applets from modifying system resources.
Java shows that developers, in the name of efficiency, will often forgo security features and continue to write insecure code.
Rust is more opinionated in its approach than Java, but the language is unlikely to eliminate the potential for developers to introduce security flaws. While Rust enforces memory safety, it also allows that safety to be bypassed through the `unsafe` keyword. Using the keyword is a way for a developer to override the compiler and stop it from checking a block of code – presumably because the developer asserts that the code is safe.
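As an added illustration (not code from the article, Microsoft, or the Rust project), the following Rust snippet shows the bounds-checked access the compiler enforces, a use-after-free pattern the borrow checker refuses to compile, and an `unsafe` block that switches the check off while the surrounding code restores the invariant the compiler no longer verifies. All function names are the example’s own.

```rust
// Added example: how safe Rust prevents the memory errors named above,
// and what the programmer takes on when writing `unsafe`.

/// Safe access: `get` is bounds-checked, so an out-of-range index yields
/// `None` instead of reading past the end of the buffer (no over-read).
pub fn read_safe(buf: &[u8], idx: usize) -> Option<u8> {
    buf.get(idx).copied()
}

/// The same read inside an `unsafe` block. `get_unchecked` performs no
/// bounds check; the compiler accepts it only because the programmer
/// asserts the invariant. The explicit check above the block is the
/// "blood pact": the caller, not the compiler, guarantees idx < len.
pub fn read_unchecked_guarded(buf: &[u8], idx: usize) -> Option<u8> {
    if idx >= buf.len() {
        return None;
    }
    // SAFETY: idx < buf.len() was verified just above.
    Some(unsafe { *buf.get_unchecked(idx) })
}

/// A use-after-free pattern the borrow checker rejects at compile time.
/// Uncommenting the body fails to build: `data` cannot be moved into
/// `drop` while `first` still borrows from it.
pub fn rejected_use_after_free() {
    // let data = vec![1u8, 2, 3];
    // let first = &data[0];
    // drop(data);            // error: cannot move out of `data` while borrowed
    // println!("{}", first); // the dangling read never gets to run
}

/// Double free is likewise impossible in safe Rust: ownership moves, so
/// the heap buffer is released exactly once, when its last owner drops.
pub fn no_double_free() -> usize {
    let data = vec![0u8; 16];
    let moved = data; // `data` is now invalid; touching it again is a compile error
    moved.len()       // `moved` is freed once, at the end of this scope
}

/// Null pointer dereference: there is no null reference in safe Rust, so
/// "maybe absent" is spelled `Option` and must be handled explicitly.
pub fn first_or_default(buf: &[u8]) -> u8 {
    buf.first().copied().unwrap_or(0)
}
```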
Many Rust enthusiasts – “Rustaceans,” as they are called – argue that overuse of the keyword undermines the Rust model. While the debate is nuanced, Williams takes the point.
“There are people who use the `unsafe` block in a way that is not safe,” she says. “If you put something in the unsafe block, the compiler will not check it, and if you are wrong, you could introduce a memory error.”
Yet, she points out, even if developers override the compiler only where it is appropriate, vulnerabilities will likely still creep into their programs, and – because security researchers and hackers tend to find the problems that developers leave behind – those vulnerabilities will be found. Case in point: the Rust-focused security site RustSec lists over 250 vulnerabilities in Rust packages – or “crates” – and in the language itself.
“The vulnerability landscape is not absolute, so there are always new areas of vulnerability,” says Williams. “Some languages may be more secure than others, but… there is no such thing as a completely secure system, especially if your target language has a lot of hackers examining it.”
Veteran tech journalist for over 20 years. Former research engineer. Written for over two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science and Wired News. Five awards for journalism, including Best Deadline …