
The Impact of Rust on Security Development


On February 26, 2024, the White House Office of the National Cyber Director (ONCD) released a report endorsing memory safety for future software development to proactively reduce the attack surface in cyberspace. In this blog post, we’ll talk about the impact of implementing software in Rust as a memory-safe programming language, and analyze its application to critical systems.

Memory safety is crucial in preventing bugs and vulnerabilities that exploit memory access, which can have severe implications for the security of many software systems. According to the Chromium project, around 70% of Google Chrome’s serious security bugs are memory safety problems. Memory-safe programming languages can help prevent a whole class of bugs and vulnerabilities while still offering the ability to work close to the kernel, support determinism, and manage memory effectively.
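To make the "whole class of bugs" concrete, here is an added example (not code from the original post) of the kind of code where C and C++ historically produce out-of-bounds reads: a parser for a length-prefixed record format that is constructed for this example. In safe Rust a length field that claims more bytes than exist cannot read past the buffer; `get` returns `None` and the parser returns an error instead. The record layout, the `ParseError` type and the sample inputs are all assumptions of this example.

```rust
// Added example: parsing a constructed, length-prefixed record format in
// safe Rust. A bad length field becomes an Err, never an out-of-bounds read.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated,      // fewer bytes present than the header claims
    LengthOverflow, // header + length does not fit in usize (32-bit targets)
}

/// Record layout (constructed for this example): 4-byte big-endian length,
/// then `length` bytes of payload. Returns (payload, remaining bytes).
pub fn parse_record(buf: &[u8]) -> Result<(&[u8], &[u8]), ParseError> {
    // `get` returns None instead of reading past the end of the slice.
    let hdr = buf.get(..4).ok_or(ParseError::Truncated)?;
    let len = u32::from_be_bytes([hdr[0], hdr[1], hdr[2], hdr[3]]) as usize;
    // checked_add makes the integer-overflow path explicit rather than
    // silently wrapping to a small value that would pass a naive check.
    let end = 4usize.checked_add(len).ok_or(ParseError::LengthOverflow)?;
    // Again a bounds-checked slice: a short buffer is an error, not a read
    // of whatever memory happens to follow it.
    let payload = buf.get(4..end).ok_or(ParseError::Truncated)?;
    Ok((payload, &buf[end..]))
}

/// Walk a buffer of consecutive records; the first malformed record stops
/// parsing and is reported to the caller.
pub fn parse_all(mut buf: &[u8]) -> Result<Vec<&[u8]>, ParseError> {
    let mut out = Vec::new();
    while !buf.is_empty() {
        let (payload, rest) = parse_record(buf)?;
        out.push(payload);
        buf = rest;
    }
    Ok(out)
}

fn main() {
    // Constructed inputs: one well-formed record, then a record whose length
    // field claims more bytes than are present in the buffer.
    let good = [0, 0, 0, 3, b'a', b'b', b'c'];
    let bad = [0, 0, 0, 3, b'a', b'b', b'c', 0, 0, 0, 9, b'x'];
    println!("{:?}", parse_all(&good));
    println!("{:?}", parse_all(&bad));
}
```

The point is not that the Rust parser is cleverer than a C one; it is that the bounds check is not optional. Forgetting it in C compiles and ships; forgetting it here does not compile, because a slice cannot be indexed without either a checked `get` or a panicking index.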

While Rust took center stage in the endorsement, the key takeaway of the report extends beyond just promoting a single language. The emphasis is on steering away from traditional languages like C and C++, which are more prone to memory safety issues. Modern languages like Python, Go, and Java, with automatic memory management features, are highlighted as viable alternatives for building secure software. The recommendation is not exclusive to Rust but rather encompasses a broader perspective on memory safety in software development.

The impact of switching to Rust

For Android, the switch to memory-safe languages correlated with a significant drop in memory safety vulnerabilities. From 2019 to 2022 the share of memory safety vulnerabilities dropped from 76% to 35% of Android’s total vulnerabilities. 2022 was the first year in which memory safety vulnerabilities did not represent the majority of Android’s vulnerabilities.

To improve performance, Mozilla incorporated Rust code into Firefox Quantum: Stylo, a parallel CSS engine written in Rust, replaces C++ code and speeds up page styling. Firefox developers found Rust’s ownership model and safety features beneficial. Not only did it speed up page load, but it also sped up interaction times, since styling information can be recalculated faster, making the experience smoother.

Is Rust for everyone?

Rust is a challenging language to learn due to its specific focus on memory safety, which can lead to increased development costs. The rigorous memory safety checks imposed by the Rust compiler can prolong the development process, potentially leading to higher expenses. However, the long-term security advantages of using Rust, its efficiency, and reduced maintenance costs outweigh the initial cost implications.

Rust allows developers to write more stable software with fewer maintenance issues and higher efficiency, ultimately resulting in cost savings for companies. Stefan Baumgartner shared his experience at Dynatrace, showcasing how the team successfully implemented a Rust-based product with minimal issues, resulting in long-term cost savings.

However, merely implementing Rust is not enough to protect against all possible attacks. Malicious actors will keep looking for new methods to break security if the reward justifies their efforts. Just like C and C++, Rust offers no built-in protection against hardware attacks like Side Channel Analysis and Fault Injection. While this is generally out of scope for most systems written in Rust, critical systems such as payments and embedded devices need to obtain security certification to release their products to the market. This includes conducting a threat analysis and using qualified Rust compilers for use in safety systems. For example, Ferrocene is an ISO 26262 (ASIL D) and IEC 61508 (SIL 4) qualified version of the existing open-source compiler, rustc, based on Rust 1.68.

To secure devices running Rust code against Side Channel Analysis and Fault Injection attacks, additional countermeasures need to be applied, similar to those needed for C and C++. Keysight specializes in device security and protecting the integrity of embedded systems from fault attacks. Contact [email protected] to learn more about how to secure your applications against Side Channel Analysis and Fault Injection.
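The countermeasures the text refers to are the same ones used in C and C++, and Rust's compiler adds none of them for you. As an added example (not code from the original post, nor Keysight's), the block below shows two of the common software-level patterns written in safe Rust: a constant-time comparison whose run time does not depend on where two byte strings first differ, and a redundant verification whose result is encoded with values far apart in Hamming distance, so that a single skipped instruction or flipped bit is less likely to turn a failed check into a passed one. The `verify_naive` function is included only as the unprotected contrast; the constants, function names and sample secret are assumptions of this example.

```rust
// Added example: software countermeasures against side-channel and fault
// attacks in safe Rust. The borrow checker provides none of this; it has to
// be added deliberately, exactly as in C or C++.
use std::hint::black_box;

/// Result encoding with maximal Hamming distance between OK and FAIL, so a
/// single bit flip in the result cannot convert one into the other.
pub const VERIFY_OK: u32 = 0xA5A5_5A5A;
pub const VERIFY_FAIL: u32 = 0x5A5A_A5A5;

/// Unprotected contrast: slice equality short-circuits at the first
/// mismatching byte, so the run time leaks how much of the input matched,
/// and the decision is a single bool that one glitch can invert.
pub fn verify_naive(expected: &[u8], provided: &[u8]) -> bool {
    expected == provided
}

/// Constant-time comparison: every byte is processed regardless of where
/// the first mismatch is; only the accumulated difference decides.
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff: u8 = 0;
    for (x, y) in a.iter().zip(b.iter()) {
        diff |= *x ^ *y;
    }
    // black_box discourages the optimizer from turning this back into an
    // early-exit comparison.
    black_box(diff) == 0
}

/// Redundant check: the comparison runs twice, each pass wrapped in
/// black_box so the optimizer cannot merge them. If a fault causes the two
/// passes to disagree, the call is treated as failed rather than trusting
/// either result.
pub fn verify_redundant(expected: &[u8], provided: &[u8]) -> u32 {
    let first = black_box(ct_eq(expected, provided));
    let second = black_box(ct_eq(expected, provided));
    if first != second {
        return VERIFY_FAIL; // inconsistent paths: fault suspected
    }
    if first && second { VERIFY_OK } else { VERIFY_FAIL }
}

fn main() {
    // Constructed sample secret and candidate inputs.
    let secret = b"correct-horse";
    println!("naive:     {}", verify_naive(secret, b"correct-horse"));
    println!("redundant: {:#x}", verify_redundant(secret, b"correct-horse"));
    println!("redundant: {:#x}", verify_redundant(secret, b"correct-horsf"));
}
```

Callers should compare the returned word against `VERIFY_OK` explicitly (and, in the real firmware, re-check it at the point of use) rather than collapsing it to a bool early. Whether these patterns survive the optimizer and actually resist a given glitch on a given chip is something only measurement on the target hardware can answer, which is why the text stresses security testing in addition to the language choice.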

Rust’s suitability for space systems

A notable mention in the technical report is Rust’s suitability for space systems like satellites. The language’s ability to interact closely with both software and hardware, support determinism, and ensure effective memory management makes it an ideal choice for space-related applications.

While Rust’s characteristics align with the stringent requirements of space environments, an important consideration when developing space systems is the electromagnetic radiation that affects the way devices operate. While devices on Earth are shielded from radiation by the Earth’s atmosphere, the radiation in space affects devices differently. High-energy particles are present in significantly larger amounts in space and can cause a range of effects, from single-event upsets (SEUs) in electronic circuits to total device failure. In essence, this storm of radiation can be compared to a continuous, untargeted fault injection attack on hardware and software, requiring similar countermeasures in both hardware and software development.

The adoption of Rust can lead to increased efficiency, reduced maintenance costs, and the ability to develop reliable software products. However, Rust has not been proven more secure against hardware vulnerabilities when compared to traditional languages like C and C++. To use Rust in critical systems, Keysight advises implementing additional countermeasures and conducting security testing.
