The open source version of Android is finally opening up to the Rust language. To reduce memory-safety bugs, Google has just announced that this version will allow parts of the operating system to be built in Rust. While Android apps can be written in managed languages like Java and Kotlin, those languages lack the “control and predictability” of lower-level languages like C and C++ used to build the Android operating system itself, the American giant explains.
“They’re light on resources and have more predictable performance characteristics. For C and C++, the developer is responsible for managing memory lifetime. Unfortunately, it’s easy to make mistakes doing this, especially in complex, multithreaded code bases,” the Android team argued in a blog post.
For its part, “Rust provides guarantees of memory security by using a combination of compile-time checks to enforce object lifetime/ownership and run-time checks to ensure that memory accesses are valid. This security is obtained while offering performance equivalent to that of C and C++,” notes the latter.
An expensive process so far
In the current state of Android, if a process written in C/C++ handles untrusted input, it runs in a sandbox, which Google says is expensive and still leaves attackers the possibility of chaining security flaws to exploit the system.
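The run-time checks described above, shown on the kind of untrusted input Google mentions: a small Rust parser for a length-prefixed record format (the format and sample bytes are constructed for this illustration; this is added example code, not code from Google or the Android project). A malformed length yields an error instead of an out-of-bounds read, and the borrowed `payload` slice cannot outlive the input buffer because the compiler enforces the `'a` lifetime.

```rust
// Added example: bounds-checked parsing of untrusted bytes in Rust.
// Wire format (constructed for this example):
//   tag (1 byte) | length (u16, big-endian) | payload (`length` bytes)

#[derive(Debug, PartialEq)]
pub struct Record<'a> {
    pub tag: u8,
    // Borrowed from the input; the compiler rejects any use of this
    // slice after the input buffer has been dropped (lifetime check).
    pub payload: &'a [u8],
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated,
    BadLength,
}

/// Parse one record; returns the record and the unconsumed remainder.
pub fn parse_record(input: &[u8]) -> Result<(Record<'_>, &[u8]), ParseError> {
    let tag = *input.first().ok_or(ParseError::Truncated)?;
    let len_bytes = input.get(1..3).ok_or(ParseError::Truncated)?;
    let len = u16::from_be_bytes([len_bytes[0], len_bytes[1]]) as usize;
    // checked_add guards the arithmetic; get() guards the slice access.
    // An attacker-controlled length therefore cannot read past `input`:
    // the access is validated at run time instead of trusting the header.
    let end = 3usize.checked_add(len).ok_or(ParseError::BadLength)?;
    let payload = input.get(3..end).ok_or(ParseError::BadLength)?;
    Ok((Record { tag, payload }, &input[end..]))
}

/// Parse a whole buffer of back-to-back records, stopping at the first error.
pub fn parse_all(mut input: &[u8]) -> Result<Vec<Record<'_>>, ParseError> {
    let mut out = Vec::new();
    while !input.is_empty() {
        let (rec, rest) = parse_record(input)?;
        out.push(rec);
        input = rest;
    }
    Ok(out)
}

fn main() {
    // Constructed samples: one well-formed record, then a record whose
    // declared length (0xFFFF) exceeds the bytes actually present.
    let good: &[u8] = &[0x01, 0x00, 0x03, b'a', b'b', b'c'];
    let bad: &[u8] = &[0x01, 0x00, 0x03, b'a', b'b', b'c', 0x02, 0xFF, 0xFF, 0x00];
    println!("{:?}", parse_all(good));
    println!("{:?}", parse_all(bad));
}
```

A C parser that copied `len` bytes with `memcpy` on the strength of the header alone would read beyond the buffer on the second sample; here the same input is rejected with `BadLength`.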
Additionally, Google argues that half of its memory bugs are in code that is less than a year old, so it makes sense to target Rust at new code rather than rewriting the operating system in Rust. “Even if we redirected the efforts of every software engineer on the Android team, rewriting tens of millions of lines of code is just not achievable,” the Android team says.
“The relative rarity of older memory bugs may surprise some, but we’ve found that it’s not in old code that improvements are most urgently needed. Software bugs are discovered and fixed over time, so we would expect the number of vulnerabilities in code that is maintained but not actively developed to decrease over time.” One of the systems that will benefit from the Rust treatment is Gabeldorsche, presented as the successor to the Bluetooth stack.
A language with multiple advantages
The Android team also addressed the issue of finding and reproducing memory bugs so that they can be fixed. “For complex C/C++ code bases, there are often only a handful of people who can develop and review the fix, and even with a high amount of effort put into fixing the bugs, sometimes the corrections are incorrect,” it wrote.
“Bug detection is most effective when bugs are relatively rare and dangerous bugs can be given the urgency and priority they deserve. Our ability to reap the benefits of improvements in this area requires that we prioritize preventing the introduction of new bugs.”
One of the benefits of using Rust is the additional constraints and checks inherent in the language, such as forcing variables to be initialized before use, which could eliminate the root cause of up to 5% of security vulnerabilities in Android, says Google.
A major undertaking
“Adding a new language to the Android platform is a big undertaking. There are tool chains and dependencies that need to be maintained, infrastructure and testing tools that need to be updated, and developers that need to be trained,” says the Android team. “Over the past 18 months, we’ve added Rust support to the Android Open Source Project, and we have a few early adoption plans that we’ll be sharing in the coming months.”
Earlier this year, Rust left Mozilla and moved to its own foundation. As a reminder, Mozilla used Rust to build its Servo browser engine and to replace 160,000 lines of C++ with 85,000 lines of Rust. The Mozilla Foundation recently ran ThreadSanitizer on Firefox to eliminate any data races remaining in the browser’s C/C++ code. With this mixed codebase, Mozilla was concerned that races would be obscured by passing through Rust code, but it nonetheless detected two pure-Rust races.
“Overall, Rust appears to be fulfilling one of its original design goals – to allow us to write more concurrent code safely,” the foundation says. “WebRender and Stylo are both very large and ubiquitous and multithreaded, but the threading issues were minimal. The issues we found were errors in the implementation of low-level, explicitly insecure multithreading abstractions – and these errors were easy to fix.”