Google has been integrating code written in the Rust programming language into its Android operating system since 2019 and its efforts have paid off in the form of fewer vulnerabilities.
Memory safety bugs, such as out-of-bounds reads and writes or use after free, account for more than 65% of high- or critical-severity vulnerabilities in Chrome and Android, and the numbers are similar in software from other vendors. These flaws degrade security and increase the cost of software development when not detected early.
But after four years of Android taking on more Rust code, that number has dwindled.
“From 2019 to 2022, the annual number of memory security vulnerabilities increased from 223 to 85,” Android security engineer Jeffrey Vander Stoep said in a blog post.
Vander Stoep says the decline coincides with efforts to move away from memory-unsafe programming languages, by which he means C/C++, languages that do not guarantee memory safety but can support it.
Starting with Android 12 last year, Rust became an Android platform language. And now, in Android 13, says Vander Stoep, the majority of new code added to the release has been written in a memory-safe language — Rust, Java, or Kotlin.
With less memory-unsafe code entering Android, memory safety vulnerabilities have fallen from 76% of Android vulnerabilities in 2019 to 35% in 2022, the first year that memory safety bugs do not represent the majority of vulnerabilities.
Other vulnerabilities have remained stable over time, appearing at a rate of about 20 per month over the past four years. Since memory safety vulnerabilities accounted for the most critical issues, the vulnerabilities that surfaced turned out to be less severe.
Google isn’t the only big tech company recognizing the benefits of memory-safe code. Meta has expressed its appreciation for Rust. Several months ago, Microsoft CTO Mark Russinovich said that C/C++ should no longer be used to start new projects and that Rust should be used where a non-garbage-collected language is required.
At the time, Bjarne Stroustrup, creator of C++, challenged Russinovich’s advice by pointing out that type and memory safety can be achieved in the ISO C++ standard, enforced by static analysis. According to Stroustrup, helping C++ evolve makes more sense than deprecating the language and leaving dangerous code unattended.
Google, says Vander Stoep, continues to invest in tools to write safer C/C++ code, pointing to the Scudo hardened allocator, HWASAN, GWP-ASAN and KFENCE on Android devices. And he says Google has increased its use of fuzzing. But while such measures have contributed to the decrease in memory-safety bugs, he argues that most of the reduction in vulnerabilities should be attributed to the transition to memory-safe languages.
In Android 13, approximately 21% of new native code is written in Rust. This includes approximately 1.5 million lines of Rust code in the Android Open Source Project (AOSP), consisting of components such as Keystore2, the new ultra-wideband (UWB) stack, and DNS-over-HTTP3, which in previous years would have been written in C++.
And so far, Rust has delivered. “To date, no memory security vulnerabilities have been discovered in Android’s Rust code,” said Vander Stoep, who wisely admitted that this probably won’t be the case forever.
“Rust’s combination of speed and memory safety makes it an excellent choice for a wide range of projects,” said Rebecca Rumbul, executive director and CEO of the Rust Foundation, in an email to The Register. “It’s no surprise to see Rust being increasingly integrated into existing projects and products, and Google’s recent Rust in Android blog post really highlights its security benefits.”
Rumbul added, “These security benefits are also recognized by policymakers around the world, with governments in Europe and North America recognizing Rust as a solution to some of the security challenges faced in the past.”
The US National Security Agency recently observed that while languages like C++ can offer great flexibility, they rely on the programmer to provide the necessary memory reference checks.
“Software analysis tools can detect many cases of memory management problems and operating environment options can also provide some protection, but the inherent protections offered by memory-safe software languages can prevent or alleviate most memory management issues,” the agency said in guidance published last month. “NSA recommends using a memory-safe language when possible.”