Google's decision to use Rust for new code in Android in order to reduce memory-related flaws appears to be paying off. Memory safety vulnerabilities in Android have been more than halved -- a milestone that coincides with Google's switch from C and C++ to the memory-safe programming language, Rust.
This is the first year that memory safety vulnerabilities are not the biggest category of security flaws, and comes a year after Google made Rust the default for new code in the Android Open Source Project (AOSP).
Other memory-safe languages Google has used for Android include Java and Java-compatible Kotlin. C and C++ are still dominant languages in AOSP, but Android 13 is the first version where most of the new code is from memory-safe languages. After Google adopted it for AOSP in April 2021, Rust now accounts for about 21% of new code. The Linux kernel project this year adopted Rust as the new official second language to C.
Android version 10 from 2019 had 223 memory safety bugs, while Android 13 has 85 known memory safety issues.
Over that period, memory safety vulnerabilities have dropped from 76% down to 35% of Android's total vulnerabilities, notes Android security software engineer Jeffrey Vander Stoep. With this drop in memory safety vulnerabilities, Google is also seeing a decline in critical and remotely exploitable flaws.
Vander Stoep notes that this change was not driven by "heroics" — just developers using the best tools for the job. The Android team plans to step up usage of Rust, though there are no plans to get rid of C and C++ for its systems programming.
"If I had to identify a single characteristic that makes this possible, I would say 'humility'. There's a willingness within all levels of the Android team to say 'How can we do better?' along with the fortitude to follow through and make changes, including systemic changes," he noted in a tweet.
"Humility needs to go both ways though. Rust doesn't solve all problems, and there are areas where C/C++ will continue to be the most practical option for development, at least for a while. That's OK.
"We'll work on reducing that over time while continuing to scale up our Rust usage and continuing to invest in and deploy improvements to C/C++."
Correlation doesn't equate to causation, Vander Stoep notes, but the percentage of memory safety bugs — which dominate high severity bugs — does closely match the languages used for new code.
Security tools like fuzzing have also made a major impact on memory safety bugs, says Google.
"We continue to invest in tools to improve the safety of our C/C++. Over the past few releases we've introduced the Scudo hardened allocator, HWASAN, GWP-ASAN, and KFENCE on production Android devices. We've also increased our fuzzing coverage on our existing code base. Vulnerabilities found using these tools contributed both to prevention of vulnerabilities in new code as well as vulnerabilities found in old code that are included in the above evaluation. These are important tools, and critically important for our C/C++ code. However, these alone do not account for the large shift in vulnerabilities that we're seeing, and other projects that have deployed these technologies have not seen a major shift in their vulnerability composition. We believe Android's ongoing shift from memory-unsafe to memory-safe languages is a major factor," writes Vander Stoep.
He goes on to note that in Android 13 there are 1.5 million total lines of Rust code, representing about 21% of all new code. To date, Google has seen not a single memory safety vulnerability in Android's Rust code.
"It demonstrates that Rust is fulfilling its intended purpose of preventing Android's most common source of vulnerabilities. Historical vulnerability density is greater than 1/kLOC (1 vulnerability per 1000 lines of code) in many of Android's C/C++ components (e.g. media, Bluetooth, NFC, etc). Based on this historical vulnerability density, it's likely that using Rust has already prevented hundreds of vulnerabilities from reaching production," Vander Stoep notes.
Google sees the move away from C/C++ as challenging, but is pressing ahead with the project for Android. However, it is not moving to Rust for Chrome.
For Android, though, Google is implementing userspace hardware abstraction layers (HALs) in Rust and adding support for Rust in Trusted Applications. It has also migrated virtual machine firmware in the Android Virtualization Framework to Rust. And with support for Rust in the Linux kernel version 6.1, Google is bringing memory-safety to the kernel, starting with kernel drivers.