Google says Android performs best when covered in Rust

Google has been integrating code written in the Rust programming language into its Android operating system since 2019 and its efforts have paid off in the form of fewer security holes.

Memory security bugs — such as reads and writes or use out of bounds for free — account for more than 65 percent of severe or critical bug vulnerabilities in Chrome and Android, and the numbers are similar for software from other vendors. These flaws degrade security and increase the cost of software development when they are not detected early.

But after four years in which Android has been collecting bits of Rust, that number is down.

“From 2019 to 2022, the annual number of memory vulnerabilities decreased from 223 to 85,” Android security engineer Jeffrey Vander Stueb said in a blog post.

Vander Stewepp says the decline coincides with efforts to move away from memory-insecure programming languages, which is what C/C++ is all about – a language that doesn’t guarantee memory security but can support it.

Starting with Android 12 last year, Rust has become the language of the Android platform. And now in Android 13, says Vander Stoep, the majority of new code added to the release has been written in a memory-safe language — Rust, Java, or Kotlin.

As less insecure memory code entered Android, memory security vulnerabilities went from 76 percent of Android vulnerabilities in 2019 to 35 percent in 2022 — the first year that memory security bugs didn’t account for the majority of vulnerabilities.

Other vulnerabilities have remained constant over time, appearing at a rate of about 20 per month over the past four years. Since memory security flaws were responsible for most of the critical issues, the vulnerabilities that surfaced proved to be less critical.

Google isn’t the only big tech company that has recognized the benefits of secure memory code. Mita appreciated Rust. Several months ago, Microsoft CTO Mark Rusinovich declared that C/C++ should no longer be used to start new projects and that Rust should be deployed where a language without garbage collection is required.

At the time, C++ creator Bjarne Stroustrup challenged Russinovich’s directive by pointing out that type and memory integrity can be obtained in the ISO C++ standard, which is enforced through static parsing. As Stroustrup sees it, helping C++ evolve makes more sense than deprecating the language and leaving unsafe code unattended.

Google continues to invest in tools to write more secure C/C++ code, says Vander Stoep, pointing to the powerful Scudo customizer, HWASAN, GWP-ASAN, and KFENCE on Android devices. He says Google has increased its use of obfuscation. But while such measures have contributed to a decline in memory integrity errors, he argues that most of the reduction in vulnerability should be attributed to the move towards memory safe languages.

In Android 13, approximately 21 percent of the new native code was written in Rust. This includes about 1.5 million lines of Rust code in the Android Open Source Project (AOSP), and consists of components such as Keystore2, the new UWB stack, and DNS-over-HTTP3 that in previous years would have been written in C++ .

And so far, Rust has managed to do just that. “So far, no memory vulnerabilities have been discovered in Android’s Rust code,” said Vander Stueb, who wisely admitted that this probably won’t be the case forever.

Rebecca Rumpole, CEO and Executive Director of the Rust Foundation, said in an email to: log. “It’s not surprising to see Rust increasingly being integrated into existing projects and products, and a recent Google blog discussing Rust in Android really highlights its security benefits.”

“These security benefits are also being recognized by policymakers around the world, with governments in Europe and North America acknowledging that Rost is a solution to some of the security problems they have had in the past,” Rompole added.

The US National Security Agency recently noted that while languages ​​such as C++ can provide a great deal of flexibility, they rely on the programmer to provide the necessary memory reference checks.

“Software analysis tools can detect many instances of memory management problems and runtime environment options can also provide some protection, but the inherent protection provided by memory-safe software languages ​​can prevent or mitigate most memory management problems,” the agency said in the guidance. [PDF] Released last month. “The NSA recommends using secure mnemonic language when possible.” ®