Rust steals C's crown with Microsoft secure code project

Richi Jennings Industry analyst and editor, RJAssociates

Microsoft seems to be very interested in Rust. And why not? It’s a programming language that makes it easy to write secure, multi-threaded, memory-safe code.

Crucially, it’s easy to port C++ code to Rust. And, boy, does Microsoft have a lot of that? (Yes. Yes, it does.)

But what’s this we hear about Microsoft’s “Project Verona”—a new language, based on Rust? In this week’s Security Blogwatch, we embrace and extend.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Thanks USB-C.

Technical credit where credit’s due

What’s the craic? Liam Tung reports—Microsoft: We're creating a new Rust-like programming language:

The company's Project Verona aims to make older low-level components in Windows 10 more secure. [It] has partially explained its security-related motives for experimenting with Rust, but hasn't gone into much detail about the broader reasons.

Microsoft recently revealed that the vast majority of bugs being discovered these days are memory safety flaws, which is also why Microsoft is looking at Rust. … Verona could turn out to be just an experiment that leads nowhere, but the company has progressed far enough to have detailed some of its ideas.

Matthew Parkinson, a Microsoft researcher from the Cambridge Computer Lab in the UK … gave a talk last week [discussing] the work Microsoft has done with MemGC … Memory Garbage Collector, for Internet Explorer (IE) and Edge. … The other class of bugs Microsoft is working on to address relates to uninitialized memory.

And Manisha Priyadarshini adds—A Rust-Based ‘Memory Safe’ Programming Language:

It’s not possible to rewrite everything from scratch in Rust. Instead, Microsoft is trying to find a way to make Rust coexist with other technologies, but … it is not that easy.

The positive thing here is that introducing Rust to seasoned C++ programmers is easy because they are able to familiarize themselves with it quickly — mostly because Rust formalizes the concepts that they already know.

The new ‘memory safe’ programming language Microsoft is working on is internally being referred to as “safe infrastructure programming”. There are rumors that [it] will be made open-source soon.

What value would Microsoft add to Rust? Adam Burch gives a couple of big ol’ hints—Using Rust in Windows:

Recently, I’ve been tasked with an experimental rewrite of a low-level system component of the Windows codebase [in] Rust. … My experience with Rust has been generally positive.

Using Rust as a developer is a breath of fresh air. The memory and data safety guarantees made by the compiler give the developer much greater confidence that compiling code will be correct beyond memory safety vulnerabilities.

Rust has a pretty easy learning curve for someone like me who has used C++ for the majority of my career. … I look forward to seeing more developers at Microsoft working with the language.

[But] there are still some missing language features that would be very desirable. … Foremost of these are safe transmutation (safely cast “plain old data” types to and from raw bytes), safe support for C style unions, and fallible allocation (fail gracefully from allocation failure, rather than panic).

Let’s skip ahead to the snarky criticism. One and John E. Dunn: [You’re fired—Ed.]

It’s as if Microsoft is admitting that rather than badger its developers to write safe code for the next 10 years, a better option is simply to limit the parameters of the tools they use to create it. [But why has it] taken Microsoft so long to get around to adopting a memory-safe language such as Rust, years after Mozilla started sponsoring it?

It’s still not clear when updated code might ship, but it is starting to look inevitable at the current rate of progress. If Microsoft’s enthusiasm for Rust reveals one thing it’s how the company has become more open-minded about using open-source tools to improve its security.

And ncmncm offers this slightly cynical summary:

Microsoft has a huge problem: thousands of coders who aren't disciplined enough to write reliable code. They need a language to provide the needed discipline.

They tried making their own language [C#], and now understand that they are not good enough at that, either. Rust, or a fork of Rust, might suffice.

A fork? Yuck. BAReFO0t alleges an ALLeGATI0n:

Embrace, Extend, Extinguish. Instead of just contributing to Rust to get the features you need.

But but but, this is the new, cuddly Microsoft, right? sectiondetail sounds conflicted:

I'm about as old-school anti-Microsoft as it gets … but even I have to admit that they've been pretty serious in offering olive branches to the broader open source community in the past decade. I'm prepared to give them the benefit of the doubt.

If someone had told me ten years ago that my favourite code editing environment on the Linux desktop ten years later would be browser-tech-based, MIT-licensed, and made by Microsoft, I'd have stared at them like they had just grown a second head. But here we are.

And why “Verona”? Nick Farrell explains—Windows 10 gets all rusty:

Verona is a city in Italy which is much like Venice, only there is no water in the streets – which is why its gondoliers all suffer from sprained wrists.

So you’re interested in refactoring your code in Rust? Heed Michael F. Bryan—How to rewrite it in Rust:

In most languages you’d need to rewrite the entire [app] from the ground up, waiting until the port is almost finished before you can start seeing results. These sorts of ports tend to be quite expensive and error-prone, and often they’ll fail midway and you’ll have nothing to show for your effort.

However, Rust has a killer feature when it comes to this sort of thing. It can call into C code with no overhead (i.e., the runtime doesn’t need to inject automatic marshalling like C#’s P/Invoke) and it can expose functions which can be consumed by C just like any other C function.

This opens the door for an alternative approach: Port the library to Rust one function at a time.

When you start out with something like this it’s tempting to dive into the most important functions and port those first. … It can be easy to bite off more than you can chew and end up either wasting time or becoming demoralized and give up. Instead … look for the easiest item.

The best thing about this method is you are incrementally improving a codebase while ensuring the application still works and avoiding a ground-up rewrite.
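To make the function-at-a-time approach concrete, here is an added example (not code from Bryan's post or from Microsoft) of one small C function ported to Rust while keeping its C ABI, so existing C callers link against it unchanged. The function name `read_field_u16`, its signature and the error codes are hypothetical; the bounds check is the kind of memory-safety logic the port moves into safe Rust.

```rust
// Added example: one function ported from C to Rust behind an unchanged C ABI.
// `read_field_u16`, its signature and the error codes are hypothetical.
use std::slice;

pub const FIELD_OK: i32 = 0;
pub const FIELD_ERR_NULL: i32 = -1;
pub const FIELD_ERR_BOUNDS: i32 = -2;

/// Safe core: read a big-endian u16 at `offset`. The slice API does the
/// bounds checking that the C original had to do by hand.
fn read_u16_be(buf: &[u8], offset: usize) -> Option<u16> {
    let end = offset.checked_add(2)?; // no wrap-around on huge offsets
    let bytes = buf.get(offset..end)?; // None instead of an out-of-bounds read
    Some(u16::from_be_bytes([bytes[0], bytes[1]]))
}

/// C-callable wrapper replacing the hypothetical C original:
///   int read_field_u16(const uint8_t *buf, size_t len, size_t offset, uint16_t *out);
/// Failures come back as error codes, so no panic unwinds across the FFI boundary.
#[no_mangle]
pub unsafe extern "C" fn read_field_u16(
    buf: *const u8,
    len: usize,
    offset: usize,
    out: *mut u16,
) -> i32 {
    if buf.is_null() || out.is_null() {
        return FIELD_ERR_NULL;
    }
    // SAFETY: the caller guarantees `buf` points to `len` readable bytes,
    // the same contract the C version relied on.
    let data = unsafe { slice::from_raw_parts(buf, len) };
    match read_u16_be(data, offset) {
        Some(value) => {
            // SAFETY: `out` is non-null and the caller owns the storage.
            unsafe { out.write(value) };
            FIELD_OK
        }
        None => FIELD_ERR_BOUNDS,
    }
}

fn main() {
    let packet = [0x00u8, 0x2a, 0xff]; // constructed sample input
    let mut value = 0u16;
    let rc = unsafe { read_field_u16(packet.as_ptr(), packet.len(), 0, &mut value) };
    println!("rc={} value={}", rc, value);
}
```

Only the thin wrapper touches raw pointers; everything the wrapper delegates to is checked by the compiler, which is what lets each ported function shrink the amount of code that needs manual memory-safety review.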

Meanwhile, Way Smarter Than You is here all week (try the veal):

Isn't Windows rusty enough?

The moral of the story?

Whatever Microsoft decides to do, it’s clear that Rust has great potential for writing secure code—and refactoring old code to be more secure.

And finally

Finally, after years of struggling to get the old USB connectors positioned the correct way, we have found peace

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: S. Hermann and F. Richter (Pixabay)
