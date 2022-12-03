



Google’s decision to use Rust in Android’s new code to reduce memory-related flaws seems to be paying off. Android’s memory safe vulnerabilities have been cut in half. This coincides with Google’s switch from C and C++ to Rust, a memory-safe programming language.

This is the first year that memory safety vulnerabilities are no longer the largest category of security flaws, and since Google made Rust as the default for new code in the Android Open Source Project (AOSP)1 Years later.

Other memory-safe languages ​​that Google used for Android include Java and Java-compatible Kotlin. C and C++ are still the dominant languages ​​in AOSP, but Android 13 is the first version with mostly memory-safe languages ​​for new code. After Google adopted Rust for his AOSP in April 2021, Rust now accounts for about 21% of new code. This year’s Linux kernel project adopted Rust as the new official second language for C.

Android version 10 in 2019 had 223 memory safety bugs, while Android 13 has 85 known memory safety issues.

Jeffrey Vander Stoep, a security software engineer at Android, said memory safety vulnerabilities decreased from 76% to 35% of all Android vulnerabilities during this period. With fewer memory security vulnerabilities, we’ve also seen fewer remotely exploitable critical flaws.

Vander Stoep said the change was not caused by “heroism”, just developers using the best tools for the job. The Android team plans to increase its use of Rust, but has no plans to remove C and C++ for system programming.

“If there’s just one characteristic that makes this possible, it’s humility. At every level of the Android team, there’s a willingness to say, ‘How could we do it better?’ With the fortitude to execute and make changes, including,” he said in a tweet.

“But humility has to go both ways. Rust won’t solve all problems, and there are areas where C/C++ will continue to be the most practical option for development, at least for some time. Yes, that’s fine.

“We will continue to expand our use of Rust and continue to invest in and roll out improvements to C/C++ while working to reduce it over time.”

According to Vander Stoep, correlation is not considered causation, but the proportion of memory safety and security bugs that dominate high-severity bugs closely aligns with the language used for new code. I am doing it.

According to Google, security tools like fuzzing also have a large impact on memory safety bugs.

“We continue to invest in tools that make C/C++ safer. Over the past few releases, we have introduced Scudo hardened allocators, HWASAN, GWP-ASAN, and KFENCE to Android devices. Vulnerabilities discovered using these tools contributed to the prevention of both new and old code vulnerabilities included in the above assessment. These are important tools, and they are part of our C/C++ code. projects don’t see any major changes in the composition of vulnerabilities, largely due to the move to memory-safe languages,” writes Vander Stoep.

He goes on to say that Android 13 has a total of 1.5 million lines of Rust code, which is about 21% of all new code. So far, Google has not identified a single memory safety vulnerability in his Rust code on his Android.

“This demonstrates that Rust has served its intended purpose of preventing the most common sources of Android vulnerabilities. Media, Bluetooth, NFC, etc. Based on this historical vulnerability density, Rust could have already prevented hundreds of vulnerabilities from reaching production.

Google finds the transition from C/C++ difficult, but is working on a project for Android. However, it has not migrated to Rust for Chrome.

However, for Android, Google has implemented a user-space hardware abstraction layer (HAL) in Rust, adding support for Rust in trusted applications. We’ve also migrated the Android Virtualization Framework’s virtual machine firmware to Rust. Also, with Rust support in Linux kernel version 6.1, Google brings memory safety to the kernel, starting with the kernel driver.

