In an effort to reduce memory safety bugs, Google has announced that the open source version of Android will have support for parts of the operating system to be built in Rust.
While apps on Android can be written in managed languages such as Java and Kotlin, those languages do not have the “control and predictability” of lower-level languages such as C and C++, which are used to build the Android operating system itself.
“They are light on resources and have more predictable performance characteristics. For C and C++, the developer is responsible for managing memory lifetime. Unfortunately, it’s easy to make mistakes when doing this, especially in complex and multithreaded codebases,” the Android team wrote in a blog post.
“Rust provides memory safety guarantees by using a combination of compile-time checks to enforce object lifetime/ownership and runtime checks to ensure that memory accesses are valid. This safety is achieved while providing equivalent performance to C and C++.”
As things currently stand in Android, a process written in C/C++ that handles untrusted input runs in a sandbox, which Google said is expensive and still leaves open the possibility of attackers chaining security vulnerabilities together to exploit systems.
Additionally, Google found that half of its memory bugs were in code less than a year old, so it made sense to target Rust at new code rather than rewriting the OS in Rust.
“Even if we redirected the efforts of every software engineer on the Android team, rewriting tens of millions of lines of code is simply not feasible,” the team said.
“The comparative rarity of older memory bugs may come as a surprise to some, but we’ve found that old code is not where we most urgently need improvement. Software bugs are found and fixed over time, so we would expect the number of bugs in code that is being maintained but not actively developed to go down over time.”
One such system to get the Rust treatment is Gabeldorsche, which is billed as the successor to Android’s Bluetooth stack.
The Android team also touched on the issue of trying to detect and replicate memory bugs to be able to fix them.
“For complex C/C++ code bases, often there are only a handful of people capable of developing and reviewing the fix, and even with a high amount of effort spent on fixing bugs, sometimes the fixes are incorrect,” they wrote.
“Bug detection is most effective when bugs are relatively rare and dangerous bugs can be given the urgency and priority that they merit. Our ability to reap the benefits of improvements in bug detection require that we prioritize preventing the introduction of new bugs.”
One of the benefits of using Rust is the additional constraints and checking inherent in the language, such as requiring variables to be initialized before use, which Google said could prevent the root cause of up to 5% of security vulnerabilities in Android.
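As an added illustration of the compile-time and runtime checks Google describes above (not code from the article or from the Android team): a small Rust parser for a constructed length-prefixed packet, written once in the unchecked indexing style and once with the checked slice API. The packet bytes, the function names and the panic-catching helper are assumptions made for this example.

```rust
// Added example (not from the article or from the Android team): how Rust's
// compile-time and runtime checks turn classic C/C++ memory bugs into
// compile errors or controlled panics instead of silent memory corruption.
use std::panic;

/// Constructed sample "packet": a length byte followed by payload bytes.
/// The declared length (8) is larger than the actual payload (4), the kind
/// of malformed untrusted input the article says Android sandboxes today.
const SAMPLE_PACKET: &[u8] = &[0x08, 0xde, 0xad, 0xbe, 0xef];

/// Unchecked style: index directly with the attacker-controlled length.
/// In C this would read past the buffer; in Rust the runtime bounds check
/// panics, so the process never reads out of bounds.
pub fn parse_unchecked(packet: &[u8]) -> Vec<u8> {
    let declared_len = packet[0] as usize;
    let mut out = Vec::with_capacity(declared_len);
    for i in 0..declared_len {
        out.push(packet[1 + i]); // panics when 1 + i >= packet.len()
    }
    out
}

/// Checked style: use the slice API, which returns None instead of
/// reaching outside the buffer, so the error is handled rather than fatal.
pub fn parse_checked(packet: &[u8]) -> Option<&[u8]> {
    let declared_len = *packet.first()? as usize;
    packet.get(1..1 + declared_len)
}

/// Returns true if parse_unchecked panicked on this input, i.e. the
/// runtime bounds check fired.
pub fn unchecked_panics(packet: &[u8]) -> bool {
    panic::catch_unwind(|| parse_unchecked(packet)).is_err()
}

fn main() {
    println!("unchecked panics: {}", unchecked_panics(SAMPLE_PACKET));
    println!("checked result: {:?}", parse_checked(SAMPLE_PACKET));

    // The compile-time checks mentioned in the article: both of the
    // following are rejected by rustc, so they are left as comments.
    //
    // let v = vec![1u8, 2, 3];
    // let moved = v;
    // println!("{:?}", v);   // error[E0382]: borrow of moved value `v`
    //
    // let x: u32;
    // println!("{}", x);     // error[E0381]: `x` used before being initialized
}
```

On the sample packet the unchecked parser panics with an index-out-of-bounds message rather than reading past the buffer, and the checked parser returns `None`; on a well-formed packet both return the payload. The commented-out lines are the use-after-move and read-before-initialization cases that rustc refuses to compile.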
“Adding a new language to the Android platform is a large undertaking. There are toolchains and dependencies that need to be maintained, test infrastructure and tooling that must be updated, and developers that need to be trained,” the team said.
“For the past 18 months we have been adding Rust support to the Android Open Source Project, and we have a few early adopter projects that we will be sharing in the coming months.”
Earlier this year, Rust moved out of Mozilla and into its own foundation. Mozilla has used Rust to build its Servo browser engine and replace 160,000 lines of C++ with 85,000 lines of Rust.
Mozilla recently ran ThreadSanitizer across Firefox to flush out any data races in the C/C++ left in the browser’s codebase.
With the mixed codebase, Mozilla was concerned about races being obfuscated when passing through Rust code, but nevertheless picked up a pair of pure Rust races.
“Overall Rust appears to be fulfilling one of its original design goals: Allowing us to write more concurrent code safely,” it said.
“Both WebRender and Stylo are very large and pervasively multi-threaded, but have had minimal threading issues. What issues we did find were mistakes in the implementations of low-level and explicitly unsafe multithreading abstractions — and those mistakes were simple to fix.
“This is in contrast to many of our C++ races, which often involved things being randomly accessed on different threads with unclear semantics, necessitating non-trivial refactorings of the code.”
Unsurprisingly, Mozilla recommended any new projects be built in Rust rather than C or C++.
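The concurrency guarantee Mozilla describes, as an added example that is not part of the article or of Mozilla's code: a counter shared by several threads, which Rust only accepts once every access goes through a synchronisation primitive. The thread count, the increment count and the function name are assumptions made for this example.

```rust
// Added example (not from the article or from Mozilla): the compile-time
// discipline that lets Rust rule out data races in safe code. The shared
// counter below is the kind of "randomly accessed on different threads"
// state the article describes in C++; in Rust it only compiles once the
// access is wrapped in a Mutex and shared through an Arc.
use std::sync::{Arc, Mutex};
use std::thread;

/// Constructed workload: each of `workers` threads adds `per_thread` to a
/// shared counter. The result is deterministic because every increment
/// holds the Mutex, so no two threads touch the value at the same time.
pub fn count_with_threads(workers: usize, per_thread: u64) -> u64 {
    let counter = Arc::new(Mutex::new(0u64));
    let handles: Vec<_> = (0..workers)
        .map(|_| {
            let counter = Arc::clone(&counter);
            thread::spawn(move || {
                for _ in 0..per_thread {
                    *counter.lock().unwrap() += 1;
                }
            })
        })
        .collect();
    for h in handles {
        h.join().unwrap();
    }
    let total = *counter.lock().unwrap();
    total
}

fn main() {
    println!("total = {}", count_with_threads(8, 10_000));

    // The unsynchronised version does not compile. A single-threaded
    // `Rc<RefCell<u64>>` is not `Send`, so rustc rejects moving it into a
    // spawned thread instead of letting a race exist at runtime:
    //
    // use std::{cell::RefCell, rc::Rc};
    // let shared = Rc::new(RefCell::new(0u64));
    // let other = Rc::clone(&shared);
    // thread::spawn(move || *other.borrow_mut() += 1);
    // // error[E0277]: `Rc<RefCell<u64>>` cannot be sent between threads safely
}
```

The race-free total is always `workers * per_thread`; the commented-out variant shows the shape of the C++-style bug the article contrasts with, which Rust turns into a compile error because the type is not marked `Send`.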