
‘Microsoft is rewriting its core code in Rust’

Microsoft is rewriting core Windows libraries in the Rust programming language, The Register reports. The switch to a more memory-safe language is said to be underway already, but the move will take some time.

Microsoft has one of the world’s largest C/C++ codebases, and all of its core products run on it, from Windows and Office to the Azure cloud. However, because C++ is not a memory-safe language, many memory bugs surface in that codebase, and fixing them eats up a lot of developer time.

Rust, by contrast, is designed to be memory-safe. Its toolchain aims above all to prevent developers from building and shipping exploitable code, which in turn helps prevent threat actors from exploiting vulnerabilities in that code. As The Register explains: “Rust is focused on memory safety and similar protections, which cuts down on the number of bad bugs in the resulting code”.

Memory safety is currently trending in the programming world. A Consumer Reports survey published in January found that “roughly 60 to 70 percent of browser and kernel vulnerabilities—and security bugs found in C/C++ code bases—are due to memory unsafety, many of which can be solved by using memory-safe languages”.

In pursuit of memory-safe code, Microsoft’s competitors are already hopping on the Rust bandwagon. Google, for example, has been looking at Rust for its Android platform since 2021.

Microsoft began looking last year at alternative programming languages that could help fix its memory safety issues. It has now, apparently, settled on Rust as the new solution.

Still, the migration away from C++ will not happen overnight. David Weston, director of OS security for Windows, announced the Rust development in the Microsoft kernel at BlueHat IL 2023 in Tel Aviv, Israel, last month.

“Rewriting Windows in Rust probably isn’t going to happen anytime soon,” Weston told the audience, “so while we love Rust, we need a strategy that also includes securing more of our native code.”