2 min Devops

AWS is paying to make Rust safe

AWS is paying to make Rust safe

Rust has emerged as a memory-safe alternative to C and C++. However, the standard library still often uses unsafe functions as 7,500 out of 35,000 of them fall into this category. AWS and the Rust Foundation plan to eliminate them through crowdsourcing and a financial carrot on a stick.

Builders of Rust functions must expressly state that a function is insecure, which does not necessarily eliminate the memory-safe nature. After all, it is up to the developer to properly manage memory if they have turned off the safety feature, which is otherwise handled by the language itself. Some actions with the Rust language are also impossible without this fallback route.

AWS pulls pocket money

AWS has flagged the “incorrect” Rust code as a problem. It wants to verify the standard library to stop “undefined behavior” (UB) from occurring, as insecure functions are up to the developer to prevent if they are turning off Rust’s natural guardrails.

AWS, together with the Rust Foundation, is casting the various pain points into challenges. In return for each challenge, there is a financial reward. These can include verifying the standard library, but also building tools to help with this.

Several tools already exist to assist developers. For example, Aeneas translates Rust into mathematical representations of the language to prove that Rust is secure.

The promise of Rust fulfilled?

“Rust aims to be a secure and performant language,” AWS says. But evidently, it needs a push in the right direction. With the programming language seeing increasing adoption but not yet ubiquitous, now is precisely the time to put things in order. Unlike C and C++, which are mostly Rust’s predecessors when it comes to low-level code, the language is an intentional renovation.

Eliminating memory-related vulnerabilities is ultimately the goal. However, GitHub users have repeatedly shown that even Rust code that follows all the rules can still be insecure. In other words, there is more to it than just the mountain of insecure features that virtually every large-scale Rust project uses. Whether AWS will work with the Rust Foundation to fix this is doubtful.

Also read: Why the Rust programming language keeps getting more popular