Google has given the Android platform support for the Rust programming language. By doing so, the company hopes to prevent future bugs that lead to security problems.
In a blog post, Google explains that the company wants to use Rust mainly for the code of the deeper layers of the operating system, such as the bootloader and the drivers. Currently, Google still uses C and C++ for that. Those languages offer a lot of control and predictability and are light on resources but put the responsibility of managing memory in the developer’s hands. This usually works well, but bugs do occur, and such errors create security problems. Android apps are generally written in Java. Thereby, the memory is managed by the Android Runtime, which prevents memory bugs.
The Rule of 2
To prevent security problems from occurring, Google applies the Rule of 2 for developing Android processes. In any situation, a maximum of two of the following three unsafe situations may occur:
- The code processes untrustworthy input;
- The code is not operating in a strong sandbox environment;
- The code is written in an unsafe language (C/C++).
The result is that code in C/C++ does not have to deal with unsafe input unless it is in a well-enclosed sandbox. The disadvantage of this approach, however, is that working with sandboxes is intensive for the system: there is more overhead, more memory usage and more latency. What’s more, bugs are not completely excluded with this approach, which means that attackers can still cause damage with by chaining multiple vulnerabilities together.
That is why Google has decided to use Rust. In terms of syntax, this programming language is very similar to C++, but thanks to its borrow checker, it protects the memory from programming errors, making it memory-safe. Rust was originally designed by Mozilla contributor Graydon Hoare but is supported by an increasing number of organisations. The language is enormously popular with developers and recently got its own interest and management organisation: the Rust Foundation. This has made the language less dependent on Mozilla.
By programming in Rust, Google hopes to eventually spend much less time tracking down and solving bugs. However, the company does not intend to completely rewrite Android in Rust. Most of the bugs are found within a year and after that, the code quickly matures. Google does not see the point of rewriting mature code with relatively few bugs. Especially since we are talking about millions and millions of lines of code.