Microsoft: Rust is the "best opportunity" in the security systems programming industry

Posted Jun 26, 2020 · 4 min read

No matter how much a software company invests in tooling and in training its developers, "C++ is not a safe language by nature," Ryan Levick believes. Levick, a Microsoft cloud developer advocate, explained at last month's AllThingsOpen virtual conference why Microsoft is gradually moving from C/C++ to Rust to build its infrastructure software, and encouraged other software industry giants to consider the same move.

He said: "The languages we use are very old and come from different eras, so they cannot provide us with the ability to protect ourselves from such vulnerabilities. C++ is not a memory-safe language."

In fact, Microsoft has deemed C++ no longer acceptable for writing mission-critical software. The industry sorely needs to move to a performant, memory-safe language for its low-level systems work, and the best choice on the market today is [Rust](https://www.rust-lang.org/), Levick said.

C/C++ cannot be fixed

Today, C and C++ are the common languages for writing core system software. They are fast, with only assembly language standing between the code and the machine itself.

However, the memory-related bugs these languages permit, many of which are security vulnerabilities, plague the entire industry. Levick said that 70% of the CVEs that Microsoft issues are memory safety issues. He said: "Although we have made great efforts to solve this problem, it still seems to be commonplace."

Switching also makes sense financially, given the soaring cost of remedying this never-ending stream of memory-related errors. Back in 2004, Microsoft estimated that each memory-related bug cost the industry about $250,000, and that estimate is probably on the low end, Levick said.

Of course, there have been a number of efforts to make C++ safer, but while each helps in its own way, none entirely solves the problem.

One approach that has long been floated is more programmer training in how to write safer code. But there is zero evidence that broad training of C and C++ developers actually fixes this issue in any significant way, Levick said, citing Microsoft's own extensive internal developer training.

Static analysis is cited as another possible solution. But static analysis comes with too much overhead: it needs to be wired into the build system, so there is a lot of incentive not to use it, Levick said. "If it's not on by default, it won't help."

The same goes for runtime checks: it's impossible, or at the very least extremely hard, to know when runtime checking contracts are used and when they're not, he said, adding that they also come with an operational overhead.

Best opportunity in the industry

In response to this problem of memory-related errors, the Microsoft Security Response Center launched the [Safe Systems Programming Language](https://www.youtube.com/watch?v=t3dKNcJXtbg) initiative. Part of that work is dedicated to shoring up C/C++. Verona, a new programming language being created for safe low-level programming, also came out of it. But the third prong of the project's strategy, the one they are putting the most faith in, is to support the industry's best chance for addressing this issue head-on.

"And we believe that to be Rust," he said.

Performance-wise, Rust is on par with C/C++, and maybe even slightly faster. Rust also brings developer productivity, with package management, modern testing frameworks and the like, and programmers love it for that.

But the main reason Microsoft is so enamored with Rust is that it is a memory-safe language with minimal runtime checking. Rust excels at producing correct programs. Correctness here means, roughly, that the compiler statically rejects memory-unsafe operations such as use-after-free, dangling references and data races before the program ever runs, and the few remaining checks (array bounds, for example) are enforced at runtime, resulting in fewer runtime errors. The `unsafe` keyword is available, but it is opt-in, not the default. Unsafe Rust code is almost always a small subset of a larger body of safe code. Unsafe code is necessary for jobs that need raw memory access, such as writing device drivers, but even there the unsafe operations are encapsulated behind a safe API that upholds the invariants the compiler cannot check on its own.

This ability to program safely is not something to be taken lightly, Levick said. In fact, it can cut the audit burden by more than 10x, which makes the investment worthwhile. This is largely because pretty much all C/C++ code needs a security audit for unsafe behavior, whereas in Rust only the unsafe code, a small subset of most code bases, needs that scrutiny.
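As an added illustration of that encapsulation pattern and of what it does to the audit surface (this is example code written for this page, not code from Microsoft or from the talk), the Rust type below keeps a raw heap allocation and raw pointer reads and writes behind a safe API. The type name `FixedBuf`, the helper `fill_and_read` and the sample input are assumptions made for the example. The only lines an auditor has to reason about are the `unsafe` blocks and the invariants stated in their `// SAFETY:` comments; every caller of the type is ordinary safe code that the compiler checks.

```rust
use std::alloc::{alloc, dealloc, handle_alloc_error, Layout};
use std::ptr;

/// A fixed-capacity byte buffer backed by a raw heap allocation.
/// All `unsafe` on this page lives inside this impl; callers only see the safe API.
/// Invariant: bytes [0, len) are initialised and len <= cap.
pub struct FixedBuf {
    ptr: *mut u8,
    cap: usize,
    len: usize,
}

impl FixedBuf {
    pub fn with_capacity(cap: usize) -> FixedBuf {
        assert!(cap > 0, "zero-sized allocations are not allowed");
        let layout = Layout::array::<u8>(cap).expect("capacity overflows Layout");
        // SAFETY: layout has non-zero size because cap > 0 was checked above.
        let ptr = unsafe { alloc(layout) };
        if ptr.is_null() {
            handle_alloc_error(layout);
        }
        FixedBuf { ptr, cap, len: 0 }
    }

    /// Append one byte. Returns Err instead of writing past the allocation;
    /// this length check is what makes the raw write below sound.
    pub fn push(&mut self, byte: u8) -> Result<(), &'static str> {
        if self.len >= self.cap {
            return Err("buffer full");
        }
        // SAFETY: len < cap, so ptr.add(len) is inside the allocation.
        unsafe { ptr::write(self.ptr.add(self.len), byte) };
        self.len += 1;
        Ok(())
    }

    /// Bounds-checked read: an out-of-range index is None, never a wild read.
    pub fn get(&self, i: usize) -> Option<u8> {
        if i >= self.len {
            return None;
        }
        // SAFETY: i < len, and bytes [0, len) are initialised.
        Some(unsafe { ptr::read(self.ptr.add(i)) })
    }

    pub fn as_slice(&self) -> &[u8] {
        // SAFETY: [0, len) is initialised; the borrow is tied to &self, so the
        // slice cannot outlive the allocation.
        unsafe { std::slice::from_raw_parts(self.ptr, self.len) }
    }

    pub fn len(&self) -> usize {
        self.len
    }

    pub fn is_empty(&self) -> bool {
        self.len == 0
    }
}

impl Drop for FixedBuf {
    fn drop(&mut self) {
        let layout = Layout::array::<u8>(self.cap).expect("layout was valid at alloc");
        // SAFETY: ptr came from alloc() with this exact layout; Drop runs once,
        // so there is no double free.
        unsafe { dealloc(self.ptr, layout) };
    }
}

// What safe Rust refuses outright (does not compile; shown as a comment):
//   let r;
//   {
//       let s = String::from("temp");
//       r = &s;          // error[E0597]: `s` does not live long enough
//   }
//   println!("{}", r);  // would be a use-after-free in C++

/// Safe code using the buffer: overflow and out-of-bounds reads become checked
/// Err/None results, and freeing happens exactly once when `buf` drops.
/// Returns (bytes written, first byte, read at index `cap`).
pub fn fill_and_read(cap: usize, data: &[u8]) -> (usize, Option<u8>, Option<u8>) {
    let mut buf = FixedBuf::with_capacity(cap);
    let mut written = 0;
    for &b in data {
        if buf.push(b).is_err() {
            break; // capacity reached; nothing past the allocation is touched
        }
        written += 1;
    }
    (written, buf.get(0), buf.get(cap))
}

fn main() {
    // Constructed sample input: five bytes into a four-byte buffer.
    let (written, first, oob) = fill_and_read(4, b"hello");
    println!("written={} first={:?} read_at_cap={:?}", written, first, oob);
}
```

The point for an audit is scope: a reviewer reads the four `unsafe` blocks and checks that each `// SAFETY:` comment really follows from the type's invariant, and is done; in a crate that should contain no unsafe code at all, `#![forbid(unsafe_code)]` at the crate root makes the compiler reject any that appears, which is the "on by default" property Levick asks of static analysis.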

While Microsoft is bullish on Rust, Levick admits that Microsoft's core developers won't stop using C/C++ anytime soon.

"We have a lot of C++ at Microsoft and that code is not going anywhere," he said. "In fact, Microsoft C++ continues to be written and will continue to be written for a while."

A lot of tooling is built around C/C++. In particular, Microsoft's binaries are now almost entirely built with the Microsoft Visual C++ compiler, which produces MSVC binaries, whereas the Rust compiler generates code through LLVM.

Perhaps the biggest challenge, though, is cultural: some people just want to get their job done in the language they already know, Levick admitted.

Still, the industry seems to be moving towards Rust. Amazon Web Services uses it, in part for deploying the Lambda serverless runtime, as well as for some parts of EC2. Facebook has started using Rust, as have Apple, Google, Dropbox and Cloudflare.

The dates for All Things Open 2020 have been announced: Oct. 20-22.


Amazon Web Services is a sponsor of The New Stack.