Google, Microsoft Take Refuge in Rust Language's Better Security

When Fortanix launched in 2016, the company made a decision: It would commit to the one-year-old Rust's programming language to benefit from its security strengths and performance.

Seven years later, Fortanix's commitment to Rust has proved to be a success. The company has built support for Intel Software Guard Extensions (SGX), which allows the use of secure enclaves for user data, and benefits from the Rust compiler's ability to avoid some classes of vulnerabilities, especially memory safety issues, says Jethro Beekman, vice president of technology and CISO at the data-security firm.

"There were some early adopters that really saw that potential, and after doing some thorough research and getting some practical experience with it, we decided to basically go all in," he says. "The tooling and the compiler really helps you avoid mistakes."

Eight years after its 1.0 release, the Rust language and development platforms continue to gain popularity among developers and companies focused on secure code. While Rust has a far lower TIOBE rating than C or C++, the language is seeing significant additional users year over year. Rust also has a committed following: While only 12% of programmers used the technology in the past year, nearly 85% of those developers want to continue using the language, making it the "most admired" programming language, according to the Stack Overflow "2023 Developer Survey."

Rust adoption continues to grow exponentially. Source: Lib.rs (https://lib.rs/stats)

As part of an effort to eliminate classes of bugs, for example, Microsoft is rewriting parts of the kernel using Rust, said David Weston, vice president of enterprise and OS security at Microsoft, during BlueHat Israel in March. The company has created DWriteCore in Rust to turn font parsing into a memory safety feature and is currently working on experimenting with writing parts of the graphics driver interface (GDI) in Rust. The company has seen performance increase by 5% to 15% in early versions of the code.

"I would say that we are at the crawl stage ... for Rust in Windows," Weston said in a video recording of his presentation. "We're experimenting with a tool chain; we're looking at the code gen[eration] and are trying to figure out if this is worth what it costs to learn Rust."

Microsoft, a sponsor of the Rust Foundation, has committed to the language, however. "You will actually have Windows booting with Rust in the kernel," Weston says.

Google, 1Password, and Others Onboard

Google is also a major supporter of Rust. The company attributes a drop in the share of memory-safety vulnerabilities in Android to the transition to Rust, Kotlin (a functional programming language), and Java from C and C++. In 2022, memory safety vulnerabilities, such as buffer overruns, accounted for less than half of all vulnerabilities in Android.

"We generally recommend the use of Rust anywhere that you are considering authoring new C [or] C++ code," says Lars Bergstrom, director of engineering for Android programming languages at Google and the chair of the Rust Foundation's board of directors. "So Rust is often a good choice where you need tight control of the underlying system and its resources, such as memory."

The National Security Agency also recommends that developers seek alternatives to C and C++ for security-critical code because those languages rely too much on the developer not making mistakes.

While Fortanix has committed to using Rust extensively, other companies are more tactical about how they introduce the language into their codebases. Password and identity-management firm 1Password, which requires solid security to protect users' password stores, has adopted Rust as its development platform for its core data security components, using other languages for the front-end interface on different operating systems, the company stated in a blog post.

Microsoft is in a similar situation and will not be rewriting large swaths of its codebase in Rust, Weston said.

"I hate to tell you — I know Rust fans out there — rewriting Windows in Rust probably isn't going to happen anytime soon," he told attendees at the BlueHat Israel conference. "While we love Rust, we need a strategy that also includes securing more of our native code."

Learning Curve Not So Steep

The Rust Foundation has seen a great deal of adoption by embedded and connected device firms — especially in automotive, industrial, and aerospace applications — as well as in creating Web and cloud applications in another new platform, WebAssembly, says Rebecca Rambul, executive director and CEO of the Rust Foundation.

"These kinds of organizations have been among the ... first outside of the big tech organizations to really see the potential of Rust, not just because of the security, but because of the speed and the performance," she says. "You get that level of security because of the memory safety, but you don't lose anything from the performance perspective."

When Fortanix started, every programmer had to learn Rust. While the common wisdom is that the language is hard to learn, more than two-thirds of programmers learning Rust said they feel confident in contributing to a project within two months, according to a survey of internal programmers by Google.

While new programmers picked up Rust quickly, the compiler continues to be slower than many would like, the survey also found.

The language does require some adjustment, acknowledges Michael Erquitt, a senior security engineer at secure-coding training firm Security Journey. In addition, programmers have to develop their own sense of which functions and applications would benefit from the language.

"There are always inherent trade-offs when choosing programming languages and tools," Erquitt says. "Rust as a modern programming language can be used for a wide array of projects, but the choice ultimately comes down to what best satisfies your project's functional/customer requirements."