Google will use Rust to prevent memory bugs in the Android OS, one of the most frequent causes of security vulnerabilities. As a first step in this direction, the Android Open Source Project now supports Rust as an OS development language.
According to Jeff Vander Stoep and Stephen Hines, engineers in the Android Team,
Memory safety bugs in C and C++ continue to be the most-difficult-to-address source of incorrectness. We invest a great deal of effort and resources into detecting, fixing, and mitigating this class of bugs, and these efforts are effective in preventing a large number of bugs from making it into Android releases.
The problem is that C/C++ may be hard to get right, especially in complex or multi-threaded code, and this leads to memory bugs that, in spite of all prevention efforts, account for about 70% of Android's high-severity security vulnerabilities.
While large parts of the Android ecosystem, including apps and most high-level frameworks, are written in Java or Kotlin, which provide a more secure memory-management environment, lower-level components of the OS are written in C/C++. These include the boot loader, the hypervisor, drivers, and many more.
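As an added illustration, not code from the article or from the Android Open Source Project, the following Rust snippet parses an untrusted length-prefixed record, the kind of low-level code where C/C++ out-of-bounds reads typically originate. The record format (one length byte followed by that many payload bytes) and the sample bytes are constructed for this example. The point it shows is that the classic mistake, a declared length that exceeds the buffer, becomes a `None` result (when using `get`) or a bounds-check panic (when indexing directly) instead of a silent read past the end of the buffer.

```rust
// Added example (not from the article or from AOSP): parsing an untrusted
// length-prefixed record. The message format is a constructed toy: one length
// byte followed by that many payload bytes, repeated until the input ends.

/// A parsed record that borrows its payload from the input buffer.
#[derive(Debug, PartialEq)]
pub struct Record<'a> {
    pub payload: &'a [u8],
}

/// Parse one record from the front of `input`, returning it and the unparsed
/// remainder. Every access goes through `get`, which yields `None` instead of
/// reading past the end of the slice, so a declared length larger than the
/// remaining input is a parse error rather than a memory disclosure.
pub fn parse_record(input: &[u8]) -> Option<(Record<'_>, &[u8])> {
    let len = *input.first()? as usize;
    let payload = input.get(1..1 + len)?;
    // In bounds: `get` above only succeeds when input.len() >= 1 + len.
    let rest = &input[1 + len..];
    Some((Record { payload }, rest))
}

/// Parse a whole buffer of consecutive records; returns `None` on the first
/// malformed record (truncated payload) rather than partial, possibly
/// attacker-shaped output.
pub fn parse_all(mut input: &[u8]) -> Option<Vec<Record<'_>>> {
    let mut out = Vec::new();
    while !input.is_empty() {
        let (rec, rest) = parse_record(input)?;
        out.push(rec);
        input = rest;
    }
    Some(out)
}

/// Even with direct indexing, Rust's bounds check turns an out-of-bounds read
/// into a panic rather than an over-read. Returns true when the index was in
/// bounds (the read succeeded) and false when the bounds check fired.
pub fn indexed_read_is_checked(buf: &[u8], idx: usize) -> bool {
    std::panic::catch_unwind(move || buf[idx]).is_ok()
}

fn main() {
    // Constructed sample: two well-formed records ...
    let good = [2, 0xAA, 0xBB, 1, 0xCC];
    println!("well-formed input: {:?}", parse_all(&good));
    // ... and one whose declared length (9) exceeds the 2 bytes that follow.
    let bad = [9, 0x01, 0x02];
    println!("truncated input:   {:?}", parse_all(&bad));
    println!("index 4 in bounds: {}", indexed_read_is_checked(&good, 4));
    println!("index 5 in bounds: {}", indexed_read_is_checked(&good, 5));
}
```

The equivalent C parser would have to carry the remaining length alongside the pointer and compare it before every access; forgetting one such comparison is exactly the class of defect the article describes, and nothing in the C toolchain forces the check to exist.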
The traditional approach to making C/C++ code less incorrect, and thus more secure, is bug detection. This is crucial in all languages, the Google engineers say, but also inefficient and expensive, mostly because bugs are hard to detect and costly to fix.
An effective approach to making C/C++ code less insecure is sandboxing, which, the two Android engineers note, comes with its own costs: increased overhead and latency, and higher memory consumption. Additionally, sandboxing does not rule out the possibility of chaining together vulnerabilities present in different components.
Thanks to Rust's language features, Google expects to reduce the density of bugs, which in turn should make it possible to replace sandboxing with a lighter mechanism.
When it comes to deciding which parts of the Android OS to rewrite in Rust, a key observation is that older components are usually safer:
Most of our memory bugs occur in new or recently modified code, with about 50% being less than a year old. […] The comparative rarity of older memory bugs may come as a surprise to some, but we’ve found that old code is not where we most urgently need improvement.
Google engineers have been working to add Rust to the Android platform for the past 18 months and expect that the whole process will take years. One of the first projects to be rewritten in Rust was the Android Bluetooth stack. Another Android component written in Rust is Keystore 2.0.
Google's announcement is not the first of its kind: other companies have stated their interest in exploring whether Rust could reduce software bugs and improve security. At the end of 2019, Microsoft engineers Ryan Levick and Sebastian Fernandez presented their work at Microsoft to rewrite lower-level Windows components in Rust.