MMS • Sergio De Simone
Microsoft has recently been experimenting with Rust to improve the safety of its software. In a talk at RustFest Barcelona, Microsoft engineers Ryan Levick and Sebastian Fernandez explained the challenges they faced in using Rust at Microsoft. Part of Microsoft's journey with Rust included rewriting a low-level Windows component, as Adam Burch explained.
According to Fernandez and Levick, the software industry is sitting on insecure technological foundations that are costing a lot of money. A very conservative estimate for Microsoft is that each issue discovered in the field costs $150,000. The cost may be even greater for organizations that happen to be the victims of a security vulnerability exploit. This was exactly the case with the British national health care system, which was the target of a ransomware attack that cost it an estimated $4 billion.
Much of this, they say, is related to the use of C and C++.
C and C++ are extremely great at writing low level systems. They use very little resources on the machine. They are, in fact, really the basis on which we create our systems today but the issue with that, of course, is that they are very, very unsafe and, when they were developed, did not really have safety in mind.
This explains why Microsoft is experimenting with Rust, hoping it can help make software bugs, and specifically those leading to security vulnerabilities, impossible.
Rust allows us to write performant security critical components safely.
This is actually a claim waiting to be proved, say the two engineers, but they hope it will turn out to be true.
A major hindrance towards this goal is that it is not possible to rewrite everything from scratch in Rust. Instead, Rust must coexist with other technologies, which is not always easy. For example, speaking of Windows, a first hurdle is LLVM, the backend of the Rust compiler, which provides only subpar Windows support. Similarly, Cargo, Rust's build tool, cannot manage the whole build system at Microsoft and must be integrated with the existing build system.
The same reasoning applies to the rest of the Rust toolchain, as well as to the shared code that Windows packages in DLLs, which is mostly written in C and C++ and exposed through COM, WinRT, and Win32.
In addition to this, there are other challenges that an organization like Microsoft has to overcome, including the human factor. Rust has to be adopted by people who may have been writing C and C++ for many years and who must be convinced that switching over is worthwhile.
The good news about this is that before, when we’ve introduced Rust to seasoned C++ programmers, they generally are able to get it rather quickly because it kind of just formalises things that they already have in their head. When people are coming from other backgrounds, it might be a little bit more difficult, but while the learning curve is quite steep, generally people get through it and once they are through that learning curve, they are quite productive.
Adam Burch, a software engineer at Microsoft on the Hyper-V team, shed some light on the kind of projects Microsoft is using Rust for. Burch recounted his experience rewriting a low-level system component of Windows and described it as a breath of fresh air thanks to the Rust compiler's guarantees:
The memory and data safety guarantees made by the compiler give the developer much greater confidence that compiling code will be correct beyond memory safety vulnerabilities.
Burch shares Fernandez and Levick's optimism about C/C++ developers quickly picking up the language, and includes a couple of interesting practical suggestions for interfacing Rust with C and C++ code while keeping the language use safe, including generating Rust data structures to represent C data and building safe abstractions around COM APIs.
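The interfacing practice Burch describes, Rust representations of C data plus a safe layer around foreign calls, as an added example that is not Microsoft's code and not taken from Burch's post. The C side is hypothetical and simulated in Rust so the file compiles stand-alone: `Packet` mirrors an imagined C struct, `packet_checksum` stands in for a DLL export (in a real project it would be declared in an `extern "C"` block, typically generated by bindgen, and linked from the library), and `SafePacket` keeps the only `unsafe` call inside a type that guarantees the pointer and length it hands to C are valid for the duration of the call.

```rust
// Added example, not Microsoft's code. The "C library" below is simulated in
// Rust so that the file runs stand-alone; in practice it would be an external
// export declared as:
//   extern "C" { fn packet_checksum(p: *const Packet, out: *mut c_int) -> c_int; }
use std::os::raw::{c_int, c_uchar};
use std::slice;

/// Mirrors the hypothetical C struct
///   struct Packet { const unsigned char *data; unsigned int len; };
/// #[repr(C)] fixes the field order and layout to what C expects.
#[repr(C)]
#[derive(Debug, Clone, Copy)]
pub struct Packet {
    pub data: *const c_uchar,
    pub len: u32,
}

/// Simulated C export (hypothetical). Returns 0 on success, -1 on a null
/// pointer, and writes the 16-bit byte-sum checksum through `out`.
/// It is `unsafe` because, like any C API, it trusts that `p` and `out`
/// are valid and that `data` really points at `len` readable bytes.
pub unsafe extern "C" fn packet_checksum(p: *const Packet, out: *mut c_int) -> c_int {
    if p.is_null() || out.is_null() {
        return -1;
    }
    // SAFETY: the caller guarantees p is valid (the C contract).
    let pkt = unsafe { &*p };
    if pkt.data.is_null() {
        return -1;
    }
    // SAFETY: the caller guarantees data points at len readable bytes.
    let bytes = unsafe { slice::from_raw_parts(pkt.data, pkt.len as usize) };
    let sum = bytes.iter().fold(0u32, |acc, &b| acc.wrapping_add(b as u32));
    // SAFETY: out was checked for null above and is valid per the contract.
    unsafe { *out = (sum & 0xFFFF) as c_int };
    0
}

/// Errors the safe layer can report; the raw C status code is preserved.
#[derive(Debug, PartialEq)]
pub enum FfiError {
    TooLarge(usize),
    CallFailed(c_int),
}

/// Safe wrapper: owns the bytes and only builds the C-facing `Packet` at call
/// time, so the pointer it hands to C can never dangle or outlive the data.
pub struct SafePacket {
    bytes: Vec<u8>,
}

impl SafePacket {
    /// The C field is a u32, so refuse anything whose length would truncate
    /// rather than silently letting C read a shorter buffer than we own.
    pub fn new(bytes: impl Into<Vec<u8>>) -> Result<Self, FfiError> {
        let bytes = bytes.into();
        if bytes.len() > u32::MAX as usize {
            return Err(FfiError::TooLarge(bytes.len()));
        }
        Ok(Self { bytes })
    }

    /// The single FFI crossing, with every invariant the C side relies on
    /// established by this struct rather than by the caller.
    pub fn checksum(&self) -> Result<u16, FfiError> {
        let pkt = Packet {
            data: self.bytes.as_ptr(),
            len: self.bytes.len() as u32,
        };
        let mut out: c_int = 0;
        // SAFETY: pkt.data points into self.bytes, which outlives this call and
        // has exactly pkt.len bytes; out is a live local. The C contract holds.
        let rc = unsafe { packet_checksum(&pkt, &mut out) };
        if rc != 0 {
            return Err(FfiError::CallFailed(rc));
        }
        Ok(out as u16)
    }
}

fn main() {
    // Constructed sample input.
    let pkt = SafePacket::new(vec![0x01u8, 0x02, 0x03]).expect("fits in u32");
    println!("checksum = {:?}", pkt.checksum());
}
```

The point of the split is that `SafePacket` is the only code that can produce a `Packet`, so the null-pointer and length mistakes the C function has to check for at runtime cannot be expressed by callers of the safe API at all; the compiler's ownership rules carry the rest of the contract.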