After bringing support for the systems programming language Rust to Android, Google is now looking to bring it to the Linux kernel to reduce security flaws.
As Google explained last month, Rust — a language that emerged from Mozilla — provides memory safety guarantees to the Android operating system, which has historically been written in C and C++. Google is targeting Rust at new Android code, rather than rewriting the millions of lines of existing code in Rust.
Now it’s time to move on to the Linux kernel that underlies Android. As ZDNet’s open source authority Steven J. Vaughan-Nichols reported last month, Linux kernel developers think it makes sense to write new parts of the kernel in Rust rather than rewriting the entire kernel, which contains over 30 million lines of code, largely written in C.
“We feel that Rust is now ready to join C as a practical language for implementing the kernel. It can help us reduce the number of potential bugs and security vulnerabilities in privileged code while playing nicely with the core kernel and preserving its performance characteristics,” explains Wedson Almeida Filho of Google’s Android Team.
Almeida Filho notes that the density of memory safety bugs in the Linux kernel is quite low. However, when they do occur, the Android security team generally considers them high-severity flaws.
To show where Rust can benefit Linux kernel developers, Google has developed an example driver called ‘semaphore’.
“How Rust can assist the developer is the aspect that we’d like to emphasize,” notes Almeida Filho. “For example, at compile time it allows us to eliminate or greatly reduce the chances of introducing classes of bugs, while at the same time remaining flexible and having minimal overhead.”
Linux kernel developer Miguel Ojeda this week posted a request for comments (RFC) to the Linux kernel mailing list outlining a proposal for a second language in the kernel, along with several patches for the Linux kernel written in Rust.
Ojeda also set up the Rust for Linux group, which Google’s Android Team has joined.
“We know there are huge costs and risks in introducing a new main language in the kernel. We risk dividing efforts and we increase the knowledge required to contribute to some parts of the kernel,” writes Ojeda.
“Most importantly, any new language introduced means any module written in that language will be way harder to replace later on if the support for the new language gets dropped. Nevertheless, we believe that, even today, the advantages of using Rust outweigh the cost.”
As noted by Phoronix, Linux kernel creator Linus Torvalds has already raised some concerns about Rust, although he also said that “on the whole I don’t hate it.” However, Torvalds added that “the ‘run-time failure panic’ is a fundamental issue”.
Almeida Filho explained that, since Rust is new to the kernel, there is an opportunity to improve processes and documentation.
“For example, we have specific machine-checked requirements around the usage of unsafe code: for every unsafe function, the developer must document the requirements that need to be satisfied by callers to ensure that its usage is safe; additionally, for every call to unsafe functions (or usage of unsafe constructs like dereferencing a raw pointer), the developer must document the justification for why it is safe to do so,” writes Filho.
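To make the two rules concrete, here is an added example of what they look like in ordinary Rust. It is not code from the kernel RFC or from Google’s semaphore driver; the `ByteStore` type, its methods and the `OutOfBounds` error are assumptions invented for illustration. Every `unsafe fn` carries a `# Safety` section stating what callers must guarantee, and every `unsafe` block carries a `// SAFETY:` comment justifying why that guarantee holds at that call site. The safe wrappers return an error rather than panicking, which is the point Torvalds raised: in kernel context a run-time panic is not an acceptable failure mode.

```rust
// Added example, not from the Rust-for-Linux tree. `ByteStore`, `OutOfBounds`
// and the method names are assumptions made for illustration.

/// Returned by the safe wrappers instead of panicking on a bad index.
#[derive(Debug, PartialEq, Eq)]
pub struct OutOfBounds {
    pub index: usize,
    pub len: usize,
}

/// A fixed-size byte store that exposes one unchecked accessor, the kind of
/// hot-path helper a driver might want, plus safe wrappers around it.
pub struct ByteStore {
    data: Box<[u8]>,
}

// Requires an `unsafe` block even inside an `unsafe fn`, so every raw
// operation gets its own justification rather than inheriting the function's.
#[deny(unsafe_op_in_unsafe_fn)]
impl ByteStore {
    pub fn new(len: usize) -> Self {
        Self { data: vec![0u8; len].into_boxed_slice() }
    }

    pub fn len(&self) -> usize {
        self.data.len()
    }

    /// Writes `value` at `index` without a bounds check.
    ///
    /// # Safety
    ///
    /// `index` must be less than `self.len()`. Violating this writes outside
    /// the allocation, which is undefined behaviour; the caller, not this
    /// function, is responsible for establishing the bound.
    pub unsafe fn write_unchecked(&mut self, index: usize, value: u8) {
        // SAFETY: the caller guarantees `index < self.len()` (see the
        // `# Safety` section above), so the offset pointer stays inside the
        // slice's allocation and is valid for a one-byte write.
        unsafe { *self.data.as_mut_ptr().add(index) = value };
    }

    /// Safe single write: checks the bound once and reports failure as a
    /// value instead of panicking.
    pub fn write(&mut self, index: usize, value: u8) -> Result<(), OutOfBounds> {
        if index >= self.len() {
            return Err(OutOfBounds { index, len: self.len() });
        }
        // SAFETY: the check above established `index < self.len()`, which is
        // the only requirement `write_unchecked` documents.
        unsafe { self.write_unchecked(index, value) };
        Ok(())
    }

    /// Copies `pattern` to the start of the store. The bound is checked once
    /// up front so the loop can use the unchecked path with a single,
    /// loop-invariant justification.
    pub fn fill(&mut self, pattern: &[u8]) -> Result<(), OutOfBounds> {
        if pattern.len() > self.len() {
            return Err(OutOfBounds { index: pattern.len(), len: self.len() });
        }
        for (i, &b) in pattern.iter().enumerate() {
            // SAFETY: `i < pattern.len()` by construction of `enumerate`, and
            // `pattern.len() <= self.len()` was checked above, so
            // `i < self.len()` as `write_unchecked` requires.
            unsafe { self.write_unchecked(i, b) };
        }
        Ok(())
    }

    /// Bounds-checked read; `None` rather than a panic on a bad index.
    pub fn get(&self, index: usize) -> Option<u8> {
        self.data.get(index).copied()
    }
}

fn main() {
    let mut store = ByteStore::new(4);
    store.write(3, 0xAB).expect("index 3 is in bounds");
    println!("write(4) -> {:?}", store.write(4, 1));
    println!("fill -> {:?}, byte 0 = {:?}", store.fill(&[1, 2, 3]), store.get(0));
}
```

In user-space Rust, two Clippy lints approximate the kernel's machine-checked rule: `missing_safety_doc` (on by default) warns when a public `unsafe fn` lacks a `# Safety` section, and `undocumented_unsafe_blocks` (opt-in) warns when an `unsafe` block has no `// SAFETY:` comment. Whether the kernel uses those exact lints is not stated in the RFC; they are mentioned here only as the nearest stock tooling.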
Rust, which only reached 1.0 in 2015, appears to be gaining traction with developers. AWS, Huawei, Google, Microsoft, and Mozilla are backing the Rust Foundation, which launched in February. It’s believed Shane Miller, AWS senior engineering manager, has been elected the first chairperson of the foundation.