Last week, MSRC (Microsoft Security Response Center) revealed plans to embrace Rust. They then expanded the topic into a series, further explaining the need for a secure system programming language and the reasons for choosing Rust.
In the latest article in the series, Ryan Levick, MSRC's chief cloud development advocate, explains why they think the Rust programming language is currently the best choice in the industry, not least because it can be used to write system-level programs in a memory-safe manner.
“First, there are already many excellent memory security languages that are widely used inside and outside Microsoft, including .NET languages (like C# or F#) and other languages (such as Swift, Go, and Python). We encourage people who currently use C or C++ to take into account any of these languages. But now I’m talking about the need for secure system programming languages that require the speed and predictable performance that C, C++, and Rust can provide. Languages that implement memory security through garbage collection are not ideal for system programming because their uptime can lead to unpredictable performance and unnecessary costs.”
Performance and control
Levick pointed out that, to understand more clearly why Rust is a good choice, it is best to think about the things from C and C++ that cannot be given up: performance and control. Like C and C++, Rust has a minimal, optional "runtime". Rust's standard library relies on libc, but the standard library is also optional, so it is possible to run on a platform without an operating system.
Also like C and C++, Rust gives programmers fine-grained control over when memory is allocated, so they have a clear idea of exactly how the program will execute each time it runs. What does this mean for performance in terms of raw speed, control, and predictability? It means that “Rust, C, and C++ can be thought of in similar terms”.
Where Rust differs from C and C++ is in its strong safety guarantees. To some extent, Rust is completely memory safe. As mentioned in the previous article, about 70% of Microsoft's security issues are memory safety issues. If this software were written in Rust, then 70% of the security issues probably would not exist.
In system programming, programmers must sometimes perform operations that cannot be statically verified as safe. Rust gives programmers the tools to wrap these operations in a safe abstraction, which means that things that used to be relegated to code comments or conventions can be statically enforced by the Rust compiler.
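The safe-abstraction point above, as an added Rust example that is not from the MSRC article: `FixedBuf` is a hypothetical type constructed here. Its length invariant, which in C would live in a comment, is kept by private fields and a checked `extend`, so safe callers cannot reach the two `unsafe` blocks with bad bounds.

```rust
use std::mem::MaybeUninit;

/// Fixed-capacity byte buffer (hypothetical type, constructed for this example).
/// Invariant: `len <= N` and the first `len` slots of `data` are initialized.
/// In C this would be a comment; here the private fields mean code outside
/// this module cannot break it.
pub struct FixedBuf<const N: usize> {
    data: [MaybeUninit<u8>; N],
    len: usize,
}

impl<const N: usize> FixedBuf<N> {
    pub fn new() -> Self {
        FixedBuf { data: [MaybeUninit::uninit(); N], len: 0 }
    }

    /// Appends bytes; refuses input that would overflow instead of writing past the end.
    /// On refusal, returns the remaining free capacity and writes nothing.
    pub fn extend(&mut self, src: &[u8]) -> Result<(), usize> {
        let free = N - self.len;
        if src.len() > free {
            return Err(free);
        }
        // SAFETY: the check above guarantees `len + src.len() <= N`, and `src`
        // cannot overlap `self.data` because we hold `&mut self`.
        unsafe {
            let dst = self.data.as_mut_ptr().add(self.len) as *mut u8;
            std::ptr::copy_nonoverlapping(src.as_ptr(), dst, src.len());
        }
        self.len += src.len();
        Ok(())
    }

    /// Safe view of the initialized prefix only; uninitialized slots are never exposed.
    pub fn as_slice(&self) -> &[u8] {
        // SAFETY: the invariant says the first `len` bytes are initialized.
        unsafe { std::slice::from_raw_parts(self.data.as_ptr() as *const u8, self.len) }
    }
}

fn main() {
    let mut buf = FixedBuf::<8>::new();
    buf.extend(b"hello").unwrap();
    assert_eq!(buf.extend(b"world"), Err(3)); // 5 + 5 > 8: refused
    println!("{:?}", buf.as_slice());
}
```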
More than just performance and safety
MSRC's initial interest in Rust was due to the performance and security features described above. But its appeal doesn't stop there. Other Microsoft teams have already started using Rust for the following reasons:
Levick said there is enough reason to believe that Rust will have a bright future, “although it is too early to adopt Rust on a large scale, the early adoption of Rust is usually very positive”. They believe that Rust will change the rules of the game when writing secure system software. Rust provides the performance and control needed to write the underlying system while enabling software developers to write more robust and secure programs.
However, MSRC discovered some issues when researching Rust, including how to standardize the use of Rust's unsafe superset, the lack of first-class interoperability with C++, and interoperability with existing Microsoft tools.
These issues are a real challenge to Microsoft's adoption of Rust, but MSRC is still looking forward to it: “We are excited about these possibilities. While there are still many questions about how Rust fits into the entire Microsoft project, we encourage others to join and seriously consider the language to meet their system programming needs.”