Rust is included among the main languages for developing the Android platform

Google has announced that the Rust programming language is now among the languages allowed for developing the Android platform. The Rust compiler was added to the Android source tree back in 2019, but support for the language remained experimental. Among the first Rust-based components to ship in Android are new implementations of the Binder interprocess communication mechanism and the Bluetooth stack.

The introduction of Rust is part of a project to improve security, promote safe programming practices, and make memory-related problems in Android easier to identify. The announcement notes that about 70% of all dangerous vulnerabilities identified in Android are caused by memory-handling errors. Rust, which focuses on safe memory management and provides automatic memory management, reduces the risk of vulnerabilities caused by memory errors, such as use-after-free and buffer overflows.

Rust enforces memory safety at compile time through reference (borrow) checking and tracking of object ownership and lifetimes (scope), and at run time through bounds checking of memory accesses. Rust also protects against integer overflows, requires variables to be initialized before use, offers better error handling in the standard library, makes references and variables immutable by default, and provides strong static typing that minimizes logic errors.

Android already supports the memory-safe languages Kotlin and Java, but they are unsuitable for system components because of their high overhead. Rust achieves performance close to C and C++, which makes it usable for low-level parts of the platform and for components that interact with hardware.

To secure C and C++ code, Android relies on sandbox isolation, static analysis, and fuzz testing. Sandboxing has reached the limit of what it can offer: further splitting into processes is not justified by its resource cost. Its drawbacks include the overhead and memory consumption of spawning additional processes and the extra latency introduced by IPC.

At the same time, sandboxing does not eliminate vulnerabilities in the code; it only reduces risk and complicates an attack, since exploitation then requires chaining several vulnerabilities rather than one. Testing-based methods are limited in that an error is found only if the conditions that trigger it are reproduced; not every possible condition can be covered, so many errors go unnoticed.

For system processes in Android, Google follows the “rule of two”: any newly added code may satisfy at most two of three conditions: it handles unvalidated input, it is written in a memory-unsafe language (C/C++), and it runs without strong sandbox isolation (i.e., with elevated privileges). It follows that code handling external data must either be isolated with minimal privileges or be written in a memory-safe language.
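
As an added example (not code from the article, from Android, or from Google), the following Rust parser for a constructed length-prefixed record shows the compile-time and run-time checks described above applied to exactly the kind of unvalidated external input the “rule of two” targets; the wire format, the `Record`/`ParseError` names and the sample bytes are assumptions made for illustration.

```rust
// Added example: parsing a constructed length-prefixed record from untrusted
// bytes. Each access that would be undefined behaviour in C (out-of-bounds
// read, silent integer wrap, use of an uninitialised value) is either rejected
// by the compiler or turned into a recoverable error at run time.

#[derive(Debug, PartialEq)]
pub struct Record {
    pub kind: u8,
    pub payload: Vec<u8>,
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated,
    LengthOverflow,
}

/// Assumed wire format: kind (1 byte), length (2 bytes, little-endian),
/// payload (`length` bytes). Returns the record and the bytes consumed.
pub fn parse_record(buf: &[u8]) -> Result<(Record, usize), ParseError> {
    // `get` returns None instead of reading past the end of the buffer.
    let kind = *buf.get(0).ok_or(ParseError::Truncated)?;
    let len_bytes = buf.get(1..3).ok_or(ParseError::Truncated)?;
    let len = u16::from_le_bytes([len_bytes[0], len_bytes[1]]) as usize;
    // checked_add makes overflow explicit. A u16 length cannot overflow usize
    // here, but the same pattern protects wider length fields.
    let end = 3usize.checked_add(len).ok_or(ParseError::LengthOverflow)?;
    let payload = buf.get(3..end).ok_or(ParseError::Truncated)?;
    // `payload` borrows `buf`; copying it into an owned Vec lets the record
    // outlive the input buffer without violating the borrow rules.
    Ok((Record { kind, payload: payload.to_vec() }, end))
}

/// Parse consecutive records, stopping at the first malformed one.
pub fn parse_all(mut buf: &[u8]) -> Result<Vec<Record>, ParseError> {
    let mut out = Vec::new();
    while !buf.is_empty() {
        let (rec, used) = parse_record(buf)?;
        out.push(rec);
        buf = &buf[used..]; // parse_record guarantees used <= buf.len()
    }
    Ok(out)
}

fn main() {
    // Constructed input: one well-formed record, then one whose declared
    // length (0xFFFF) exceeds the remaining bytes.
    let input = [0x01, 0x02, 0x00, 0xAA, 0xBB, 0x02, 0xFF, 0xFF, 0xCC];
    println!("{:?}", parse_record(&input));
    println!("{:?}", parse_all(&input));
}
```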

Google does not aim to rewrite existing C/C++ code in Rust; it plans to use the language for new code. This makes sense because, statistically, most bugs appear in new or recently changed code: about 50% of the memory bugs detected in Android are in code written less than a year ago.

Source: opennet.ru