Rust for firmware: Security through memory-safe programming languages
The Android team explains the gradual introduction of Rust in firmware to reduce security vulnerabilities and increase memory security.
(Image: Callum Bainbridge / Shutterstock.com)
Android has been using memory-safe programming languages such as Rust for some time now to increase the security of the operating system. Now this approach is being extended to the firmware, especially in security-critical areas. Google's Security Blog contains an article from the Android team in which the two authors Ivan Lozano and Dominik Maier explain the advantages and the process of introducing Rust into existing firmware code bases.
Memory security for firmware
Firmware acts as an interface between hardware and higher-level software and, according to the blog post, is often written in less secure programming languages such as C or C++. These languages are apparently susceptible to security vulnerabilities that attackers can exploit. For the authors of the article, Rust offers a memory-safe alternative with comparable performance and should enable interoperability with C without additional overhead.
Gradual introduction of Rust
The introduction of Rust into existing firmware code bases is to take place gradually. First, new and particularly high-risk code sections are to be replaced. This primarily includes code that processes external, untrusted input. The use of Rust for new developments and the gradual replacement of existing components should reduce the number of security vulnerabilities in the long term.
Technical challenges
However, the introduction of Rust in firmware requires some technical adjustments. These include, for example, the use of no_std to use Rust without the standard library, the creation of Foreign Function Interface (FFI) bindings for interaction with existing C code and the adaptation to bare-metal environments in which no operating system is present.
When selecting suitable Rust libraries, these should be well documented, tested and no_std-compatible, according to the blog post. In cases where libraries are not no_std-compatible, they can be ported. However, this procedure requires adjustments to the code in order to remove the dependency on the standard library.
(Image: Magergram/Shutterstock)
On November 5, the betterCode() Rust will take place for the fourth time. This year, the focus will be on embedded development, and one presentation will be dedicated to the use of Rust in safety-critical systems.
The program of the online conference hosted by iX and dpunkt.verlag will be published at the end of June. Until then, tickets are available at the special blind-bird price of 199 euros (plus 19% VAT).
Creating a Rust shim
A shim in Rust is used to integrate existing C/C++ APIs. This apparently enables the use of safe Rust functions in the firmware.
A Rust shim is a thin layer or adapter that is used to integrate Rust code into existing systems written in a different programming language (usually C or C++). The shim takes on the task of mapping the interfaces (APIs) of the existing libraries or functions, thus enabling seamless interoperability between Rust and the other programming language.
Optimization of the memory requirements
To optimize performance and memory usage, the Android team recommends using Link-Time Optimization (LTO) and other compiler settings. These optimizations can reduce the output size of the library and improve performance.
More information on the gradual introduction of Rust into existing firmware codebases can be found in the article on the Google Security Blog.
(mdo)
