Google announces open source version of Android will have Rust support for parts of the OS
In an effort to reduce memory safety bugs, Google has announced that the open source version of Android will have support for parts of the operating system being built in Rust.
While applications on Android can be written in managed languages such as Java and Kotlin, these languages do not have the "control and predictability" of lower-level languages such as C and C++ that are used to build the Android operating system itself.
"They use fewer resources and have higher performance capabilities. For C and C++, the developer is responsible for managing memory lifetime. Unfortunately, it is easy to make mistakes when doing so, especially in complex and multithreaded codebases," the Android team wrote in a blog post.
"Rust provides memory safety guarantees by using a combination of compile-time checks to enforce object lifetime/ownership and runtime checks to ensure that memory accesses are valid. This safety is achieved while providing performance equivalent to C and C++."
As it currently stands in Android, if a process written in C/C++ is processing untrusted input, it runs in a sandbox, which Google said is expensive and which attackers can still break out of by chaining vulnerabilities together.
Additionally, Google found that half of its memory bugs were in code less than one year old, so it made sense to target Rust at new code rather than rewrite the OS in Rust.
"Even if we redirected the efforts of every software engineer on the Android team, it is not possible to rewrite tens of millions of lines of code," the team said.
"The comparative rarity of older memory bugs may be surprising to some, but we've found that older code is not where we need the most improvement. Software bugs are found and fixed over time, so we would expect the number of bugs in code that is being maintained but not actively developed to go down over time."
One such system to get the Rust treatment is Gabeldorsche, which is billed as the successor to Android's Bluetooth stack.
The Android team also touched on the issue of trying to detect memory bugs and fix them.
"For complex C/C++ code bases, often only a handful of people are able to develop and review a fix, and even with a high amount of effort spent fixing bugs, sometimes the fixes are wrong," the team wrote.
"Bug detection is most effective when bugs are relatively rare and dangerous bugs can be given the urgency and priority they deserve. Our ability to reap the benefits of improving bug detection requires that we make it a priority to prevent the introduction of new bugs."
One of the benefits of using Rust is the additional constraints and checks built into the language, such as forced initialization of variables, which can prevent the root cause of up to 5% of security vulnerabilities in Android, Google said.
"Adding a new language to the Android platform is a big undertaking. There are toolchains and dependencies that need to be maintained, test infrastructure and tooling must be updated, and developers need to be trained," the team said.
"For the past 18 months we have been adding Rust support to the Android Open Source Project, and we have some initial projects that we will share in the coming months."
Earlier this year, Rust moved out of Mozilla and into its own foundation. Mozilla has used Rust to build its Servo browser engine and has replaced 160,000 lines of C++ with 85,000 lines of Rust.
Mozilla recently ran ThreadSanitizer across Firefox to flush out any data races left in the C/C++ in the browser's codebase.
With a mixed codebase, Mozilla was concerned that races would be masked while passing through Rust code, but the run still picked up a pair of pure Rust races.
"Overall Rust seems to be meeting one of its core design goals: allowing us to write more concurrent code safely," it said.
"WebRender and Stylo are both very large and pervasively multi-threaded, but have had minimal threading issues. The issues we found were mistakes in the implementations of low-level and explicitly unsafe multithreading abstractions, and those mistakes were simple to fix.
"This is in contrast to many of our C++ races, which often involved things being randomly accessed on different threads with unclear semantics, requiring non-trivial refactoring of the code."
Unsurprisingly, Mozilla recommended writing any new project in Rust instead of C or C++.
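As an added illustration (not code from the Android or Mozilla posts), the following shows the two mechanisms the article describes: runtime checks that every memory access is valid, and compiler-enforced ownership that rules out the C++-style "accessed on different threads with unclear semantics" races. The length-prefixed packet format and the sample packets are constructed for this example.

```rust
// Added example: Rust's runtime memory-access checks and compile-time
// ownership rules, demonstrated on a constructed length-prefixed packet
// format (first byte = declared payload length, then the payload bytes).
use std::sync::{Arc, Mutex};
use std::thread;

/// Returns the payload, or None if the declared length exceeds the data.
/// In C/C++, trusting the length field here is the classic over-read;
/// here `get` is bounds-checked, so no out-of-range memory is ever read.
pub fn payload(packet: &[u8]) -> Option<&[u8]> {
    let len = *packet.first()? as usize;
    let end = 1usize.checked_add(len)?; // arithmetic is checked, not wrapped
    packet.get(1..end)
}

/// Direct indexing is also checked at runtime: an out-of-range index
/// panics instead of returning bytes from beyond the buffer. Returns
/// true if the access panicked (caught here only for demonstration).
pub fn direct_index_panics(packet: &[u8], idx: usize) -> bool {
    std::panic::catch_unwind(|| packet[idx]).is_err()
}

/// Counts well-formed packets, parsing each on its own thread. The
/// compiler accepts this only because the counter is wrapped in
/// Arc<Mutex<_>> (Send + Sync); sharing a plain `&mut u64` between
/// threads would be a compile error rather than a sanitizer finding.
pub fn count_valid_packets(packets: Vec<Vec<u8>>) -> u64 {
    let valid = Arc::new(Mutex::new(0u64));
    let handles: Vec<_> = packets
        .into_iter()
        .map(|p| {
            let valid = Arc::clone(&valid);
            thread::spawn(move || {
                if payload(&p).is_some() {
                    *valid.lock().unwrap() += 1;
                }
            })
        })
        .collect();
    for h in handles {
        h.join().unwrap();
    }
    let n = *valid.lock().unwrap();
    n
}

fn main() {
    let good = vec![3, 0xAA, 0xBB, 0xCC]; // declares 3 bytes, carries 3
    let short = vec![5, 0xAA]; // declares 5 bytes, carries 1
    println!("{:?} {:?}", payload(&good), payload(&short));
    println!("valid packets: {}", count_valid_packets(vec![good, short, vec![0]]));
}
```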