In the news, Google claimed last year that it was migrating Android native code from C++ to Rust, and now Google has published a blog post showing new developments in the current use of the Rust language.
Google is reportedly using the Rust language to rewrite security-critical components of Android that execute outside of the Linux kernel, thus further reducing security vulnerabilities.
▲ Source Google Security Blog
Google claimed that last year’s survey showed Android’s security vulnerabilities, from 223 in 2019 to 85 in 2022, after analyzing the situation, Google believes that the reduction of memory vulnerabilities is mainly related to the increase in the proportion of Rust code.
The Rust language takes memory security into account, and at compile time, Rust can capture most memory security issues and avoid related vulnerabilities in the production environment.
In Android 13, about 21% of the new native code has been developed in Rust. Officially, most of these components run in user-level system services (i.e., Linux), but there are still a lot of components written in C++, and many of these safety-critical components run in bare-metal environments outside of the Linux kernel. Google is gradually increasing the use of Rust in the bare-metal environment in order to strengthen the security of Android devices.
Google claims that developers have rewritten the Android Virtualization Framework’s protected virtual machine (pVM) firmware in Rust to provide a secure foundation for the pVM root of trust.
▲ Source Google Security Blog
The PVM is said to work like a bootloader and is built on top of the open-source project U-Boot, but U-Boot is flawed in its design, and a number of researchers have found security vulnerabilities such as Integer Underflow and memory corruption in U-Boot, especially in the VirtIO driver, in the form of “boundary checking”. “boundary checking”, which has many problems.
Google says that they have already fixed the problems found in U-Boot, and by switching to Rust, they can also avoid similar memory security vulnerabilities in the future.
▲ Source Google Security Blog
Google is also contributing a number of new projects to support the Rust language in bare metal environments, such as fixing a number of bugs in existing virtio drivers and adding new features to the VirtIO driver for pVM firmware.
Google also plans to release more Rust packages and support bare-metal program development on all platforms. Google mentioned that while there are many limitations to applying Rust to bare-metal applications, Rust offers greater security and productivity than the C or C++ languages, and Google will continue to expand its use of Rust in the future.
THIS IS A SPONSOR PROMOTION: >>>>>>>>>>>>>
Geekwills is an online shop that connects consumers with millions of products and brands around the world with the mission to empower them to live their best lives. Geekwills is committed to offering the most affordable quality products to enable consumers and sellers to fulfill their dreams in an inclusive environment.