A milestone in the software industry's move toward safer programming languages was reached last week with Google's announcement that it is extending the use of Rust into bare-metal Android environments.
Google has been moving native Android code from C++ to Rust, which the company says has resulted in fewer security vulnerabilities. Most of that code runs in Linux. This move is about extending Rust beyond the Linux kernel.
Andrew Walbran, a member of the Android Rust team, wrote in the Google Security Blog that many security-critical components of Android run in bare-metal environments — outside of Linux — and they are typically written in C. "As part of our efforts to harden firmware on Android devices, we are increasingly using Rust in these bare-metal environments, too."
To achieve this shift, Google has rewritten the Android Virtualization Framework’s protected virtual machine (pVM) firmware in Rust to provide a memory-safe foundation for the pVM root of trust. That firmware performs a function similar to a bootloader and was initially built on top of U-Boot, a widely used open-source bootloader, which Walbran said "was not designed with security in a hostile environment in mind."
"We fixed the specific issues we found in U-Boot, but by leveraging Rust we can avoid these sorts of memory-safety vulnerabilities in the future."
—Andrew Walbran
Google's use of Rust in bare-metal applications will make Android a safer platform and have a broader positive impact on the Rust community, industry experts noted. Here are three key takeaways from the move.
1. Fewer memory safety issues
The move to extend Rust's use has the potential to make Android applications that utilize the Android Virtualization Framework (AVF) more secure by hardening the root of trust for the protected VMs, said Michael Mehlberg, CEO of Dark Sky Technology.
Mehlberg compared the AVF to Intel's Secure Enclave, which lets the Android application ship a section of code that will run in a separate virtual machine, be "completely isolated from the host Android platform, and only interacting with the base Android system through a very narrow interface."
"Using Rust in the pVM firmware will reduce memory safety issues in that interface between the protected virtual machine and, ultimately, the Android application that kicked off the computation in the pVM."
—Michael Mehlberg
He noted that the reduction in memory safety issues in the pVM firmware comes from Rust enforcing bounds-checking, as well as providing a strict ownership of memory by default. It also requires programmers to opt in to unsafe behaviors through specific code constructs that can be targeted for more stringent inspection during review.
Shane Miller, a senior fellow at the Atlantic Council and a distinguished advisor to the Rust Foundation, said that transitioning to Rust makes Android applications more secure.
"Memory safety has a huge impact on security, so replacing unsafe code like C with memory-safe Rust substantially improves the security of Android applications. In every industry study, more than 50% of security vulnerabilities are attributable to a lack of memory safety in the code."
—Shane Miller
2. A smaller attack surface
Irena Bojanova, a computer scientist with the National Institute of Standards and Technology (NIST), said that by rewriting Android's pVM in Rust, Google is reducing the potential attack surface of the pVM's root of trust.
"A more secure pVM implies a stronger foundational security, which indirectly can make Android applications running on top of it safer."
—Irena Bojanova
However, Robert Schiela, technical manager of cybersecurity foundations at the Software Engineering Institute at Carnegie Mellon University, said the shift was limited by its reach. He noted that while Google's move has the potential to secure Android systems — and the applications running on them — it won’t necessarily do much to make the applications’ software packages individually more secure. But he also sees benefits in the development.
"It could prevent exploits that might enable an attacker to control the underlying system and possibly cross application or device boundaries they shouldn’t be able to. At least, it should reduce the chances of that happening even if it doesn’t prevent it."
—Robert Schiela
Joel Marcey, director of technology at the Rust Foundation, said the use of Rust in a bare-metal environment has a deep impact on securing Android itself.
"These bare-metal components, now written in Rust, are outside of a normal operating system, such as Linux, where actual user applications will run. Therefore, this change has the potential to further secure the Android environment itself, which is the first step in ensuring that everything running on top of Android can be secure as well."
—Joel Marcey
3. Benefits for the Rust ecosystem
Dark Sky's Mehlberg said Google's move will have a bigger net benefit, by boosting Rust's usage more broadly. As more companies use Rust in bare-metal contexts, the ecosystem of Rust libraries that target bare metal will grow, and the existing bare metal–capable libraries will be enhanced through bug-fixes and features, he said.
“Additionally, this will help drive the development of future Rust language features and patterns for working in bare-metal contexts."
—Michael Mehlberg
NIST's Bojanova said Google’s move is significant for the Rust programming language because “it demonstrates Rust's growing popularity and trust in the industry for security-critical applications.”
“Google's adoption of Rust for a critical component in Android virtualization will likely inspire other organizations to consider Rust for their projects, particularly when security is a top concern. This could lead to increased investment in Rust development, the creation of more libraries and tools, and a broader community of Rust developers.”
—Irena Bojanova
Josh Amishav, founder and CEO of Breachsense, said Google's move will have a clear impact on the Rust universe. "Google's endorsement of Rust for such a critical component will validate Rust's capabilities in a real-world, large-scale setting,” he said.
“This can serve as a case study and potentially motivate other organizations to consider Rust for similar use cases. As a result, the move will also lead to more developers getting interested in and contributing to the Rust ecosystem.”
—Josh Amishav
Rust's development: It takes a village
While this isn’t the first release of a Rust implementation on bare metal, the Google Android team's transparency about the limitations of Rust’s safety features will have a huge impact on the Rust community’s ability to understand and prioritize future improvements, the Rust Foundation's Miller noted.
“Google’s emphasis on collaborating with the Rust community to implement those improvements also makes the delivery of that work more achievable and improves the security of all Rust implementations. Google’s model for responsible use of open-source software has a huge impact on the Rust universe.”
—Shane Miller
