<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1076912843267184&amp;ev=PageView&amp;noscript=1">

RL Blog


Rust on Android goes bare metal: 3 key security benefits

Extending the language's bare-metal use from Linux will make Android a trusted platform — and have a broader impact on the Rust development community.

John P. Mello Jr.
Blog Author

John P. Mello Jr., Freelance technology writer.


A milestone in the software industry's move toward safer programming languages was reached last week with Google's announcement that it is extending the use of Rust into bare-metal Android environments.

Google has been moving native Android code from C++ to Rust, which the company says has resulted in fewer security vulnerabilities. Most of that code runs in Linux. This move is about extending Rust beyond the Linux kernel.

Andrew Walbran, a member of the Android Rust team, wrote in the Google Security Blog that many security-critical components of Android run in bare-metal environments — outside of Linux — and they are typically written in C. "As part of our efforts to harden firmware on Android devices, we are increasingly using Rust in these bare-metal environments, too."

To achieve this shift, Google has rewritten the Android Virtualization Framework’s protected virtual machine (pVM) firmware in Rust to provide a memory-safe foundation for the pVM root of trust. That firmware performs a function similar to a bootloader and was initially built on top of U-Boot, a widely used open-source bootloader, which Walbran said "was not designed with security in a hostile environment in mind."

"We fixed the specific issues we found in U-Boot, but by leveraging Rust we can avoid these sorts of memory-safety vulnerabilities in the future."
Andrew Walbran

Google's use of Rust in bare-metal applications will make Android a safer platform and have a broader positive impact on the Rust community, industry experts noted. Here are three key takeaways from the move.

1. Fewer memory safety issues

The move to extend Rust's use has the potential to make Android applications that utilize the Android Virtualization Framework (AVF) more secure by hardening the root of trust for the protected VMs, said Michael Mehlberg, CEO of Dark Sky Technology.

Mehlberg compared the AVF to Intel's Secure Enclave, which lets the Android application ship a section of code that will run in a separate virtual machine, be "completely isolated from the host Android platform, and only interacting with the base Android system through a very narrow interface."

"Using Rust in the pVM firmware will reduce memory safety issues in that interface between the protected virtual machine and, ultimately, the Android application that kicked off the computation in the pVM."
Michael Mehlberg

He noted that the reduction in memory safety issues in the pVM firmware comes from Rust enforcing bounds-checking, as well as providing a strict ownership of memory by default. It also requires programmers to opt in to unsafe behaviors through specific code constructs that can be targeted for more stringent inspection during review.

Shane Miller, a senior fellow at the Atlantic Council and a distinguished advisor to the Rust Foundation, said that transitioning to Rust makes Android applications more secure. 

"Memory safety has a huge impact on security, so replacing unsafe code like C with memory-safe Rust substantially improves the security of Android applications. In every industry study, more than 50% of security vulnerabilities are attributable to a lack of memory safety in the code."
Shane Miller

2. A smaller attack surface

Irena Bojanova, a computer scientist with the National Institute of Standards and Technology (NIST), said that by rewriting Android's pVM in Rust, Google is reducing the potential attack surface of the pVM's root of trust.

"A more secure pVM implies a stronger foundational security, which indirectly can make Android applications running on top of it safer."
Irena Bojanova

However, Robert Schiela, technical manager of cybersecurity foundations at the Software Engineering Institute at Carnegie Mellon University, said the shift was limited by its reach. He noted that while Google's move has the potential to secure Android systems — and the applications running on them — it won’t necessarily do much to make the applications’ software packages individually more secure. But he also sees benefits in the development.

"It could prevent exploits that might enable an attacker to control the underlying system and possibly cross application or device boundaries they shouldn’t be able to. At least, it should reduce the chances of that happening even if it doesn’t prevent it."
Robert Schiela

Joel Marcey, director of technology at the Rust Foundation, said the use of Rust in a bare-metal environment has a deep impact on securing Android itself.

"These bare-metal components, now written in Rust, are outside of a normal operating system, such as Linux, where actual user applications will run. Therefore, this change has the potential to further secure the Android environment itself, which is the first step in ensuring that everything running on top of Android can be secure as well."
Joel Marcey

3. Benefits for the Rust ecosystem

Dark Sky's Mehlberg said Google's move will have a bigger net benefit, by boosting Rust's usage more broadly. As more companies use Rust in bare-metal contexts, the ecosystem of Rust libraries that target bare metal will grow, and the existing bare metal–capable libraries will be enhanced through bug-fixes and features, he said.

“Additionally, this will help drive the development of future Rust language features and patterns for working in bare-metal contexts."
—Michael Mehlberg

NIST's Bojanova said Google’s move is significant for the Rust programming language because “it demonstrates Rust's growing popularity and trust in the industry for security-critical applications.”

“Google's adoption of Rust for a critical component in Android virtualization will likely inspire other organizations to consider Rust for their projects, particularly when security is a top concern. This could lead to increased investment in Rust development, the creation of more libraries and tools, and a broader community of Rust developers.”
—Irena Bojanova

Josh Amishav, founder and CEO of Breachsense, said Google's move will have a clear impact on the Rust universe. "Google's endorsement of Rust for such a critical component will validate Rust's capabilities in a real-world, large-scale setting,” he said.

“This can serve as a case study and potentially motivate other organizations to consider Rust for similar use cases. As a result, the move will also lead to more developers getting interested in and contributing to the Rust ecosystem.”
—Josh Amishav

Rust's development: It takes a village

While this isn’t the first release of a Rust implementation on bare metal, the Google Android team's transparency about the limitations of Rust’s safety features will have a huge impact on the Rust community’s ability to understand and prioritize future improvements, the Rust Foundation's Miller noted.

“Google’s emphasis on collaborating with the Rust community to implement those improvements also makes the delivery of that work more achievable and improves the security of all Rust implementations. Google’s model for responsible use of open-source software has a huge impact on the Rust universe.”
—Shane Miller

Keep learning

Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.

More Blog Posts

    Special Reports

    Latest Blog Posts

    Is Cybersecurity Ready for the SolarWinds Prosecution? Is Cybersecurity Ready for the SolarWinds Prosecution?

    Conversations About Threat Hunting and Software Supply Chain Security

    Reproducible Builds: Graduate Your Software Supply Chain Security Reproducible Builds: Graduate Your Software Supply Chain Security

    Glassboard conversations with ReversingLabs Field CISO Matt Rose

    Software Package Deconstruction: Video Conferencing Software Software Package Deconstruction: Video Conferencing Software

    Analyzing Risks To Your Software Supply Chain