Rust In, C and C++ Out of Microsoft! For the Sake of Security

Rust In, C and C++ Out of Microsoft! For the Sake of Security
Published on

It's time to halt starting any new projects in C/C++ and use Rust, says Microsoft's Azure CTO

Mark Russinovich, Microsoft's Azure CTO, says that C and C++ should not be used for new projects. "It's time to halt starting any new projects in C/C++ and use Rust for those scenarios where a non-GC language is required. For the sake of security and reliability, the industry should declare those languages as deprecated," he said on Twitter, expressing a personal opinion rather than a new Microsoft policy.

Russinovich's remarks are notable because Microsoft's core products, such as Windows, Office, and SQL Server, are largely written in C and C++. So too is Linux, which also has widespread use on the Azure cloud platform. That said, it will soon be possible to write parts of the Linux kernel in Rust, judging by reports from the recent open source summit and an email from Linux creator to journalist Steven Vaughan-Nichols in which he said: "Unless something odd happens, it [Rust] will make it into 6.1."

Rust and C++ are two popular systems programming languages. For years, the focus of C++ has been on performance. Microsoft has been increasingly hearing calls from customers and security researchers that C++ should have stronger safety guarantees in the language. C++ often falls behind Rust when it comes to programming safety. Visual Studio 2019 version 16.7 contains four new rules in C++ Core Check to incorporate some safety features from Rust into C++.

This is not the first time Microsoft has championed Rust to improve software security. Three years ago the Microsoft Security Response Center (MSRC) stated "we think that Rust represents the best alternative to C and C++ currently available." The MSRC team also said that "roughly 70 percent of the security issues that the MSRC assigns a CVE to are memory safety issues. This means that if that software had been written in Rust, 70% of these security issues would most likely have been eliminated."

According to Microsoft, about 70% of the CVEs it has patched since 2006 are due to memory safety issues. Eliminating those bugs would dramatically improve software security while reducing the cost of vulnerability remediation.

Apple, Amazon, Google, Meta, and Microsoft, amongst many others, use Rust in some capability or manufacturing. Cloudflare lately gushed about Pingora, its new HTTP proxy constructed utilizing Rust, which has boosted efficiency and lower CPU and reminiscence utilization.

Rust appears much less susceptible to potential reminiscence corruption bugs and this makes software programs much less weak. Microsoft has been speaking about dumping C/C++ and exploring Rust at least since 2019 and has been growing its personal cloud-oriented reminiscence-protected programming language known as Undertaking Verona. So Russinovich's name to deprecate C/C++ shouldn't be without precedent.

Rust is not always memory-safe. Using the unsafe keyword, Rust developers can dereference raw points, call dangerous functions, write to mutable static variables, and more. This is necessary at times; but by isolating such code into specifically marked blocks, Rust improves on C or C++ in this respect.

Despite these prominent voices supporting Rust, the language trails well behind both C and C++ in usage surveys such as the Redmonk language rankings, which places C++ 7th, C 10th, and Rust in 19th.

Join our WhatsApp Channel to get the latest news, exclusives and videos on WhatsApp

                                                                                                       _____________                                             

Disclaimer: Analytics Insight does not provide financial advice or guidance. Also note that the cryptocurrencies mentioned/listed on the website could potentially be scams, i.e. designed to induce you to invest financial resources that may be lost forever and not be recoverable once investments are made. You are responsible for conducting your own research (DYOR) before making any investments. Read more here.

Related Stories

No stories found.
logo
Analytics Insight
www.analyticsinsight.net