"Rust Software Security: A Current State Assessment"
Rust is an increasingly popular programming language. Although its user base remains small, it is considered a good language. For seven consecutive years, according to the Stack Overflow Developer Survey 2022, Rust has been the most-loved programming language. Rust possesses a distinctive security model that guarantees memory safety and concurrent safety while delivering the performance of C and C++. Due to Rust being relatively new, it has not been exposed to the same level of examination as older languages, such as Java. Therefore, Joseph Sible and David Svoboda, researchers at the Carnegie Mellon University (CMU) Software Engineering Institute (SEI), have released a blog assessing Rust's security promises. Rust's security model consists of its ownership idea and type system. The Rust compiler's borrow checker enforces a significant portion of its security paradigm. The borrow checker ensures memory safety and the absence of data races in Rust code. Java also enforces memory safety, but does so by introducing performance-degrading runtime garbage collection and runtime checks. Theoretically, the borrow checker ensures that Rust imposes nearly no performance penalty with memory checks at runtime. This excludes checks done explicitly by the source code. Therefore, the performance of compiled Rust code appears comparable to that of C and C++ code, and faster than that of Java code. Memory safety is lacking in traditional programming languages such as C and C++. As a result, programming errors can cause memory corruption, which often leads to security vulnerabilities. OpenSSL's Heartbleed vulnerability would not have occurred if the code had been written in a memory-safe language. The most significant advantage of Rust is that it detects errors at compile time that might otherwise result in memory corruption and other undefined behaviors at runtime in C or C++, without losing efficiency or low-level control. This article continues to discuss findings from the assessment of Rust software security.
CMU reports "Rust Software Security: A Current State Assessment"