"Google: After Using Rust, We Slashed Android Memory Safety Vulnerabilities"

Google appears to be reaping the benefits of its decision to use Rust for new code in Android in order to reduce memory-related flaws. Memory safety flaws in Android have been reduced by more than half, a significant achievement coinciding with Google's transition from C and C++ to the memory-safe programming language Rust. This is the first year that memory safety flaws have not been the most common type of security flaw, and it comes a year after Google made Rust the default language for new code in the Android Open Source Project (AOSP). Other memory-safe languages used by Google for Android include Java and the Java-compatible Kotlin.

Although C and C++ remain dominant languages in AOSP, Android 13 is the first version in which most of the new code is written in memory-safe languages. Rust now accounts for approximately 21 percent of new code after Google adopted it for AOSP in April 2021. This year, the Linux kernel project designated Rust as the new official second language to C.

Android 10 from 2019 had 223 memory safety bugs, while Android 13 has 85 known memory safety issues. Memory safety vulnerabilities have dropped from 76 percent to 35 percent of Android's total vulnerabilities during that time, according to Android security software engineer Jeffrey Vander Stoep. Google is seeing a decrease in critical and remotely exploitable flaws as memory safety vulnerabilities decline.

The Android team intends to increase its use of Rust, but there are no plans to abandon C and C++ for system programming. Stoep does point out that correlation does not imply causation, but the percentage of memory safety security bugs, which dominate high severity bugs, closely matches the languages used for new code. According to Google, security tools such as fuzzing have also had a significant impact on memory safety bugs. This article continues to discuss the reduction of memory-related flaws after Google decided to use Rust for new code in Android.

ZDNet reports "Google: After Using Rust, We Slashed Android Memory Safety Vulnerabilities"

Submitted by Anonymous on