A new hope for more secure defense systems?
November 20, 2023
Rust is a new systems-programming language that eliminates dangerous memory bugs while providing high performance. It has the potential to transform safety-critical software development through its innovative ownership model guaranteeing memory safety. However, challenges – including building out an ecosystem for certified code – may hinder Rust’s adoption. Even so, Rust provides a promising solution for more secure, reliable code.
The clock is ticking: Military and aerospace programs are blowing past budgets and deadlines, with few signs of improvement. As recently as June 2023, more than half of the programs assessed by the U.S. Government Accountability Office (GAO) reported delays. As seen in the chart in Figure 1, the costs of these overruns are staggering, putting U.S. national security and technological leadership at risk.
Why is this happening? At the heart of this lie increasingly complex embedded systems that require seamless integration of hardware and software. As we enter a software-defined world, these challenges will only intensify, as a recent report from McKinsey outlines.
[Figure 1 ǀ Growth of software complexity in aerospace systems shown in thousand lines of source code. Graph courtesy McKinsey.]
Government and industry are responding with [the U.S. Department of Defense (DoD) modular open systems approach (MOSA) mandate] and open standards like FACE [Future Airborne Capability Environment] and SOSA [Sensor Open Systems Architecture] as well as modern development workflows such as virtual platforms and DevSecOps. Another solution may lie in a new systems programming language called Rust. Developed by open-standards community Mozilla, Rust delivers unprecedented reliability while maintaining high performance standards. It prevents entire classes of bugs by design and empowers programmers to write safer, cleaner code. Rust has the potential to transform the development of mission-critical embedded systems, but it faces a hard road toward adoption.
Making a case
Does the world really need a new programming language? There are already so many. Safety-critical systems require secure, reliable code. But current languages fall short, resulting in project delays and vulnerabilities. (Figure 2.)
[Figure 2 ǀ Major defense acquisition programs are taking longer to deliver capabilities. GAO graphic.]
Legacy languages like C and C++ are prone to memory errors, while newer managed languages like Java and Python sacrifice control for convenience. The result is exploitable systems that could endanger lives. Rust addresses these challenges by eliminating entire classes of flaws by design, balancing power and safety and thereby freeing engineers to write robust systems from the start.
In a language like C, the burden of managing memory rests with the programmer, who must allocate memory through a pointer before using it and must free that memory afterward. Manually allocating and freeing memory is error-prone and can lead to serious bugs if not done correctly. For example, if the programmer forgets to free the memory, it essentially causes a memory leak, eventually leading the program to crash. In the hands of a competent programmer, C can be extremely powerful, enabling them to do things that are not possible in any other language. But guardrails like coding standards are needed, along with static-analysis tools and indeed a newer set of tools performing semantic analysis on the code.
On the other hand, an interpreted language like Python performs all the memory management. If a programmer allocates a pointer and subsequently forgets to free the memory associated with it, Python will automatically do it through garbage collection. To make things easier for the programmer, Python sacrifices flexibility, freedom, and power. Functions like garbage collection are extremely slow and nondeterministic and therefore unsuitable for a system with deterministic safety and/or security requirements.
This approach enables a simplified experience for a certain class of programmers, who don’t need to worry about memory or safety, and it can be fantastic for higher-level applications like web browsers or business applications; it’s also partly why this class of languages is so popular. These languages also offer a diverse set of libraries, which give programmers the power to invoke anything. As an example, the set of string manipulation libraries makes tasks like search engine keyword manipulation easier in Python than they would be in any other language.
In the context of a safety-critical or security-critical application, however, all tools need to be certified. In the case of Python, the whole interpreter needs to be qualified in order to allow its use. Gauging from industry feedback, this is an impractical exercise.
The opportunity for Rust
This is an opportunity for Rust: Its constructs are some of the closest to C, but it eliminates some of the key problems that are seen with respect to pointer management and memory. Rust manages memory, but without using garbage collection. It is often mentioned in the same breath as “memory-safe languages,” which is certainly one of its main features; in fact, memory is one of the primary sources of bugs. The upshot: Rust is an opportunity to eliminate a whole class of vulnerabilities and is a massive step toward ensuring systems behave as they were intended.
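As an added illustration (not code from the article or from Lynx), the following Rust program shows what managing memory without garbage collection looks like in practice: each buffer has exactly one owner, and it is released at a point fixed at compile time. The `Frame` type, the event log and all function names are hypothetical and exist only for this example.

```rust
use std::cell::RefCell;
use std::rc::Rc;

// Shared event log so the example can observe exactly when memory is released.
type Log = Rc<RefCell<Vec<String>>>;

// Hypothetical sensor frame that owns a heap buffer (illustrative names only).
struct Frame { id: u32, samples: Vec<u8>, log: Log }

impl Frame {
    fn new(id: u32, len: usize, log: &Log) -> Frame {
        log.borrow_mut().push(format!("alloc {}", id));
        Frame { id, samples: vec![0; len], log: Rc::clone(log) }
    }
}

// Drop runs when the owner goes out of scope; there is no collector and no pause.
impl Drop for Frame {
    fn drop(&mut self) {
        self.log.borrow_mut().push(format!("free {}", self.id));
    }
}

// Takes ownership: the frame is freed when this function returns.
fn consume(frame: Frame) -> usize {
    frame.samples.len()
}

// Borrows: the caller keeps ownership, so nothing is freed here.
fn checksum(frame: &Frame) -> u32 {
    frame.samples.iter().map(|&b| b as u32).sum()
}

// Returns the ordered allocation/free events for two frames.
fn lifecycle() -> Vec<String> {
    let log: Log = Rc::new(RefCell::new(Vec::new()));
    {
        let a = Frame::new(1, 64, &log);
        let b = Frame::new(2, 32, &log);
        let _ = checksum(&a); // borrow: `a` is still usable afterwards
        let _ = consume(b);   // move: `b` is freed inside consume()
        // consume(b);        // rejected at compile time: use of moved value
        log.borrow_mut().push("end of scope".into());
    } // `a` is freed here, exactly once; `b` was moved, so it is not freed again
    let events = log.borrow().clone();
    events
}

fn main() { for e in lifecycle() { println!("{}", e); } }
```

The commented-out second `consume(b)` is the C double-free pattern; in Rust it is a compile error rather than a runtime defect, and forgetting to free `a` is not possible because the compiler inserts the release at the closing brace.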
The other primary element that makes Rust appealing is that its syntax is very similar to that of C. There are obviously some key differences, but it’s not the same as looking at a C program and comparing with Ada. That familiarity (Rust is like C) becomes a feature in a way, and is therefore a catalyst for C programmers to adopt Rust. It’s true that C programmers can be quite a cynical bunch, particularly toward languages that don’t give them the level of capability and freedom that they’re used to. Rust attempts to provide that level of programming freedom while eliminating common sources of challenges that would affect safety and security.
While Rust shows promise, there are challenges for the industry to address. A key part of adopting a programming language is to learn about its capabilities and – more importantly – to determine whether it’s a good fit for what the program is trying to accomplish. In avionics/military target markets, there is a need to know that once code has been written in Rust, it is safety-certifiable. From a safety ecosystem standpoint, it is fair to say this is at the embryonic stage. For example, while a standard has been drafted, there is no official coding standard yet and approval of one is still a ways away. Similarly, a MISRA standard for Rust is still being debated and discussed.
Rust also lacks a commercial tool for static analysis. Therefore, a company is going to use whatever comes from the open-source ecosystem to check syntax. This analysis can certainly be worked around as some of the open-source tools offer some capabilities. More challenging are aspects like code coverage; today, there is no tool we are aware of providing this for the Rust ecosystem. Anyone who needs to certify their Rust program today will not be able to accomplish this; there is no coverage mechanism to enable code coverage at the source level.
Rust also lacks a set of functionally safe libraries. Today’s offerings address more general-purpose use cases as opposed to functional safety. The military and avionics sectors are now seeing interest in Rust, including an increase in customer requests for proposals (RFPs) that call out a need to support Rust. There is significant activity in the automotive market as well, so it’s not unrealistic to say that end market demand there (in a substantially higher volume market than military and avionics) will create the business case for a safety ecosystem to coalesce around Rust.
What’s the best approach to using Rust? Let’s set out a threefold method:
- Helping customers create Rust programs and use them seamlessly with other software, including C libraries. This is important as the reality is that companies will not switch over to Rust immediately. There will be a long period of time with a hybrid set of development tools and packages. Initial engagements with Ferrous Systems on a Rust compiler for the Lynx RTOS and unikernel have shown this is quite straightforward.
- Converting certain programs to or writing new ones in Rust, where there is no block due to a lack of certification in place.
- Once a more robust ecosystem is in place, migration of a broader set of the company’s software to using Rust.
Rust offers immense potential to transform the development of safety-critical systems. Its innovative design eliminates entire classes of dangerous memory bugs that plague other languages, which enables building secure software that protects human lives and critical infrastructure.
Realizing Rust’s promise, however, relies on cultivating a robust ecosystem for certified code. Industry collaboration is needed to create rigorous coding standards, validated static analyzers, and the coverage tools expected in high-assurance environments.
One thing is clear – the stakes could not be higher. As software complexity explodes, the world needs provably secure languages like Rust more than ever. The time is now to solve the challenges holding Rust back from wider adoption. With focus and commitment from the open-source community, Rust can fulfill its potential to make military and aerospace systems fundamentally more robust.
Ian Ferguson is the vice president of marketing at Lynx Software Technologies and in that role is responsible for all aspects of the outward-facing presence of the company to its customer, partner, press, and analyst communities. Ian is also responsible for nurturing the Lynx partnership program to accelerate engagement in mission-critical systems. Ian spent nearly 11 years at Arm, where he held roles leading teams in vertical marketing, corporate marketing, and strategic alliances. Ian is a graduate of Loughborough University (U.K.), with a bachelor’s degree in electrical engineering.
Lynx Software Technologies • https://www.lynx.com/