Military Embedded Systems

DARPA program aims to eliminate memory-safety vulnerabilities

News

August 01, 2024

Lisa Daigle

Assistant Managing Editor

Military Embedded Systems

DARPA program aims to eliminate memory-safety vulnerabilities
Graphic courtesy DARPA

ARLINGTON, Va. The U.S. Defense Advanced Research Projects Agency (DARPA) has initiated a new program that intends to automate the translation of the world’s highly vulnerable legacy C code to the inherently safer Rust programming language.

According to the DARPA announcement, after more than two decades of grappling with memory-safety issues in C and C++, the software-engineering community has reached a consensus that reliance on bug-finding tools is not enough; DARPA says that even the Office of the National Cyber Director has called for more proactive approaches to eliminate memory-safety vulnerabilities. 

The challenge, say DARPA officials, has been rewriting legacy code at scale that matches the vastness of the problem, as the C language was created in the 1970s and has become ubiquitous and has been used to develop applications that run everything from modern smartphones to space vehicles and beyond. The U.S. Department of Defense (DoD), DARPA notes, has long-lived systems that disproportionately depend on programming languages like C.

A recent cultural shift toward the programming language Rust and recent breakthroughs in machine-learning techniques, like large language models (LLMs), have created an environment that may lend itself to a new class of solutions.

DARPA’s Translating All C to Rust (TRACTOR) program wants to find such solutions by substantially automating the translation of the world’s legacy C code to Rust. 

Dr. Dan Wallach, DARPA program manager for TRACTOR, said of the C/Rust dilemma: “The research challenge is to dramatically improve the automated translation from C to Rust, particularly for program constructs with the most relevance." To that end, TRACTOR will try to emulate the same quality and style that a skilled Rust developer would produce, thereby eliminating the entire class of memory-safety security vulnerabilities in C programs.

The DARPA announcement says that Wallach anticipates proposals that include novel combinations of software analysis, such as static and dynamic analysis, and large language models; the TRACTOR program will host public competitions throughout the effort to test the capabilities of the LLM-powered solutions.

"Rust forces the programmer to get things right,” said Wallach. “It can feel constraining to deal with all the rules it forces, but when you acclimate to them, the rules give you freedom. They're like guardrails; once you realize they're there to protect you, you'll become free to focus on more important things."

DARPA will sponsor a Proposers Day on Aug. 26, 2024, which attendees can attend in person or virtually; participants must register by Aug. 19, 2024. Details and registration info are available at SAM.Gov.

 

Featured Companies

U.S. Defense Advanced Research Projects Agency (DARPA)

675 North Randolph Street
Arlington, VA 22203-2114