Google Says Rust Language Initiative Eliminates Cross-Site Scripting, Other Flaws
Switching to a memory-safe language has reduced the number of vulnerabilities in Android systems by 75% in five years. Google said the change represents a “fundamental shift in how to approach security.”
Google’s Android team began relying on the Rust programming language in 2019 under the company’s secure design program called Safe Coding.
In an update on Wednesday, Android security researchers said that since the adoption of memory-safe programming languages, the number of vulnerabilities uncovered in Android devices has fallen from over 200 in 2019 to fewer than 50 by 2024. The percentage of vulnerabilities caused by memory safety issues in Android systems fell from 76% in 2019 to 24% in 2024 – well below the industry norm of 70%, the researchers said.
“We first reported this decline in 2022, and we continue to see the total number of memory safety vulnerabilities dropping,” Google said.
High-performance, system-level code written in C or C++ lacks memory safety, which increases the number of flaws across software ecosystems. Such vulnerabilities typically arise in how memory is accessed, written, allocated or deallocated, but the good news is that as code ages, it becomes less likely to be compromised by attackers. “The problem is overwhelmingly with new code,” Google said.
Moving forward, experts at Google and other organizations recommend using memory-safe languages such as Rust to address long-standing security issues such as buffer overruns and remote code execution vulnerabilities. To avoid having to rewrite existing memory-unsafe code in a memory-safe language, organizations should ensure interoperability among programming languages.
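One way to see what memory safety buys in practice, as an added Rust example that is not from the article or from Google's Android code base: parsing a constructed length-prefixed record, a classic source of buffer overruns. A C parser that trusts the declared length and copies that many bytes reads past the end of the buffer; in safe Rust the equivalent slice access is bounds-checked and simply returns `None`, so a malformed length becomes a parse error rather than an out-of-bounds read. The record format and the sample inputs are constructed for this example.

```rust
// Added example (not from the article or from Google's Android code):
// parsing a constructed [len: u8][payload: len bytes] record safely.
// In C, trusting `len` and calling memcpy(dst, src + 1, len) would read
// past the end of `buf` when `len` exceeds the bytes actually present.
// In safe Rust, `rest.get(..len)` is bounds-checked and yields None instead.

/// Parse one record. Returns None if the buffer is empty or the declared
/// length exceeds the bytes available after the length byte.
pub fn parse_record(buf: &[u8]) -> Option<&[u8]> {
    let (&len, rest) = buf.split_first()?;
    rest.get(..len as usize)
}

/// Parse a stream of back-to-back records. On the first malformed record,
/// return Err with the byte offset at which parsing stopped.
pub fn parse_stream(mut buf: &[u8]) -> Result<Vec<&[u8]>, usize> {
    let mut records = Vec::new();
    let mut offset = 0;
    while !buf.is_empty() {
        match parse_record(buf) {
            Some(payload) => {
                records.push(payload);
                // payload came from buf, so consumed <= buf.len() always holds.
                let consumed = 1 + payload.len();
                offset += consumed;
                buf = &buf[consumed..];
            }
            None => return Err(offset),
        }
    }
    Ok(records)
}

fn main() {
    // Constructed inputs: two well-formed records, then a stream whose
    // second record claims 200 payload bytes but only 2 are present.
    let good: &[u8] = &[3, b'a', b'b', b'c', 2, b'x', b'y'];
    let bad: &[u8] = &[3, b'a', b'b', b'c', 200, 1, 2];
    println!("{:?}", parse_stream(good));
    println!("{:?}", parse_stream(bad));
}
```

The point is not that the Rust version is cleverer; it is that the bounds check is the default, so a developer who forgets to validate `len` gets a recoverable `None` instead of silent memory disclosure.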
As part of the initiative, Google said it is trying to facilitate interoperability among Rust, C++ and Kotlin programming languages.
“The shift toward memory-safe languages represents more than just a change in technology, it is a fundamental shift in how to approach security,” the Google researchers said, adding that the transition has already been shown to eliminate cross-site scripting flaws.
In addition to tech companies, U.K. and U.S. government agencies have expressed concerns over memory-unsafe vulnerabilities because of cyberthreats to critical infrastructure. A recent U.S. Cybersecurity and Infrastructure Security Agency study found the majority of open-source projects are coded with memory-unsafe languages (see: CISA Report Finds Critical Open-Source Memory Safety Risks).
A February report from the Office of the National Cyber Director says mitigating memory safety flaws is a primary step toward building digital resilience.
Google and Arm are among a handful of industry players that are part of the U.S. and U.K. governments’ Capability Hardware Enhanced RISC Instructions program, or CHERI, which is designed to eliminate memory-unsafe flaws through specially designed hardware chips with limited kernel access and permissions (see: UK Official Touts CHERI for Memory-Safe Computing).