Technology

70% Of All Software Hacks Will Be Gone If We Move To Rust

C and C++ is the root of all evil

DC
Published on Aug 19, 24 by:
Daniel Craciun
6 min read
70% Of All Software Hacks Will Be Gone If We Move To Rust
<source>
“Build a fireproof house, and you won’t need to put out any fires.”

We have far too many professionals available to mitigate cyber-security threats acting on an incident response basis.

The status quo is “build the software”, and “slap some security” on it as an afterthought; then deal with any issues as they arise.

This mentality is exactly why so many cyber security attacks happen in the first place, especially ones that are memory-related.

In fact, memory corruption makes up at least 70% of all vulnerabilities in major companies like Google and Microsoft, and this trend follows for a large number of monolith companies.

The solution to all this comes back to the quote I cited at the beginning:

“Build a fireproof house, and you won’t need to put out any fires.”

In other words, instead of using unsafe languages like C or C++ and patching zero-day exploits as they arise, switch to Rust and you won’t have any vulnerabilities to begin with.

Before we dive deeper into this article, I recommend you watch this video from Low Level Learning on Youtube, where he explains a document from the White House addressing the state of national cyber security and their recommendation of Rust:

So without further ado… Let’s dive right in!

C (and C++) is a Broken Language

Many people are eager to deny this, but C is a fundamentally broken language.

It was created in 1972 by Dennis Ritchie, which means it's been around for 52+ years.

And after 52 years, we are still being vexed by memory vulnerabilities, therefore C is not the right language for critical infrastructure.

And no, it's not just a "skill-issue", because if it was a "skill-issue" then you would think after 52+ years we would improve at C and write code that isn't easily exploitable.

This has been proven countless times in history, a very recent case being CVE-2024-38063, in which a bad actor with your IPv6 address could perform remote code execution on your Windows computer.

Remote code execution is usually attributed to memory vulnerabilities, in this case buffer overflow.

Now imagine Windows OS is programmed in Rust instead of C and C++.

Due to Rust's memory safety properties, it would be impossible to create buffer overflows and exploit such CVEs.

Prevention vs Mitigation

The idea of prevention vs mitigation is nothing new, and has been the subject of debate for many years.

As it stands, the digital ecosystem is in favor of a mitigation approach instead of a prevention approach, and while I believe this is bad for the long term, there are many reasons for this:

  1. Profit - It's much more profitable to hire cyber security mitigation experts instead of spending money building a strong secure foundation.
  2. Trust - Languages like C and C++ are more trustworthy, and they have a massive influence in most infrastructure today. As a result, even though Rust is more promising in terms of security, it's unlikely that it will be adopted overnight.
  3. Demand - Since most infrastructure is built using C and C++, there will always be an increasing demand for C and C++ developers. On the other hand, Rust is an emerging language, meaning the current demand for Rust developers is low in comparison to C and C++.

While mitigation is great for short-term profits and security, prevention strategies are much more important for long-term security of critical infrastructure.

This is why it's so important to adopt Rust over C languages as soon as possible, because like I said earlier, C is a broken language, and it has been like this for 52+ years.

Nothing has changed.

How Rust Solves Memory Vulnerabilities

If I could state the purpose of Rust over C in one sentence, here is how it would look:

Do not trust the programmer.

That's right, the problem with C is that it gives the programmer too many options to mess things up.

And since us humans aren't cyborgs, we make mistakes from time to time, regardless of our experience with C.

And as you know very well, the smallest mistakes in a C program can have horrible consequences, most of which are memory vulnerabilities.

Rust solves this by forcing you to write memory safe code. And it does so by enforcing the Rust-specifc concept of ownership and borrowing at compile time.

Explaining these concepts is out of the scope of this article, but if you are interested in the specifics of how Rust eliminates memory vulnerabilities, here's a cool video for you:

Conclusion

There is no doubt that Rust is the future of memory-safe low-level programming.

C and C++'s days are coming to an end, it's only a question of when this day will come.

In order to save the world from memory vulnerabilities, it's paramount to focus on prevention instead of mitigation, and I believe Rust is the perfect language for this job.

If you enjoyed this article, please make sure to Subscribe, Clap, Comment and Connect with me today! 🌐
Want to ship code like a hacker? Visit Next Inject today!