Shulou(Shulou.com)11/24 Report--

Thanks to CTOnews.com netizens for the loose delivery of clues! CTOnews.com, Dec. 4 (Xinhua) Last year, Google made Rust the default code for new code in the Android Open Source Project (AOSP), a move that seems to be paying off, saying that memory security vulnerabilities in Android have been reduced by more than half.

Tu Yuan Pexels Google said that "in the past few years / version, the number of memory security vulnerabilities has dropped significantly." Specifically, the number of annual memory security vulnerabilities fell from 223 to 85 between 2019 and 2022. Memory security vulnerabilities now account for 35% of all Android vulnerabilities, up from 76% four years ago. In fact, "2022 is the first year in which memory security vulnerabilities do not account for most Android vulnerabilities."

Android 13 was the first Android version to add most of the new code in a memory-safe language, in which the Rust language accounted for 21% of all new native code, including the UWB stack, DNS-over-HTTP3, Keystore2, Android's virtualization framework (AVF), and "various other components and their open source dependencies."

CTOnews.com learned that in addition to Rust, Google's other memory security languages for Android include Java and Kotlin, which is compatible with Java. C and C++ are still mainstream languages in AOSP, but Android 13 is the first version where most of the new code comes from memory-safe languages.

Jeffrey Vander Stoep, an Android security software engineer, pointed out that the Android team plans to increase its use of Rust, although it has no plans to abandon C and C++ completely in system programming. "Rust doesn't solve all problems, and in some areas, C / C++ will continue to be the most practical development choice, at least for a while," he said in a tweet. "We will strive to reduce this situation over time, while continuing to expand our Rust use and continue to invest in and deploy improvements to C / C++," he added. "

Vander Stoep points out that correlation is not the same as causality, but the percentage of memory security vulnerabilities is closely related to the language used by the new code.

He went on to point out that there are 1.5 million lines of Rust code in Android 13, accounting for about 21% of all new code. So far, Google has not found any memory security vulnerabilities in Android's Rust code. "this shows that Rust is achieving its intended goal of preventing the most common vulnerabilities of Android," Vander Stoep said. "in many Android C / C++ components (such as media, Bluetooth, NFC, etc.), the historical vulnerability density is greater than 1 / kLOC (one vulnerability per thousand lines of code). Based on this historical vulnerability density, the use of Rust may have prevented hundreds of vulnerabilities."

Google sees getting rid of C / C++ as a challenge, but is pushing ahead with the project for Android. However, it does not use the Rust language on Chrome.

It is reported that Rust is a system programming language that focuses on security, especially concurrency security, and supports functional, imperative, generic and other programming paradigms. Rust is syntactically similar to C++, but the designers want to provide better memory security while ensuring performance.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.