Shulou(Shulou.com)11/24 Report--

CTOnews.com, October 10 (Xinhua) Google announced last year that it was migrating Android native code from C++ to Rust, and Google is now posting an article on its blog showing new progress in using the Rust language.

It is reported that Google is using the Rust language to rewrite key Android security components executed outside the Linux core, thereby further reducing security vulnerabilities.

▲ source Google security blog Google claimed that last year's survey showed that the number of security vulnerabilities in Android fell from 223 in 2019 to 85 in 2022. After analysis, Google believes that the reduction in memory vulnerabilities is mainly related to the increase in the proportion of Rust code.

CTOnews.com Note: the Rust language takes memory security into account, and when compiling, Rust can capture most memory security issues and avoid related vulnerabilities in production environments.

In Android 13, about 21% of the new native code has been developed in Rust. Officially, most of these components are in user-level system services (that is, running in Linux), but there are still many components that are still written in C++, and many of these security-critical components are running in a bare metal environment outside the Linux core. Google is now in order to enhance the security of Android devices. The proportion of using Rust in bare metal environment is gradually increasing.

Google claims that the relevant developers rewrote the protected virtual machine (pVM) firmware of the Android virtualization framework in Rust, providing a security basis for the pVM trust root.

▲ source Google Security blog it is reported that the role of pVM is similar to Bootloader, which is based on the open source project U-Boot, but U-Boot has some shortcomings in its design, and many researchers have found that U-Boot has security vulnerabilities such as integer underflow (Integer Underflow) and memory corruption, especially the VirtIO driver, which has many problems in terms of "boundary checking."

Google says it has fixed problems found in U-Boot and that by switching to Rust, it can avoid more similar memory security vulnerabilities in the future.

▲ source Google Security blog because Google wants to support the use of the Rust language in bare metal environments, it has also contributed a series of new projects, such as VirtIO drivers for pVM firmware, Google has fixed a series of bugs in the existing virtio-drivers and added new features.

Google also plans to release more Rust packages and support bare metal development on various platforms. Google mentioned that although there are many restrictions on the use of Rust on bare metal, Rust can provide higher security and productivity than C or C++ language, and Google will continue to expand the use of Rust in the future.

Referenc

Bare-metal Rust in Android

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.