Microsoft has expanded on its experimentation with Mozilla’s Rust programming language, which the company is developing. Redmond explains the goal of Rust development is to make Windows coding more secure, under the codename Project Verona.
The company has previously discussed the potential security benefits of Rust but not expanded on the details. Earlier this year, Microsoft signaled its interest in the language as an alternative to C and C++ for Windows developers.
While C and C++ remain very popular, they are aging languages. Rust is a modern programming tool that is considered “memory-safe languages”. That’s because it is specifically designed to protect against vulnerabilities in memory corruption.
Microsoft has said it is exploring the idea of re-writing its products in Rust. The company’s interest in the security-focused language to combat a consistent problem. Specifically, the company points out over 70% of all patches it sent out over the last 10-years dealt with memory bugs. Rust was developed to deal with these problems.
Early experiments with Rust were successful, albeit with some features missing.
Matthew Parkinson, a Microsoft researcher from the Cambridge Computer Lab in the UK gave a talk last week explaining the company’s vision for dealing with memory issues. Specifically, the company is working with MemGC (Memory Garbage Collector) on Edge and Internet Explorer.
“We built a garbage collector (GC) for the DOM. That big bulge in use-after-free was basically people finding ways of exploiting memory management in the DOM engine in IE,” said Parkinson.
“And then [Microsoft] introduced MemGC, which is a conservative GC for the DOM. It was very targeted at this particular style of vulnerability and then basically eradicated that as an attack vector.”
Microsoft is rewriting some components in Rust in an effort to make coding more secure.
“If we want compartments, and to carve up the legacy bits of our code so [attackers’] exploit code can’t get out, what do we need in the language design that can help with that?”