In Rust we trust: Shoring up Apache, ISRG ditches C, turns to wunderkind lang for new TLS crypto module

Elder server httpd to be revitalized with Google-funded memory-safe add-on

At almost 26 years old, the Apache HTTP Server, known as httpd, has a memory problem: it is written in C, a language known among other things for its lack of memory safety.

C requires programmers to pretty much manage computer memory themselves, which they don't always do very well. And poor memory management can lead to memory leaks and blunders like buffer overflows, null pointer dereferencing, and use-after-free() issues. The recent Libgcrypt bug offers an example of how C code snafus can cause problems.

The httpd server has had memory safety bugs before, and because it's still widely used, accounting for about a third of the web servers, the Internet Security Research Group (ISRG) has decided to institute a repair program.

The San Francisco-based non-profit, which oversees Let's Encrypt, is backing an effort to revitalize the venerable server software with a fresh coat of Rust, much as it did for curl last year.


Severe bug in Libgcrypt – used by GPG and others – is a whole heap of trouble, prompts patch scramble


One of the primary virtues of the Rust programming language is that it can be used in a way that's memory safe, thereby preventing various potential errors from making their way into production code. Rust will block at build time any unintentionally unsafe operations, thanks to its concept of ownership among other things. For widely used C-based software like httpd, the next best thing is a rewrite of critical networking components.

"We currently live in a world where deploying a few million lines of C code on a network edge to handle requests is standard practice, despite all of the evidence we have that such behavior is unsafe," said executive director Josh Aas in a blog post seen ahead of publication by The Register. "Our industry needs to get to a place where deploying code that isn’t memory safe to handle network traffic is widely understood to be dangerous and irresponsible."

Toward that end, ISRG has arranged to have Google fund the creation of a new TLS module for ​httpd​ called ​mod_tls, to replace mod_ssl. The commissioned module will rely on the Rust TLS module instead of OpenSSL, which is written mostly in C. It won't immediately replace mod_ssl but the hope is that mod_tls will eventually become the default.

"Apache httpd is still a critically important piece of infrastructure, 26 years after its inception," said Brian Behlendorf, executive director of the open source Hyperledger project and co-creator of Apache, in a statement. "As an original co-developer, I feel a serious revamp like this has the potential to protect a lot of people and keep httpd relevant far into the future."

ISRG has enlisted ​Stefan Eissing​ of G​reenbytes​ to do the development work. Eissing​ shouldn't have to spend much time familiarizing himself with the httpd source given that he already commits code to the httpd project.

Asked why ISRG is fixing Apache's plumbing instead of leaving repairs to the Apache Foundation, Aas said, "We wanted to get this work done so we found a way to do it. We don't know if this kind of work is something the ASF does. While we did coordinate with Apache community members, we did not coordinate with the ASF itself."

Aas said there wasn't any specific Apache bug that motivated the initiative. "This work was motivated by a general risk profile," he said, adding, "We would love to see Nginx, and any other popular infrastructure software written in C or C++, undertake similar work." ®

Broader topics

Other stories you might like

  • SpaceX Starlink sat streaks now present in nearly fifth of all astronomical images snapped by Caltech telescope

    Annoying, maybe – but totally ruining science, no

    SpaceX’s Starlink satellites appear in about a fifth of all images snapped by the Zwicky Transient Facility (ZTF), a camera attached to the Samuel Oschin Telescope in California, which is used by astronomers to study supernovae, gamma ray bursts, asteroids, and suchlike.

    A study led by Przemek Mróz, a former postdoctoral scholar at the California Institute of Technology (Caltech) and now a researcher at the University of Warsaw in Poland, analysed the current and future effects of Starlink satellites on the ZTF. The telescope and camera are housed at the Palomar Observatory, which is operated by Caltech.

    The team of astronomers found 5,301 streaks leftover from the moving satellites in images taken by the instrument between November 2019 and September 2021, according to their paper on the subject, published in the Astrophysical Journal Letters this week.

    Continue reading
  • AI tool finds hundreds of genes related to human motor neuron disease

    Breakthrough could lead to development of drugs to target illness

    A machine-learning algorithm has helped scientists find 690 human genes associated with a higher risk of developing motor neuron disease, according to research published in Cell this week.

    Neuronal cells in the central nervous system and brain break down and die in people with motor neuron disease, like amyotrophic lateral sclerosis (ALS) more commonly known as Lou Gehrig's disease, named after the baseball player who developed it. They lose control over their bodies, and as the disease progresses patients become completely paralyzed. There is currently no verified cure for ALS.

    Motor neuron disease typically affects people in old age and its causes are unknown. Johnathan Cooper-Knock, a clinical lecturer at the University of Sheffield in England and leader of Project MinE, an ambitious effort to perform whole genome sequencing of ALS, believes that understanding how genes affect cellular function could help scientists develop new drugs to treat the disease.

    Continue reading
  • Need to prioritize security bug patches? Don't forget to scan Twitter as well as use CVSS scores

    Exploit, vulnerability discussion online can offer useful signals

    Organizations looking to minimize exposure to exploitable software should scan Twitter for mentions of security bugs as well as use the Common Vulnerability Scoring System or CVSS, Kenna Security argues.

    Better still is prioritizing the repair of vulnerabilities for which exploit code is available, if that information is known.

    CVSS is a framework for rating the severity of software vulnerabilities (identified using CVE, or Common Vulnerability Enumeration, numbers), on a scale from 1 (least severe) to 10 (most severe). It's overseen by, a US-based, non-profit computer security organization.

    Continue reading

Biting the hand that feeds IT © 1998–2022