Rust can help make software secure – but it's no cure-all
Security is a process, not a product. Nor a language
Memory-safety flaws represent the majority of high-severity problems for Google and Microsoft, but they're not necessarily associated with the majority of vulnerabilities that actually get exploited.
So while coding with Rust can help reduce memory safety vulnerabilities, it won't fix everything.
Security biz Horizon3.ai has analyzed CISA's Known Exploited Vulnerabilities in 2023 and found, as chief attack engineer Zach Hanley put it, that "Rust won’t save us, but it will help us."
We feel this is something that can't be said enough right now; if it's already obvious to you, well done. Rust will stop you from using data after it's been freed, or try its best to stop you, but it can't really prevent you from introducing logic bugs or from passing unfiltered user input to a command interpreter.
The most common vulnerabilities in 2023 had to do with insecure exposed functions, representing 48.8 percent of last year's crop. These include flaws like CVE-2023-33246 in Apache RocketMQ, in which the application "insecurely exposed an endpoint that calls Java's getRuntime().exec() with an attacker-controlled variable."
Or CVE-2023-22515 in Atlassian Confluence, in which the application insecurely exposed an endpoint that allowed a server's configuration state to be modified.
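The exec pattern just described looks no different in Rust: the borrow checker has nothing to say about a string that is handed to a shell. The added example below (not from the article or from Horizon3.ai's report) puts the injectable version beside a hardened one that validates the value and passes it as a single argv element with no shell involved; the `ping` wrapper and the hostile input are constructed for illustration.

```rust
use std::process::Command;

/// Vulnerable: the user-supplied value is spliced into a shell command line.
/// This is the Rust equivalent of getRuntime().exec() with a tainted string;
/// it is memory-safe and still a command-injection bug.
pub fn shell_line(user_host: &str) -> String {
    format!("ping -c 1 {}", user_host)
}

pub fn vulnerable_ping(user_host: &str) -> Command {
    let mut cmd = Command::new("sh");
    cmd.arg("-c").arg(shell_line(user_host)); // shell interprets ';', '|', '$(...)'
    cmd
}

/// Hardened, step 1: allowlist the characters a hostname may contain and
/// reject a leading '-', which would otherwise be parsed as a ping option.
pub fn validate_host(user_host: &str) -> Result<&str, String> {
    let ok = !user_host.is_empty()
        && user_host.len() <= 253
        && !user_host.starts_with('-')
        && user_host
            .chars()
            .all(|c| c.is_ascii_alphanumeric() || c == '.' || c == '-');
    if ok {
        Ok(user_host)
    } else {
        Err(format!("rejected host argument: {:?}", user_host))
    }
}

/// Hardened, step 2: build argv directly. Each element reaches the child
/// process as one argument, so there is no command interpreter to abuse.
pub fn safe_argv(user_host: &str) -> Result<Vec<String>, String> {
    let host = validate_host(user_host)?;
    Ok(vec!["ping".into(), "-c".into(), "1".into(), host.into()])
}

pub fn safe_ping(user_host: &str) -> Result<Command, String> {
    let argv = safe_argv(user_host)?;
    let mut cmd = Command::new(&argv[0]);
    cmd.args(&argv[1..]);
    Ok(cmd)
}

fn main() {
    let hostile = "example.com; id"; // constructed hostile input, never executed here
    println!("vulnerable path would hand the shell: {}", shell_line(hostile));
    match safe_argv(hostile) {
        Ok(argv) => println!("validated argv: {:?}", argv),
        Err(e) => println!("hardened path: {}", e),
    }
}
```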
Memory safety flaws tied for second place alongside web routing and path abuse – categories each representing 19.5 percent of 2023 vulnerabilities.
CVE-2023-34362, the Progress MOVEit Transfer vulnerability, is an example of path abuse. In this instance, the application tried to limit access locally but contained a header parsing bug that exposed functions.
While memory safety vulnerabilities may not have been the largest source of problems last year, they tend to have a significant impact because they're often identified at the time they're first actively exploited, before patches have been prepared.
Horizon3.ai found that 75 percent of the memory safety bugs analyzed were exploited as zero-day flaws and that 25 percent of them were initially believed to have been spotted by security researchers who later discovered that others had already been exploiting them.
"When vulnerabilities are exploited as zero-days they typically have a much more widespread effect on the world given that patches often lag by weeks once they are discovered," wrote Hanley.
Hanley says that most of the vulnerabilities that are being exploited are simple to abuse. So while coding in Rust will help, more attention needs to be paid to the risks complex software presents.
That work is already underway, through initiatives to harden the software supply chain and related projects.
Amid the rush to Rust – which has Microsoft recruiting developers to rewrite C# code in Rust and Google donating to improve Rust tooling – it's easy to forget that security is a process, rather than a product. Or a language. ®