• Jl. Bukit Patas, Beng, Kec. Gianyar, Kabupaten Gianyar, Bali 80513
Call Us

Google’s Transition to Rust Programming Reduces Android Memory Vulnerabilities by 68%

Ava Garcia

October 28, 2024

Technology

Google says that since they started shifting to memory-safe languages like Rust as part of their secure-by-design strategy, the percentage of memory-safe vulnerabilities in Android has gone down by 52%. Over the last 6 years, it’s gone from 76% to 24%.

They point out that prioritizing Safe Coding for new features not only reduces overall security risk in the codebase but also makes the transition more scalable and cost-effective. This is Google’s way of saying they want to make their platforms more secure while keeping the development process efficient and sustainable.

Google’s Rust Transition: 52% Fewer Memory Safety Vulnerabilities

Google has been making waves with its shift to memory-safe languages like Rust as part of its secure-by-design strategy. And it’s working. Memory safety vulnerabilities in the Android operating system have gone down by 52%.

Big Drop in Vulnerabilities

According to Google, the percentage of memory-safe vulnerabilities in Android has gone from 76% to 24% over the last 6 years. That’s what happens when you prioritize Safe Coding for new features. By using memory-safe languages, Google is reducing security risks and overall codebase integrity.

The Vulnerability Paradox

Interestingly, the number of memory safety vulnerabilities goes down even when you add more memory-unsafe code. This is the vulnerability paradox. This is explained by the phenomenon of vulnerability decay, which occurs when a high concentration of vulnerabilities is found in new or recently modified code.

Jeff Vander Stoep and Alex Rebert from Google said, “The problem is so bad with new code that we need to change how we write code.” They point out that as code matures, it becomes safer over time, and you get diminishing returns on rewrites as the code ages.

Memory-Safe Languages

Google started shifting new developments to memory-safe languages around 2019 and formally announced support for Rust in Android in April 2021. By being proactive, Google is staying ahead of security threats and creating a culture of safe coding practices among its developers.

Numbers

The results are in the numbers. Memory safety vulnerabilities in Android have gone down dramatically from 223 in 2019 to less than 50 in 2024. That’s not just because of memory-safe languages but also because of continuous improvement in software development practices.

Google’s Memory Safety Journey: Reducing Vulnerabilities Proactively

Google’s focus on memory safety in its software development practices has led to significant improvements in reducing vulnerabilities. This journey involves not just new languages like Rust but also a fundamental change in how we approach security in software development.

Progress in Vulnerability Reduction

A big chunk of the reduction in memory safety flaws can be attributed to the progress in combating these issues. Google has moved from reactive patching to a more proactive approach, where vulnerability discovery is the focus. Tools like Clang sanitizers are now used to find vulnerabilities before they can be exploited so developers can fix issues early in the development process.

I like this approach. It’s a broader trend in the tech industry to prioritize security from the start rather than as an afterthought. This approach not only makes the software more secure but also creates a culture of responsibility among developers.

Evolving Memory Safety

Google says memory safety strategies need to evolve and prioritize “high-assurance prevention.” This means incorporating secure-by-design principles that embed security into the very foundations of the code. Jeff Vander Stoep and Alex Rebert said, “Instead of focusing on the interventions applied (mitigations, fuzzing) or trying to use past performance to predict future security, Safe Coding allows us to make strong assertions about the code’s properties and what can or cannot happen based on those properties.” I like this perspective because it’s about understanding the underlying properties of the code rather than just applying band-aids. This foundational approach leads to more robust and resilient software systems.

Interoperability Over Rewrites

In addition to memory-safe languages, Google is focusing on interoperability between Rust, C++, and Kotlin. This is seen as a “practical and incremental” way to adopt memory-safe languages without the need for full code rewrites. By making it seamless to integrate these languages, Google is eliminating entire classes of vulnerabilities while preserving the functionality of existing systems.

From my experience, this makes a lot of sense. Many organizations have legacy code, and the idea of rewriting entire codebases can be scary and resource-intensive. By promoting interoperability, Google is giving developers a more manageable way to improve security without sacrificing productivity.

Vulnerability Decay

Google’s approach shows a new way of managing vulnerabilities. “Adopting Safe Coding in new code is a paradigm shift. We can leverage the natural decay of vulnerabilities to our advantage even in large existing systems,” they said. This is simple: by stopping the introduction of new vulnerabilities, existing vulnerabilities decay exponentially, and we have safer code overall.

I like this approach because it’s long-term thinking. While immediate fixes are important, we should also focus on creating a sustainable and secure coding environment.

Security and Scalability

This approach not only makes security design more effective but also solves the scalability problems of traditional memory safety approaches. By applying these strategies more targeted, Google can keep its software secure as it grows.

In my opinion, this is key to the future of software development. As applications become more complex, we’ll need to maintain security without overwhelming developers with constant rewrites or patches.

Google Collaborates with Arms to Improve Android Security

Google has announced more collaboration with Arm’s product security and GPU engineering teams. This will help identify multiple issues and improve the security of the GPU software and firmware stack across the Android ecosystem.

Memory Issues

As part of this collaboration, Google found two memory issues in Pixel’s custom driver code, CVE-2023-48409, and CVE-2023-48421. Another issue with Arm Valhall GPU firmware and 5th Gen GPU architecture firmware, CVE-2024-0153.

This shows the importance of proactive security in the Android platform. I like how Google is taking a proactive approach to fixing these vulnerabilities. It’s a commitment to user data and overall device security. Finding these vulnerabilities is especially important as we rely more and more on our mobile devices for sensitive tasks like online banking and personal communications.

Proactive Testing

Google and Arm said, “Proactive testing is good hygiene as it can lead to finding and fixing new vulnerabilities before they’re exploited.” I like this, as it’s in line with the broader trend in the industry to prioritize security from the start rather than just reacting to problems.

In my opinion, this is key in today’s fast-paced digital world, where new vulnerabilities can pop up at any time. By finding and fixing issues early in the development process, companies can reduce the risk of exploitation and user trust. Proactive testing not only finds vulnerabilities but also creates a security-aware culture among developers to prioritize secure coding throughout the development lifecycle.

Android Ecosystem

The Google and Arm collaboration is especially important as Android devices are used by billions of people globally. With billions of active devices, securing the Android ecosystem is critical. This partnership will create a more robust security framework that can adapt to emerging threats and vulnerabilities.

As mobile devices become increasingly integrated into our daily lives, the impact of security breaches grows. From personal data theft to unauthorized access to sensitive information, the consequences of vulnerabilities are severe. Google and Arm are taking proactive steps to mitigate these risks to users.

Future

Going forward, this could be a model for how tech companies approach security. As the cybersecurity landscape evolves, partnerships like this may become more common and highlight the need for shared responsibility in user data protection.

GPU security is especially important as GPUs are the heart of modern computing, from mobile gaming to AI applications. Securing the GPU software and firmware is key to the overall device’s security.

At OverviewTrip, our mission is to inspire every traveler’s spirit of exploration. Through our blog, you will find travel inspiration, practical advice, and real stories to help you plan your next adventure.

Quick Links

Contact Us

[email protected]

Jl. Bukit Patas, Beng, Kec. Gianyar, Kabupaten Gianyar, Bali 80513

News letter

Thank you for your support and trust. Let’s explore the beauty of the world together!

Copyright © 2021. All rights reserved.