The programming language that wants to rescue the world from dangerous code - Protocol — The people, power and politics of tech
The programming language that wants to rescue the world from dangerous code

Rust, a language developed by Mozilla with enthusiastic backers across the software community, wants to save developers from making their biggest mistakes

The world's best software developers have a not-so-well-kept secret: Most of the crucial back-end systems that power the world rest on a precarious foundation of software held together with the digital equivalent of popsicle sticks and chewing gum. But they're also excited about an emerging programming language that promises something better.

For the fourth consecutive year, Rust topped Stack Overflow's 2020 survey of the "most loved" programming languages in software development, and there are some easy-to-understand reasons why. Rust was designed to prevent developers from making memory-handling mistakes that can lead to damaging (and prevalent) security flaws, and it also helps those developers figure out why their software isn't working.

That's why the language is increasingly gaining momentum, as a new generation of companies start to rewrite their critical infrastructure for the cloud computing era. AWS used Rust to build Firecracker, an open-source serverless computing platform that runs the company's strategically important Lambda and Fargate services. Dropbox rewrote some of its core systems software in Rust as part of the process of rolling out its own hardware infrastructure. And at Mozilla, where Rust was originally developed, the language was used to build the core browsing engine at the heart of Firefox.

Those companies are all hoping to avoid the security mistakes of the past. Rust may have its own issues — it's particularly difficult to learn, for instance — but it's "the industry's best chance for addressing this issue head-on," said Ryan Levick, principal cloud developer advocate at Microsoft, in a recent talk.

Lessons from the past

Over the last few decades, a huge percentage of the low-level systems software that controls the world's computers has been written in a language called C++, which was first released in 1985 and became a big part of Microsoft's product strategy. C++ is a powerful and efficient language that introduced the object-oriented programming concepts, now present in so many languages, to the seminal C language. But it has one glaring drawback.

It is very, very easy for programmers using C++ to make memory-handling mistakes. And according to Levick, over the last 15 years or so, around 70% of the security vulnerabilities in Microsoft products that required a CVE disclosure were memory-related.

Those mistakes allow malicious attackers to flood a region of memory with more data than it was meant to hold, creating a "buffer overflow" that can overwrite data in adjacent memory and allow attackers to run code without the user's knowledge or consent. "C++, at its core, is not a safe language," Levick said in his talk.

By design, Rust prevents developers from making those mistakes.
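
As an added illustration (not code from the article, its sources or the Rust project), the sketch below shows what "by design" means for the buffer overflow described above: a write past the end of a fixed-size buffer is either refused or stops the program, and never reaches neighboring data. The names `Record`, `store_checked`, `store_indexed` and `overflow_attempt` are hypothetical, and the inputs are constructed.

```rust
use std::panic;

const NAME_LEN: usize = 8;

/// Constructed example: a fixed-size name field stored alongside a flag an
/// attacker would like to flip. In C or C++ an unchecked copy into `name`
/// can run past its end and overwrite whatever memory follows it.
struct Record {
    name: [u8; NAME_LEN],
    is_admin: bool,
}

/// Checked copy: refuses input that does not fit instead of overflowing.
/// Returns the number of bytes stored.
fn store_checked(rec: &mut Record, input: &[u8]) -> Result<usize, String> {
    let dst = rec
        .name
        .get_mut(..input.len())
        .ok_or_else(|| format!("{} bytes exceed {}-byte field", input.len(), NAME_LEN))?;
    dst.copy_from_slice(input);
    Ok(input.len())
}

/// Naive byte-by-byte copy with plain indexing, the pattern that overflows in
/// C. Rust bounds-checks every `rec.name[i]`, so an oversized input panics at
/// index 8 rather than writing outside the array.
fn store_indexed(rec: &mut Record, input: &[u8]) {
    for (i, b) in input.iter().enumerate() {
        rec.name[i] = *b;
    }
}

/// Runs the naive copy with oversized input and reports (panicked, is_admin).
fn overflow_attempt() -> (bool, bool) {
    let mut rec = Record { name: [0; NAME_LEN], is_admin: false };
    let oversized = [0xFFu8; 16]; // constructed input, twice the field size
    let result = panic::catch_unwind(panic::AssertUnwindSafe(|| {
        store_indexed(&mut rec, &oversized);
    }));
    (result.is_err(), rec.is_admin)
}

fn main() {
    let mut rec = Record { name: [0; NAME_LEN], is_admin: false };
    println!("{:?}", store_checked(&mut rec, b"alice"));
    println!("{:?}", store_checked(&mut rec, &[0x41; 16]));
    println!("{:?}", overflow_attempt());
}
```

The panic in `store_indexed` is a controlled crash rather than memory corruption, so the failure becomes an availability bug rather than a route to code execution; `store_checked` is the form that also keeps the program running.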

"For years and years, Microsoft has been trying to get its C++ developers to use best practices and write more secure code," said Nell Shamrell-Harrington, senior staff research engineer at Mozilla and one of the people working directly on the advancement of the language. "In Rust, that security is built into the code itself."

Rust also helps developers debug their code by providing hints and pointers when their software isn't working, rather than just throwing out a vague error message, Shamrell-Harrington said. In some cases it will pinpoint the exact line of code that needs fixing, she said, saving developers a ton of time and anxiety.

The downside? Rust has a steep learning curve. "I would not recommend anybody use it as their first language, and maybe their second," Shamrell-Harrington said. Newcomers to Rust find it fairly easy to learn the basics, she said, but struggle when trying to move into the intermediate stage.

The numbers bear that out: Only 3.2% of developers surveyed by Stack Overflow actually use Rust on a regular basis. Twice as many people are still using Assembly, a low-level machine language that dates back to the 1940s. In fact, one of Shamrell-Harrington's jobs is to help produce content for the developer community that will bridge the knowledge gap and make it a more widely used language.

The one of many?

Rust is by no means the only modern programming language that provides memory safety for its users. Longtime stalwart Java offers some memory-handling protections. And Swift, Apple's iOS-friendly application development language, also puts strict boundaries around memory handling.

But they're high-level languages, which trade efficiency to gain ease of use. In comparison, Rust was designed for writing the sorts of lower-level systems software that runs the internet, offering performance at the same level provided by C++ and well beyond the capabilities of languages such as Java and Swift.

Perhaps Rust's main rival is Go, developed at Google, which is also used for system-level development and emphasizes memory safety. It's currently used more widely than Rust and is also considered easier to learn — but has less cachet among developers according to Stack Overflow's survey and lacks some of Rust's features.

As more and more business activity flows through software delivered over the internet, secure software has never been more important. If the best way to prevent 70% of serious security vulnerabilities is to adopt a programming language that makes it impossible to introduce memory-related security flaws, expect to see a lot more Rust in the future.

Tom Krazit

Tom Krazit (@tomkrazit) is a senior reporter at Protocol, covering cloud computing and enterprise technology out of the Pacific Northwest. He has written and edited stories about the technology industry for almost two decades for publications such as IDG, CNET, paidContent, and GeekWire, and served as executive editor of Gigaom and Structure.
