Rust has also arrived on Chromium
Google unveiled recently through a publication lThe inclusion of the Rust programming language among the languages allowed in the Chromium project code.
It is mentioned that for inclusion there are a series of requirements for third-party Rust libraries that request integration into the Chromium codebase, for example, the library must outperform its peers in speed, memory consumption, and stability, or be the only implementation of a given technology.
Rust libraries are also acceptable when the functionality can be executed in a privileged process, or when using the library reduces the risk of bugs compared to other libraries or C++ code. It has not yet been decided which libraries can be included in Chromium.
Decision was taken as part of an initiative to prevent memory errors from appearing in the Chrome codebase. According to statistics provided two years ago, 70% of critical and dangerous security issues in Chromium are due to memory errors.
The use of the Rust language, which focuses on safe memory management and provides automatic memory management, it will reduce the risk of vulnerabilities caused by issues such as accessing an area of memory after it has been freed and buffer overflow.
Safe memory handling is provided in Rust at compile time by reference checking, tracking object ownership and object lifetime (scope), as well as evaluating memory access for correctness during code execution. Rust also provides integer overflow protection, requires mandatory initialization of variable values before use, handles errors better in the standard library, enforces the concept of immutable references and variables by default, offers strong static typing for minimize logical errors.
Using Rust will make it easier and safer to apply the "rule of do" that Google uses to keep its code base safe.
According to this rule, any code you add must not meet more than two of the three conditions: work with unvalidated input, use an unsafe programming language (C/C++), and run with elevated privileges. It follows from this rule that code for handling external data must be reduced to least privileges (isolated) or written in a safe programming language.
In the case of Rust, which was originally developed with the browser in mind, integration with existing code can be done without the use of IPC and with less complexity to orchestrate memory error protection, which will speed up the development process ( requires writing less code and easier review) and reducing the number of security-related bugs.
To simplify the integration Rust code with existing C++ code and avoid the risks and limitations associated with integrating, currently it was decided to limit the one-way interaction: calling Rust from C++ (i.e. Rust code can only be called from C++ code) via API functions, but not mixed with C++ code), which will also keep the dependency tree under control.
The second limitation is only support for third-party libraries that come in the form of separate components that are not tied to Chromium and have a task-oriented API.
In addition to using Rust to block exploits of use-after-free memory vulnerabilities, starting with the release of Chrome 102, C++ code began using the MiraclePtr (raw_ptr) type instead. Ordinary which provides a pointer hook that performs additional checks to access freed memory areas and blocks if such accesses are found.
The impact of the new protection method on performance and memory consumption is estimated to be negligible.
Finally, it should be mentioned that no plans yet to rewrite existing code in Rust, but from now on third-party libraries written in Rust will be allowed to be integrated into the code base.
The build system has already added tools for compiling Rust code, running tests, and integrating Rust components with C++ code. Rust code is expected to appear as part of Chrome releases next year.
Source: https://security.googleblog.com