Google continues its work on porting Android to Rust 


Google is already working on the migration of different Android components to Rust

For several months now, we have been sharing news here on the blog about the support and acceptance Rust has gained in different projects and developments, many of them heavyweights such as Linux, Windows and even Android.

Despite this acceptance by the big players, the move to Rust is not easy: even to be accepted as a second programming language in the Linux kernel, it had to go through quite a lot before Linus Torvalds gave it his approval.

Google has been no exception. For several months it has been introducing Rust into many of its projects, and Android is one of them, with a fairly controlled migration under way. As part of its efforts to strengthen the security of the platform's critical software components, Google has now announced that it has completed the migration of the Android Virtualization Framework's protected VM (pVM) firmware to Rust.

This firmware is used to organize the operation of virtual machines launched by Android's pVM hypervisor. Previously, the firmware was written in C and implemented on top of the U-Boot bootloader, in whose code vulnerabilities caused by memory problems had been found.

The pVM hypervisor takes control at an early stage of startup and provides complete isolation of virtual machine memory from the host environment, preventing the host system from accessing protected virtual machines that process sensitive data. The pvmfw (Protected Virtual Machine Firmware) firmware takes control immediately after the virtual machine boots, verifies the generated environment and decides to abort the boot if integrity problems are detected or generates a boot certificate for the guest system if the chain of trust.

The rewrite in Rust makes it easier and safer to comply with Google's "rule of two" for keeping Android system components safe. According to this rule, any added code must meet no more than two of three conditions: working with unvalidated input data, using an unsafe programming language (C/C++), and running with elevated privileges. The rule implies that code that processes external data must either be reduced to least privilege (isolated) or be written in a safe programming language. According to Google statistics, approximately 70% of all dangerous vulnerabilities identified in Android are due to errors when working with memory.

Among the difficulties that arise when developing low-level components such as drivers in Rust, the need to work with pointers in unsafe mode is mentioned, since Rust was designed with memory allocated within the language itself in mind.

Among the disadvantages, it is also worth highlighting the need for improved syntax for accessing structure fields and array indexes through raw pointers without creating references, as well as limitations on creating safe bindings around unsafe operations that can cause undefined behavior and cannot be checked by the compiler.
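The raw-pointer pattern described in the two paragraphs above, as an added example that is not taken from Google's pvmfw code: the `Regs` layout, the function names and the values are constructed for illustration. It reads and writes struct fields and array slots through raw pointers with `addr_of!`/`addr_of_mut!`, never creating a reference, and has to do its own bounds checks because the compiler cannot.

```rust
use core::mem::size_of;
use core::ptr::{addr_of, addr_of_mut};

// Constructed layout (not from pvmfw). `packed` puts `len` at offset 1, so
// `&(*p).len` would be a misaligned reference; only raw pointers are valid.
#[repr(C, packed)]
pub struct Regs {
    pub status: u8,
    pub len: u32,
    pub data: [u16; 4],
}

/// # Safety: `p` must point to `size_of::<Regs>()` readable and writable bytes.
pub unsafe fn set_len(p: *mut Regs, v: u32) {
    // Field projection on a raw pointer: no `&mut` is ever materialized.
    unsafe { addr_of_mut!((*p).len).write_unaligned(v) }
}

/// # Safety: same contract as `set_len`.
pub unsafe fn get_len(p: *const Regs) -> u32 {
    unsafe { addr_of!((*p).len).read_unaligned() }
}

/// # Safety: same contract as `set_len`.
pub unsafe fn write_slot(p: *mut Regs, i: usize, v: u16) -> bool {
    // Pointer arithmetic is unchecked, so the bounds check is done by hand.
    if i >= 4 { return false; }
    unsafe { addr_of_mut!((*p).data).cast::<u16>().add(i).write_unaligned(v) };
    true
}

/// # Safety: same contract as `set_len`.
pub unsafe fn read_slot(p: *const Regs, i: usize) -> Option<u16> {
    if i >= 4 { return None; }
    Some(unsafe { addr_of!((*p).data).cast::<u16>().add(i).read_unaligned() })
}

pub fn demo() -> (u32, Option<u16>, Option<u16>, bool) {
    let mut backing = [0u8; size_of::<Regs>()]; // constructed stand-in for device memory
    let p = backing.as_mut_ptr().cast::<Regs>(); // align_of::<Regs>() == 1
    let out = unsafe {
        set_len(p, 0xAABB_CCDD);
        write_slot(p, 3, 0x1234);
        (get_len(p), read_slot(p, 3), read_slot(p, 4))
    };
    let at_offset_1 = backing[1..5] == 0xAABB_CCDDu32.to_ne_bytes();
    (out.0, out.1, out.2, at_offset_1)
}

fn main() { println!("{:?}", demo()); }
```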

It is worth mentioning that the new firmware rewritten in Rust is included in Android 14, and the general-purpose libraries created during firmware development have been packaged as crates and handed over to the Rust community. As for code size, the previous version of the pVM firmware occupied 220 kB while the new code occupies 460 kB, but the rewritten version adds new features that made it possible to get rid of some other components used during boot.

As a result, the total size of all the old and new boot components turned out to be comparable. It should be noted that when size is more important than performance, results comparable to those of C can be achieved by enabling additional size optimization modes in the compiler, discarding unnecessary dependencies, and not using string formatters.

Finally, if you are interested in knowing more about it, you can check the details in the following link

