The programming language that wants to rescue the world from dangerous code

Rust, a language developed by Mozilla with enthusiastic backers across the software community, wants to save developers from making their biggest mistakes


The world's best software developers have a not-so-well-kept secret: Most of the crucial back-end systems that power the world rest on a precarious foundation of software held together with the digital equivalent of popsicle sticks and chewing gum. But they're also excited about an emerging programming language that promises something better.

For the fourth consecutive year, Rust topped Stack Overflow's 2020 survey of the "most loved" programming languages in software development, and there are some easy-to-understand reasons why. Rust was designed to prevent developers from making memory-handling mistakes that can lead to damaging (and prevalent) security flaws, and it also helps those developers figure out why their software isn't working.

That's why the language is increasingly gaining momentum, as a new generation of companies start to rewrite their critical infrastructure for the cloud computing era. AWS used Rust to build Firecracker, an open-source serverless computing platform that runs the company's strategically important Lambda and Fargate services. Dropbox rewrote some of its core systems software in Rust as part of the process of rolling out its own hardware infrastructure. And at Mozilla, where Rust was originally developed, the language was used to build the core browsing engine at the heart of Firefox.

Those companies are all hoping to avoid the security mistakes of the past. Rust may have its own issues — it's particularly difficult to learn, for instance — but it's "the industry's best chance for addressing this issue head-on," said Ryan Levick, principal cloud developer advocate at Microsoft, in a recent talk.

Lessons from the past

Over the last few decades, a huge percentage of the low-level systems software that controls the world's computers has been written in a language called C++, which was first released in 1985 and became a big part of Microsoft's product strategy. C++ is a powerful and efficient language that introduced the object-oriented programming concepts, now present in so many languages, to the seminal C language. But it has one glaring drawback.

It is very, very easy for programmers using C++ to make memory-handling mistakes. And according to Levick, over the last 15 years or so, around 70% of the security vulnerabilities in Microsoft products that required a CVE disclosure were memory-related.

Those mistakes allow malicious attackers to write more data into a region of memory than it was meant to hold, creating a "buffer overflow" that can overwrite adjacent data in memory and allow attackers to run code without the user's knowledge or consent. "C++, at its core, is not a safe language," Levick said in his talk.

By design, Rust prevents developers from making those mistakes.
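
The bounds checking behind that claim, as an added example (not code from the article or from any company it mentions): safe Rust refuses an oversized copy into a fixed buffer, so the data next to it is never touched. The `Session` struct, `set_name`, `indexed_write_is_stopped` and the sample inputs are constructed for illustration.

```rust
// Constructed example: a fixed-size buffer stored next to security-relevant state.
#[derive(Debug, PartialEq)]
struct Session {
    name: [u8; 8],  // fixed-size buffer
    is_admin: bool, // adjacent data that an overflow could clobber in C or C++
}

#[derive(Debug, PartialEq)]
enum CopyError {
    TooLong { len: usize, capacity: usize },
}

/// Copy `input` into the fixed buffer, refusing anything that does not fit.
fn set_name(session: &mut Session, input: &[u8]) -> Result<(), CopyError> {
    let capacity = session.name.len();
    // `get_mut` returns None instead of handing out a slice past the end.
    let dest = session
        .name
        .get_mut(..input.len())
        .ok_or(CopyError::TooLong { len: input.len(), capacity })?;
    dest.copy_from_slice(input);
    Ok(())
}

/// Plain indexing is bounds-checked too: an out-of-range write panics
/// instead of landing outside the array. Returns true if it was stopped.
fn indexed_write_is_stopped(index: usize) -> bool {
    let result = std::panic::catch_unwind(|| {
        let mut buf = [0u8; 8];
        buf[index] = 0x41; // checked at run time against buf.len()
        buf
    });
    result.is_err()
}

fn main() {
    let mut s = Session { name: [0; 8], is_admin: false };
    println!("short input: {:?}", set_name(&mut s, b"alice"));
    println!("64-byte input: {:?}", set_name(&mut s, &[0x41; 64]));
    println!("is_admin after rejected copy: {}", s.is_admin);
    println!("write at index 12 stopped: {}", indexed_write_is_stopped(12));
}
```
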

"For years and years, Microsoft has been trying to get its C++ developers to use best practices and write more secure code," said Nell Shamrell-Harrington, senior staff research engineer at Mozilla and one of the people working directly on the advancement of the language. "In Rust, that security is built into the code itself."

Rust also helps developers debug their code by providing hints and pointers when their software isn't working, rather than just throwing out a vague error message, Shamrell-Harrington said. In some cases it will pinpoint the exact line of code that needs fixing, she said, saving developers a ton of time and anxiety.

The downside? Rust has a steep learning curve. "I would not recommend anybody use it as their first language, and maybe their second," Shamrell-Harrington said. Newcomers to Rust find it fairly easy to learn the basics, she said, but struggle when trying to move into the intermediate stage.

The numbers bear that out: Only 3.2% of developers surveyed by Stack Overflow actually use Rust on a regular basis. Twice as many people are still using Assembly, a low-level machine language that dates back to the 1940s. In fact, one of Shamrell-Harrington's jobs is to help produce content for the developer community that will bridge the knowledge gap and make it a more widely used language.

The one of many?

Rust is by no means the only modern programming language that provides memory safety for its users. Longtime stalwart Java offers some memory-handling protections. And Swift, Apple's iOS-friendly application development language, also puts strict boundaries around memory handling.

But they're high-level languages, which trade efficiency to gain ease of use. In comparison, Rust was designed for writing the sorts of lower-level systems software that runs the internet, offering performance at the same level provided by C++ and well beyond the capabilities of languages such as Java and Swift.

Perhaps Rust's main rival is Go, developed at Google, which is also used for system-level development and emphasizes memory safety. It's currently used more widely than Rust and is also considered easier to learn — but has less cachet among developers according to Stack Overflow's survey and lacks some of Rust's features.

As more and more business activity flows through software delivered over the internet, secure software has never been more important. If the best way to prevent 70% of serious security vulnerabilities is to adopt a programming language that makes it impossible to introduce memory-related security flaws, expect to see a lot more Rust in the future.
