SOUPS 2021 - Benefits and Drawbacks of Adopting a Secure Programming Language: Rust as a Case Study
Kelsey R. Fulton and Anna Chan, University of Maryland; Daniel Votipka, Tufts University; Michael Hicks and Michelle L. Mazurek, University of Maryland
Programming languages such as Rust and Go were developed to combat common and potentially devastating memory safety-related vulnerabilities. But adoption of new, more secure languages can be fraught and complex. To better understand the benefits and challenges of adopting Rust in particular, we conducted semi-structured interviews with professional, primarily senior software developers who have worked with Rust on their teams or tried to introduce it (n = 16), and we deployed a survey to the Rust development community (n = 178). We asked participants about their personal experiences using Rust, as well as experiences using Rust at their companies. We find a range of positive features, including good tooling and documentation, benefits for the development lifecycle, and improvement of overall secure coding skills, as well as drawbacks including a steep learning curve, limited library support, and concerns about the ability to hire additional Rust developers in the future. Our results have implications for promoting the adoption of Rust specifically and secure programming languages and tools more generally.
View the full SOUPS 2021 Program at https://www.usenix.org/conference/soups2021/technical-sessions
Hi, I'm Kelsey Fulton, and today I'm going to talk about our work exploring the benefits and drawbacks of adopting a secure programming language.

To start, memory safety vulnerabilities remain a problem. As recently as May 2020, 70% of the vulnerabilities in Chrome were reported to be memory safety problems. In a similar vein, over the last 17 years, Microsoft reported that 70% of the vulnerabilities in their products were also memory safety problems. Overwhelmingly, these problems can be attributed to C and C++. So in order to rectify this issue, we might consider either fixing or replacing these languages. Mozilla attempts to do just this with their programming language Rust. Essentially, Rust attempts both safety and performance, meaning to be useful where C and C++ are hardest to replace.

So with this in mind, we might be wondering: one, what does the adoption of a secure programming language look like? And two, what benefits accrue after the adoption of a secure programming language? To explore this, we used Rust as a case study because of Rust's lack of garbage collection, and we started by interviewing senior software developers who worked at a company that had either adopted or tried to adopt Rust. We then followed up with a survey to the broader Rust community.

To start, I'm going to talk about our results in regards to learning Rust. One drawback mentioned by participants was that Rust is hard to learn. One participant felt that Rust had a near vertical learning curve. Participants mentioned that Rust was more difficult to learn than other programming languages they already knew. However, Rust is not without support for learning the language. One benefit mentioned by participants was that it's easy to find solutions to problems when working in Rust, and they attribute this to good compiler error messages (as one participant said, the compiler is good at telling you what's wrong), good official documentation, as well as the helpfulness of the Rust community.

One big benefit of Rust is that it has a positive impact on development. For example, Rust improves confidence in code correctness. Our participants felt that once they got their code to compile, they could be confident that it was correct and bug free. Rust also improves long term productivity because our participants knew they had spent less time chasing and hunting down bugs and vulnerabilities. And lastly, Rust improved safe development in other languages because our participants felt that Rust adjusted the developer mindset. Specifically, Rust teaches new paradigms and secure mental models that the developers then take with them when they work in other languages. This is exemplified by one participant who mentioned that since learning Rust, they've noticed a few of the unsafe things they've been doing in other languages.

However, despite these positive impacts, employers still express concerns about adopting Rust. One concern mentioned by our participants that their employers had was the steep learning curve. Specifically, because of the steep learning curve, developers spend a lot more time learning the language and a lot less time developing functionality. Participants also said that their employers were concerned about difficulty in hiring Rust developers. For example, one participant's company mentioned not wanting to keep a project in Rust because they were worried about having to hire new developers in the future.

So with these concerns in mind, our participants distilled some advice for security advocates who want to get a secure language adopted at their company. The first piece of advice is to demonstrate the value of Rust, specifically showing that Rust offers a measurable improvement over the current language being used. Because of the high upfront cost of the language, it's important to show that paying that high upfront cost is worth it. Participants also advise that advocates be helpful and have a good support system, specifically being willing and able to help new developers as well as building an established support system for new Rust developers. This is especially important because the language is difficult to use, and our participants mentioned that learning the language with a mentor made it much simpler.

So with this in mind, we offer some takeaways, one being that documentation, community, and feedback matter a lot, as these were all benefits mentioned by our participants. Another being that a steep learning curve can inhibit the adoption of a secure programming language, chiefly because companies have to pay up front and then benefit later, but they may not benefit at all. We may consider flattening the learning curve of the language by creating a version of Rust that allows developers to learn security concepts incrementally rather than all at once. And lastly, we could consider reducing the risk of investment for companies by creating a training pipeline of Rust developers or possibly building infrastructure for the language. I'd like to thank the NSF for sponsoring this work, and with that, I'm happy to take any questions at the live Q&A.