In July this year, Microsoft had announced its plans to experiment using the Rust programming language as an alternative to C, C++ to improve the security of its software.
Last month, the company revealed that their experiments with Rust over C and C++ were successful, albeit with some features missing.
Microsoft on Tuesday announced its research initiative, dubbed Project Verona, which involves creating a new Rust-based programming language to make Windows 10 more secure.
So, why is Microsoft doing this? According to Microsoft, the majority of the bugs discovered and patched these days are related to memory safety flaws hiding in old Windows code written in C or C++.
‘Memory safety’ is the term for coding frameworks that help protect memory space from various software bugs and security vulnerabilities. The Project Verona aims to make Windows 10 more secure by closing that attack vector.
Since 70% of security vulnerabilities usually occur in C and C ++, ‘memory safe’ Rust programming language will allow developers to code without having to worry about memory safety bugs, reports ZDNet.
Matthew Parkinson, a Microsoft researcher from the Cambridge Computer Lab in the UK, in a recent talk, focused on what the company is doing to address these memory issues. The company is working with MemGC (Memory Garbage Collector) for Internet Explorer (IE) and Edge.
“MemGC addressed vulnerabilities in the standard browser feature known as a Document Object Model (DOM), a representation of the data used by browsers to interpret web pages. Google’s elite Project Zero hackers were impressed with Microsoft’s MemGC after canvassing major browsers,” said Parkinson.
“We built a garbage collector (GC) for the DOM. That big bulge in use-after-free was basically people finding ways of exploiting memory management in the DOM engine in IE. And then [Microsoft] introduced MemGC, which is a conservative GC for the DOM. It was very targeted at this particular style of vulnerability and then basically eradicated that as an attack vector.”
To make coding more secure, Microsoft is rewriting some targeted components in Rust, as it is not possible to rewrite everything from scratch.
“If we want compartments, and to carve up the legacy bits of our code so [attackers’] exploit code can’t get out, what do we need in the language design that can help with that?”
Currently, the programming language that Microsoft is internally working on is referred to as “safe infrastructure programming”. The company has plans to make Project Verona open-source in the short term.