Can Secure Software be Developed in Rust? On Vulnerabilities and Secure Coding Guidelines

Espinha Gasiba, Tiago; Amburi, Sathwik; Iosif, Andrei-Cristian

Home // International Journal On Advances in Security, volume 17, numbers 1 and 2, 2024 // View article

Can Secure Software be Developed in Rust? On Vulnerabilities and Secure Coding Guidelines

Authors:
Tiago Espinha Gasiba
Sathwik Amburi
Andrei-Cristian Iosif

Keywords: Cybersecurity; Software development; Industry; Software; Vulnerabilities; Rust Programming Language

Abstract:
Since the Rust programming language was accepted into the Linux Kernel, it has gained significant attention from the software developer community and the industry. Rust has been developed to address many traditional software problems, such as memory safety and concurrency. Consequently, software written in Rust is expected to have fewer vulnerabilities and be more secure. However, a systematic analysis of the security of software developed in Rust is still missing. The present work aims to close this gap by analyzing how Rust deals with typical software vulnerabilities. We compare Rust to C, C++, and Java, three widely used programming languages in the industry, regarding potential software vulnerabilities. We also highlight ten common security pitfalls in Rust programming that we think software developers and stakeholders alike should be wary of. Our results are based on a literature review and interviews with industrial cybersecurity experts. We conclude that, while Rust improves the status quo compared to the other programming languages, writing vulnerable software in Rust is still possible. Our research contributes to academia by enhancing the existing knowledge of software vulnerabilities. Furthermore, industrial practitioners can benefit from this study when evaluating the use of different programming languages in their projects.

Pages: 53 to 71

Publication date: June 30, 2024

Published in: journal

ISSN: 1942-2636