Published in Mobiles

Rust killing off memory safety issues in Android

by on02 December 2022

Some things are best left to rust quietly

Google has noticed that since it announced Android Open Source Project (AOSP) support for Rust, memory safety vulnerabilities have fallen.

Writing in its collective bog, Google said the "number of memory safety vulnerabilities have dropped considerably over the past few years/releases."

Memory safety vulnerabilities fell from 223 to 85 between 2019 and 2022. They are now 35 per cent of Android's total vulnerabilities versus 76 per cent four years ago.

"2022 is the first year where memory safety vulnerabilities do not represent most of Android's vulnerabilities," Google said.
That count is for "vulnerabilities reported in the Android security bulletin, which includes critical/high severity vulnerabilities reported through our vulnerability rewards program (VRP) and vulnerabilities reported internally."

During that period, the amount of new memory-unsafe code entering Android has decreased: "Android 13 is the first Android release where a majority of new code added to the release is in a memory-safe language. "

Rust makes up 21 per cent of all new native code in Android 13, including the Ultra-wideband (UWB) stack, DNS-over-HTTP3, Keystore2, Android's Virtualization framework (AVF), and "various other components and their open source dependencies."

Google considers it significant that there have been "zero memory safety vulnerabilities discovered in Android's Rust code" so far across Android 12 and 13.

Google's blog mentioned non-memory-safety vulnerabilities and its plans: "We're implementing userspace HALs in Rust. We're adding support for Rust in Trusted Applications. We've migrated VM firmware in the Android Virtualization Framework to Rust. With support for Rust landing in Linux 6.1 we're excited to bring memory-safety to the kernel, starting with kernel drivers.


Last modified on 02 December 2022
Rate this item
(3 votes)

Read more about: