The Internet Security Research Group has announced that Google will provide a significant funding boost for Rustls development. Rustls is an alternative to OpenSSL, the commonly used security library that secures numerous websites and services, and it promises to deliver better internet security by reducing exposure to memory-based vulnerabilities.

Google and ISRG Partner for Rustls Development

The Internet Security Research Group (ISRG) is the development team behind Let's Encrypt, a non-profit Certificate Authority that helps secure hundreds of millions of websites with free digital certificates.

The ISRG contends that while OpenSSL and its alternatives work and provide the internet with a critical service, many existing libraries have critical security issues. The security issues stem from the fact that most SSL/TLS libraries are written in languages like C, which has extensive support but isn't memory safe.

That's where Rustls steps in. Rust, the programming language behind Rustls, is a memory-safe language. The new security implementation has been third-party audited and confirmed secure.

The ISRG's official announcement confirms that, with Google's financial backing, the Internet Security Research Group has contracted experienced Rust developer Dirkjan Ochtman to make several key improvements to Rustls (a project Ochtman already contributes to).

The improvements include:

  • Enforce a no-panic policy to eliminate the potential for undefined behavior when Rustls is used across the C language boundary.
  • Improve the C API so that Rustls can even more easily be integrated into existing C-based applications. Merge the C API into the main Rustls repository.
  • Add support for validating certificates that contain an IP address in the subject alternate name extension.
  • Make it possible to configure server-side connections based on client input.

The improvements to Rustls should make the security library a more attractive proposition for projects currently using OpenSSL and other alternative libraries.

Are Memory Safety Bugs a Major Issue?

They definitely can be, especially if exploited by an attacker with sufficient knowledge. Memory safety bugs such as use-after-free and out-of-bounds writes (or reads) can result in data corruption, data loss, and more.

According to the ISRG, between 60 and 70 percent of vulnerabilities affecting iOS and macOS in recent years are, or relate to, memory safety bugs. Microsoft estimates that 70 percent of vulnerabilities relate to memory safety, while Google estimates that 90 percent of Android vulnerabilities are memory safety issues.

Programming languages like C and C++ aren't going to disappear. They're ingrained and a vital part of many services. But by upgrading projects like Rustls and making them more appealing, we can address legacy issues with those programming languages.