New System Auto-Converts C To Memory-Safe Rust, But There's a Catch
- Reference: 0175822435
- News link: https://developers.slashdot.org/story/25/01/03/133213/new-system-auto-converts-c-to-memory-safe-rust-but-theres-a-catch
The technique, [2]detailed in a new paper, requires programmers to use a restricted version of C called "Mini-C" that excludes features like pointer arithmetic. The researchers successfully tested their conversion system on two major code libraries, including the 80,000-line HACL* cryptographic library. Parts of the converted code have already been integrated into Mozilla's NSS and OpenSSH security systems, according to the researchers. Memory safety errors account for 76% of Android vulnerabilities in 2019.
[1] https://www.theregister.com/2025/01/03/mini_c_microsoft_inria/
[2] https://arxiv.org/abs/2412.15042
Life (Score:2)
So you will be hamstrung either way, it's just now your choice how you are hamstrung.
Pointless (Score:3)
Restricted C missing "dangerous" things such as pointers is already a thing and has been for decades. Google MISRA-C, which is used in the defense industry. Converting it to Rust will gain you nothing except reducing the number of devs who can work on it and hence raise your costs.
Re: Pointless (Score:2)
"pointer" does not mean the same thing as "pointer arithmetic"
Re: Pointless (Score:4, Insightful)
[1]MISRA-C was originally for the automotive industry.
The rules range from "of course" to "wtf were you thinking when you made this rule", but ten or so years ago when I was using IAR C which lets you individually enable each rule, I enabled a bunch of them that were about things I sensibly shouldn't be doing.
These days I'm mostly using gcc or clang, and I try to "-Wall -Werror -Wextra" whenever I can. "-Wextra" has a lot of static analysis checks, and some of the more recent checks can be annoying, especially when printf functions are involved. But if you don't build with at least "-Wall -Werror" all the time, then you're probably part of the problem.
[1] https://en.wikipedia.org/wiki/MISRA_C
So if your C code is already memory safe ... (Score:3)
... it can now automatically be converted to Rust.
So, why not just write Rust code to start with?
Re: (Score:3)
Having trained up an entire Rust dev team, let me just help you:
1. It's really hard to find anyone who's got actual dev experience. You can only hire so many juniors per year.
2. Writing code in Rust is really hard for many people who are perfectly fine programmers in C.
3. If they cannot write in C, they have zero chance of writing in Rust.
Re: (Score:3)
> So, why not just write Rust code to start with?
Because a lot of code is already in C and it is easier to rework the tricky parts than to redo the whole thing from scratch?
undergraduate work makes /. news (Score:3)
"Memory safety errors account for 76% of Android vulnerabilities in 2019."
Seems kinda surprising, but why quote a project from 2019? More importantly, how many "memory safety errors" were fixed in converting these "two major code libraries"?
And finally, who gives a shit about cherry picking a subset of C that does not use pointers? How many "memory safety errors" exist in C code that doesn't use pointers? Let's select safe code that maps directly to our target language and write a translator for that! Will be useful to no one!
Re: (Score:2)
"And finally, who gives a shit about cherry picking a subset of C that does not use pointers?"
I only read the abstract. Does the paper actually say it cannot convert code that uses pointers? I would be surprised if that were true. Are you confusing floating-point arithmetic with pointers?
Re: (Score:3)
It doesn't include pointer arithmetic. You can still use pointers for doing things like linked lists, pass-by-reference, etc. but you're limited in many ways.
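An added illustration of the distinction drawn in this comment (not code from the paper, from HACL*, or from any poster): a loop written with pointer arithmetic, which the summary says Mini-C excludes, beside pointer uses that need none of it (pass-by-reference, a linked list), with the indexed version carrying the explicit bounds check that a Rust slice index would perform at run time. What "Mini-C" forbids is assumed here only from the summary's description.

```c
/* Added illustration; not code from the paper, HACL*, or anyone in this
 * thread. "Mini-C" is taken, per the summary, to mean C without pointer
 * arithmetic; the real subset's rules are not listed on this page. */
#include <stddef.h>

/* Pointer arithmetic: the loop moves the pointer itself and trusts len.
 * This is the style the summary says Mini-C rules out. */
int sum_ptr_arith(const int *p, size_t len) {
    int total = 0;
    const int *end = p + len;          /* arithmetic on the pointer */
    while (p < end) total += *p++;     /* and again on each step */
    return total;
}

/* Same computation with indexing only, checked against an explicit
 * capacity. Passing the result through *out is a plain pointer use,
 * not arithmetic. A translator can map arr[i] to a Rust slice index,
 * which Rust bounds-checks at run time. Returns 0 on success, -1 if the
 * request would run past the array. */
int sum_indexed(const int arr[], size_t cap, size_t len, int *out) {
    if (len > cap) return -1;
    int total = 0;
    for (size_t i = 0; i < len; i++) total += arr[i];
    *out = total;
    return 0;
}

/* A singly linked list uses pointers too, but only follows links;
 * no arithmetic is needed to traverse it. */
struct node { int value; struct node *next; };

size_t list_length(const struct node *head) {
    size_t n = 0;
    for (const struct node *cur = head; cur != NULL; cur = cur->next) n++;
    return n;
}

/* Constructed sample input for the demo functions below. */
static const int SAMPLE[4] = {1, 2, 3, 4};

int demo_checked_sum(size_t len) {
    int out = 0;
    return sum_indexed(SAMPLE, 4, len, &out) == 0 ? out : -1;
}

size_t demo_list_length(void) {
    struct node nodes[3] = { {1, NULL}, {2, NULL}, {3, NULL} };
    nodes[0].next = &nodes[1];
    nodes[1].next = &nodes[2];
    return list_length(&nodes[0]);
}
```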
Re: undergraduate work makes /. news (Score:3)
No, he's doing the same crap rust haters typically do: skimming over shit, not bothering to understand it, and then making laughably ill-informed statements about the language.
In this case, he's confusing pointer arithmetic with pointers. It's a pretty big distinction and pretty hard to fuck up, but he managed to do it anyways. He is the kind of developer who goes around talking about why you don't need memory safety because people like himself never make mistakes, only the other "bad" developers do, and th
Re: (Score:2)
The article and the summary say that the conversion will not work for code that uses pointer arithmetic. I'm sure that general pointers (such as pointers to arrays) are probably workable.
The gist of it, though, seems to be, "first write safe C code using a minimal subset of the language, then our program will convert it to Rust." So the program is currently of minimal use.
Android apps in C? (Score:2)
> "Memory safety errors account for 76% of Android vulnerabilities in 2019."
This statement seems out of place. Aren't the overwhelming majority of Android apps written in Java or Kotlin (which is based on Java)?
Or at least, wouldn't that have been the case 5 years ago (in 2019)?
So how's a C converter going to help with that?
Re: (Score:2)
They're probably talking about vulnerabilities in the Android OS itself and the native libraries it includes out-of-the-box.
Theoretically... (Score:1, Interesting)
Theoretically, if you can convert Mini-C directly to Rust, then the exact same safety guarantees could be applied to the Mini-C code by the compiler or a linter.
Re: (Score:3)
I suspect most mission-critical code that is at risk for memory leak vulnerabilities already fails to meet the requirements, and so this converter won't help. At least not in its current form. It's still neat though.
I understand the need for a more memory-safe low-level language. I understand that professional, veteran, highly-skilled developers have left many memory leaks behind in their code. The argument that "if you know what you are doing and you use good coding practices you can avoid these mistak
Re: (Score:2)
Needs a runtime too, bounds checking can't always be optimized away.
But with Rust you get at least some safe code you can interop with.