Google is Allowing Rust for Third-Party Libraries in Chromium

Google is allowing Rust for third-party libraries in Chromium to improve safety and security.

Google is allowing Rust for third-party libraries in Chromium, the open-source browser project behind Chrome. The goal is to give developers a simpler and safer way to speed up development and to improve the security of Chrome. Rust will initially be admitted only in the form of third-party Rust libraries, which is still a significant endorsement of the programming language and its security characteristics.

Dana Jansens, a member of the Chrome Security team, wrote in a blog post that Google is actively pursuing adding a production Rust toolchain to its build system. Rust is a programming language originally developed at Mozilla for writing a browser engine. C++ and Rust code can be bridged through interop tools such as cxx, autocxx, bindgen, cbindgen, diplomat and crubit. The main benefits the team is aiming for are a simpler isolation mechanism than IPC for risky code, less complexity at the language level, less code to write and review, and a lower bug density in the code. Together those should contribute to Chromium’s overall safety, security, and development velocity.

Rust is a community project; the language itself is a high-level, general-purpose programming language that enforces memory safety. Rust began in 2006 as a personal project of Mozilla Research employee Graydon Hoare; Mozilla later sponsored it and used it to build the Servo browser engine. Rust is designed to be memory safe because poor memory management has been the root cause of far too many vulnerabilities.

The Chrome Security team has been investing time in researching how to use Rust alongside C++ code, and writing Rust instead of C++ has implications. That research landed on two outcomes for Chromium. First, Google supports interop in a single direction, from C++ to Rust; limiting interop to one direction controls the shape of the dependency tree. Second, Google is only supporting third-party libraries, which are written as standalone components and don’t hold implicit knowledge about the implementation of Chromium. As the team puts it: “We will only support third-party libraries for now. Third-party libraries are written as standalone components, they don’t hold implicit knowledge about the implementation of Chromium. This means they have APIs that are simpler and focused on their single task. Or, put another way, they typically have a narrow interface, without complex pointer graphs and shared ownership.”

Rust guarantees temporal memory safety through static analysis that relies on two inputs: lifetimes and exclusive mutability. A Rust library is considered for integration where it is the best choice in terms of speed, memory, and bug risk; where it lets a task move into a higher-privileged process, avoiding the cost of IPC or of C++ memory-safety mitigations; or where it brings an advantage in bug risk compared with the alternatives. In its approach to the coexistence of Rust and C++ code, the Chromium team limits interop so that only C++ may call into Rust. If calls from Rust into C++ were allowed, safe Rust code would end up resting on intrinsically unsafe C++ code, and C++ developers would need to understand Rust’s aliasing and lifetime rules to avoid violating them. These are some of the complexities inherent in full interoperability. Without interop tooling support, passing pointers or references across the language boundary is risky, so narrow interfaces between the languages are critical to make writing correct code feasible. Any cross-language interop between arbitrary code runs into concepts that exist in one language but not in the other.
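As an added illustration of the narrow C++-to-Rust interface described above (this is example code written for this page, not Chromium’s code and not code from any of the interop tools named here), the following single-file Rust program exposes one hypothetical C-ABI entry point, record_parse, that a C++ caller could invoke. The only unsafe code sits at the boundary, where the raw pointer and length are checked and turned into a slice; the parsing itself is safe Rust over a borrowed slice, so the borrow checker ties the parsed payload’s lifetime to the input buffer. Results cross the boundary as plain integers written through out-parameters rather than as Rust references, so no Rust-owned memory and no shared ownership ever reaches the C++ side. The record format (one tag byte, a little-endian u16 length, then the payload), the status codes and the sample inputs are all constructed for the example.

```rust
// Added example: a Rust library with a narrow C-ABI surface for C++ callers.
// All names (record_parse, Record, STATUS_*) are hypothetical, not Chromium APIs.

use std::slice;

/// Status codes returned across the C ABI as plain integers, not Rust enums.
pub const STATUS_OK: i32 = 0;
pub const STATUS_NULL_INPUT: i32 = 1;
pub const STATUS_TRUNCATED: i32 = 2;
pub const STATUS_BAD_TAG: i32 = 3;

/// A parsed record: a one-byte tag and a borrowed payload.
#[derive(Debug, PartialEq)]
pub struct Record<'a> {
    pub tag: u8,
    pub payload: &'a [u8],
}

/// Safe core: parse `tag(1) | len(u16 little-endian) | payload(len)`.
/// It works on a borrowed slice, so `payload` cannot outlive `input`:
/// the lifetime is checked statically, which is the "lifetimes" input
/// to Rust's temporal memory safety. No unsafe code here.
pub fn parse_record(input: &[u8]) -> Result<Record<'_>, i32> {
    if input.len() < 3 {
        return Err(STATUS_TRUNCATED);
    }
    let tag = input[0];
    if tag == 0 {
        return Err(STATUS_BAD_TAG);
    }
    let len = u16::from_le_bytes([input[1], input[2]]) as usize;
    // `get` returns None instead of panicking when the declared length
    // exceeds the buffer, so a malformed header cannot read out of bounds.
    let payload = input.get(3..3 + len).ok_or(STATUS_TRUNCATED)?;
    Ok(Record { tag, payload })
}

/// The narrow FFI boundary. C++ hands over a raw pointer plus length; Rust
/// validates them once, converts to a slice, and hands back only integers.
/// A real export would add `#[no_mangle]` and a header generated by cbindgen;
/// the attribute is omitted here so the file builds under any Rust edition.
///
/// # Safety
/// `data` must be null or point to `len` readable bytes for the duration of
/// the call, and `tag_out` / `payload_len_out` must be null or valid for
/// writes. That contract is what the C++ caller must uphold.
pub unsafe extern "C" fn record_parse(
    data: *const u8,
    len: usize,
    tag_out: *mut u8,
    payload_len_out: *mut usize,
) -> i32 {
    if data.is_null() || tag_out.is_null() || payload_len_out.is_null() {
        return STATUS_NULL_INPUT;
    }
    // SAFETY: the caller guarantees `data` is valid for `len` bytes.
    let input = unsafe { slice::from_raw_parts(data, len) };
    match parse_record(input) {
        Ok(rec) => {
            // SAFETY: the caller guarantees the out-pointers are valid for writes.
            unsafe {
                *tag_out = rec.tag;
                *payload_len_out = rec.payload.len();
            }
            STATUS_OK
        }
        Err(code) => code,
    }
}

/// Drives the FFI entry point the way a C++ caller would, from safe Rust,
/// and returns (status, tag, payload_len) for inspection.
pub fn call_from_safe_rust(buf: &[u8]) -> (i32, u8, usize) {
    let mut tag = 0u8;
    let mut plen = 0usize;
    // SAFETY: the slice is valid for its length; out-pointers address locals.
    let status = unsafe { record_parse(buf.as_ptr(), buf.len(), &mut tag, &mut plen) };
    (status, tag, plen)
}

fn main() {
    // Constructed sample inputs, not real browser traffic.
    let good = [0x07, 0x03, 0x00, b'a', b'b', b'c'];
    let short = [0x07, 0x10, 0x00, b'a']; // header claims 16 bytes, only 1 present
    println!("good  -> {:?}", call_from_safe_rust(&good));
    println!("short -> {:?}", call_from_safe_rust(&short));
}
```

The point of the shape is that a C++ reviewer only has to check one pointer/length contract, and a Rust reviewer only has to audit two small unsafe blocks; everything else is ordinary safe Rust that the compiler checks for the library’s own lifetimes and mutability rules.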

When Rust calls into C++, language features such as templates or inheritance are difficult for a binding generator to support. The Chromium team’s decision aims to gain access to the wealth of crates in the Rust ecosystem without incurring big penalties. Better interop tooling would make interop easier and more seamless, and would open up a wider range of libraries from either language; to increase the fidelity of interop between C++ and Rust, Google is investing in Crubit. For a security-focused open-source project such as Chromium, the Rust ecosystem matters, and that ecosystem is growing with investment from the systems development industry, including Google. Chrome already relies on a great deal of third-party code, so investment in third-party Rust crates matters too. The strategy establishes norms and maintains a level of API review through the existing third-party process, while future interop support pushes the boundaries of what is possible and reasonable to do between Rust and C++. Full interop is not ruled out for the future, but it would require a significant investment in, and evolution of, interop tooling to ensure everything works smoothly.

The post Google is Allowing Rust for Third-Party Libraries in Chromium appeared first on Analytics Insight.
