The cryptography library for Python made a decision some time ago that will have considerable consequences: parts of the code that handles ASN.1 structures have been rewritten in Rust. With version 3.4, released a few days ago, this code has now landed in an official release of the cryptography package.
There are several arguments in favor of this step. ASN.1 is a complex binary format that is widely used in cryptographic applications, and parsers for such structures written in C have a notorious record of security problems. In the past, every major TLS library has had vulnerabilities in its ASN.1 code.
For a while it will still be possible to build the cryptography package from the C code alone, without the new Rust components, but with the upcoming version 3.5 that option will disappear as well.
On the Gentoo Linux developer list, the move prompted the question of whether this change would eventually force Gentoo to drop support for some CPU architectures. Gentoo supports a wide range of systems, including outdated and exotic processor architectures such as HPPA and Alpha, and for many of them no Rust compiler exists yet.
The discussion established that Gentoo's package manager Portage can do without the Python cryptography package, so Gentoo systems can still be offered without a Rust compiler. But that may only postpone the problem.
The weaknesses and systemic security problems of C and C++ have been debated for a long time. Memory-management errors such as buffer overflows and use-after-free bugs are among the most common security vulnerabilities, and they play a particularly prominent role in browser exploits. But such memory errors can lead to vulnerabilities in system tools as well, as a recent bug in sudo showed.
Mitigations such as address space layout randomization (ASLR) and stack cookies have made attacks on such memory errors harder, but they cannot prevent them entirely. For a long time, though, there was no real alternative to C and C++, especially for low-level programming; no other language managed to gain significant adoption there. That has changed with Rust.
Many in the IT security community see Rust as a way to rule out whole classes of memory-safety vulnerabilities from the outset. Memory errors can still occur in Rust in sections explicitly marked "unsafe", but by default Rust avoids most of the typical C mistakes. And a few lines of unsafe code are far easier to audit for errors than an entire C or C++ project.
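To illustrate both points above, the fragility of ASN.1 parsing and what safe Rust buys you, here is an added example that is not code from the cryptography project: a minimal DER tag-length-value header decoder. The classic C bug is trusting the encoded length and reading past the end of the buffer; in safe Rust every access below is a bounds-checked slice operation, so a truncated or oversized length produces an error value instead of an out-of-bounds read (the `Tlv` and `DerError` names are this example's own).

```rust
// Added example (not the cryptography project's code): a minimal DER
// tag-length-value header decoder in safe Rust. Only single-byte tags are
// handled; the point is the length-field handling, where C parsers get hurt.

#[derive(Debug, PartialEq)]
pub struct Tlv<'a> {
    pub tag: u8,
    pub value: &'a [u8], // the element's contents
    pub rest: &'a [u8],  // whatever follows the element
}

#[derive(Debug, PartialEq)]
pub enum DerError {
    Truncated,        // encoded length exceeds the bytes actually present
    IndefiniteLength, // 0x80 is BER-only and forbidden in DER
    LengthTooLong,    // more length bytes than fit in a usize
    NonMinimalLength, // DER requires the shortest possible length encoding
}

/// Parse one DER TLV from the front of `input`. Every slice operation is
/// bounds-checked by the language, so a bad length can never read memory
/// outside `input`; it can only yield Err.
pub fn parse_tlv(input: &[u8]) -> Result<Tlv<'_>, DerError> {
    let (&tag, after_tag) = input.split_first().ok_or(DerError::Truncated)?;
    let (&len_byte, after_len) = after_tag.split_first().ok_or(DerError::Truncated)?;
    let (len, body) = if len_byte < 0x80 {
        // Short form: the byte itself is the length.
        (len_byte as usize, after_len)
    } else {
        // Long form: low 7 bits give the number of following length bytes.
        let n = (len_byte & 0x7f) as usize;
        if n == 0 { return Err(DerError::IndefiniteLength); }
        if n > std::mem::size_of::<usize>() { return Err(DerError::LengthTooLong); }
        if after_len.len() < n { return Err(DerError::Truncated); }
        let (len_bytes, body) = after_len.split_at(n);
        if len_bytes[0] == 0 { return Err(DerError::NonMinimalLength); }
        let len = len_bytes.iter().fold(0usize, |acc, &b| (acc << 8) | b as usize);
        if len < 0x80 { return Err(DerError::NonMinimalLength); }
        (len, body)
    };
    // The check a careless C parser omits: does the buffer really hold `len` bytes?
    if body.len() < len { return Err(DerError::Truncated); }
    let (value, rest) = body.split_at(len);
    Ok(Tlv { tag, value, rest })
}

fn main() {
    // Constructed sample: OCTET STRING claiming 4 bytes but carrying only 2.
    let truncated = [0x04, 0x04, 0xAA, 0xBB];
    println!("{:?}", parse_tlv(&truncated)); // Err(Truncated), never a wild read
}
```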
It is foreseeable that more and more software projects will be written wholly or partly in Rust, and not only complex ones like the Firefox browser. Others will follow, and even the Linux kernel developers are discussing whether Rust is an option for them.
In the foreseeable future, this means it will soon no longer be practical to run a Linux base system without Rust code.
For people who use processors without Rust support, this should be a warning shot. Either the communities that want to run and maintain Linux on those systems develop a port of the Rust compiler for them, or running a modern Linux system on those CPUs will soon no longer be possible.