POC is one of the top conferences in Asia and has been running since 2006. Today I had the opportunity to give the opening keynote (Slides) for the POC 2022 conference in Seoul, Korea, where I discussed our favorite memory safe language: Rust. Thanks again to the organizers for the invitation.
I chose to discuss Rust from a software engineering and application security point of view. The main points were:
- The current availability of high-performance memory safe languages like Rust makes this the best time in the history of computer science to be (or become) a software engineer.
- Rust is a great language to learn if you are new to programming and are looking for pointers for your software engineering career. I always recommend to students who want to get into software engineering to start with Python to learn the basics of programming, and then to learn a more mature language such as Rust which can be used for production level coding.
- Rust is a great language if you are starting a new project from scratch. Migrating an existing code base written in C/C++ may be more challenging, and a full rewrite gets harder the larger your existing code base is.
- Rust allows you to focus on the logic of your code instead of wasting unnecessary time debugging (especially compared to C/C++), without sacrificing performance.
- Memory safety bugs represent around 70% of security bugs (as reported by MSRC), so having the opportunity to have safe code that compiles and works is amazing.
- There are two main avenues to make applications more secure:
  - either you improve the compiler (which is the best solution for legacy code bases that can’t be rewritten for various reasons)
  - or you actually use a safer language (a memory safe language, which is the best solution for new code bases)
- Although Microsoft has been doing a great job at promoting Rust, the lack of an official WDK for kernel programming is problematic, and we will probably see a lot of people writing Windows Rust user-mode applications just like they would write C/C++ user-mode applications due to lack of resources (there is definitely room for improvement on that side).
PS: Coincidentally today, the NSA also published a Guide on “How to Protect Against Software Memory Safety Issues”