Google has announced that it will allow third-party Rust libraries in its Chromium open-source browser project.
Chrome security team member Dana Jansens published a blog post on Thursday announcing the decision.
Jansens says that Google is now actively pursuing adding a production Rust toolchain to its build system.
“Our goal in bringing Rust into Chromium is to provide a simpler (no IPC) and safer (less complex C++ overall, no memory safety bugs in a sandbox either) way to satisfy the rule of two, in order to speed up development (less code to write, less design docs, less security review) and improve the security (increasing the number of lines of code without memory safety bugs, decreasing the bug density of code) of Chrome,” explains Jansens.
“We believe that we can use third-party Rust libraries to work toward this goal.”
Around 70 percent of the serious security bugs in Chromium are memory safety problems. When written correctly, Rust can be used to avoid memory safety issues.
“Rust guarantees temporal memory safety with static analysis that relies on two inputs: lifetimes (inferred or explicitly written) and exclusive mutability,” Jansens explained.
Third-party Rust libraries will only be allowed if there “is a business need”. Google says that includes where:
- The Rust implementation is the best (e.g., speed, memory, lack of bugs) or the only existing implementation available for the third-party library.
- The Rust implementation allows the operation to move to a higher privileged process, and this benefits the product by improving on guardrail metrics (e.g. through avoiding process startup, IPC overheads, or C++ memory-unsafety mitigations).
- The Rust implementation can meaningfully reduce our expected risk of (memory/crashes/undefined behaviour) bugs when compared to the existing third-party library and related C++ code required to use the library.
Google plans to introduce the Rust toolchain and allow libraries written in the language within the next year.
Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London.
Explore other upcoming enterprise technology events and webinars powered by TechForge here.
