Microsoft Azure CTO Mark Russinovich: C/C++ should be deprecated


Mark Russinovich, Microsoft’s Azure CTO, says that C and C++ should not be used for new projects.

“It’s time to halt starting any new projects in C/C++ and use Rust for those scenarios where a non-GC language is required. For the sake of security and reliability, the industry should declare those languages as deprecated,” he said on Twitter, expressing a personal opinion rather than a fresh Microsoft policy.

Russinovich’s remarks are notable because Microsoft’s core products, such as Windows, Office and SQL Server, are largely written in C and C++. So too is Linux, which is also widely used on the Azure cloud platform. That said, it will soon be possible to write parts of the Linux kernel in Rust, judging by reports from the recent Open Source Summit and an email from Linux creator Linus Torvalds to journalist Steven Vaughan-Nichols in which he said: “Unless something odd happens, it [Rust] will make it into 6.1.”

This is not the first time Microsoft has championed Rust as a means of improving software security. Three years ago the Microsoft Security Response Center (MSRC) stated “we think that Rust represents the best alternative to C and C++ currently available.” The MSRC team also said that “roughly 70 percent of the security issues that the MSRC assigns a CVE to are memory safety issues. This means that if that software had been written in Rust, 70% of these security issues would most likely have been eliminated.”

Memory safety means ensuring that when the code in an application reads data from memory, that data is valid. There are several reasons why this can fail. Programming languages define variables that occupy a specific amount of memory space. If the memory allocated is too small for the variable, the code might read beyond its bounds, injecting random data into the application. Similarly, if the code tries to read data in memory that has been freed, making it available for other data, the result is unpredictable and may cause a crash. Another issue arises when a multi-threaded application has more than one thread writing to the same area of memory without using locks that prevent corruption.

Most business applications are written in high-level languages like JavaScript, Java, Python and C#, which are much safer than C or C++. These languages, though, are not suitable for systems programming, where the overhead and unpredictability of a runtime or memory garbage collector (GC) is unacceptable. Rust is designed for systems programming, and also has memory safety features, based on the concept of compiler-enforced ownership of values.

Rust is not always memory-safe. Using the unsafe keyword, Rust developers can dereference raw pointers, call unsafe functions, write to mutable static variables, and more. This is necessary at times; but by isolating such code into specific marked blocks, Rust improves on C or C++ in this respect.
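The three failure modes described above (out-of-bounds reads, reads of freed memory, unsynchronised writes from several threads) and an isolated unsafe block, as an added Rust example that is not from the article or from Microsoft. The function names and the sample buffer are constructed for illustration.

```rust
use std::sync::{Arc, Mutex};
use std::thread;

/// Out-of-bounds read: `get` returns None instead of reading past the buffer.
fn read_at(buf: &[u8], index: usize) -> Option<u8> {
    buf.get(index).copied()
}

/// Read after free: `drop` takes ownership, so any later use of `buf` is a compile error.
fn consume(buf: Vec<u8>) -> usize {
    let len = buf.len();
    drop(buf); // the heap allocation is released here
    // let first = buf[0]; // rejected by the compiler: `buf` was moved into drop()
    len
}

/// Shared writes: the counter is reachable only through the Mutex, so every write holds the lock.
fn parallel_count(threads: usize, per_thread: u32) -> u32 {
    let counter = Arc::new(Mutex::new(0u32));
    let handles: Vec<_> = (0..threads)
        .map(|_| {
            let counter = Arc::clone(&counter);
            thread::spawn(move || {
                for _ in 0..per_thread {
                    *counter.lock().unwrap() += 1;
                }
            })
        })
        .collect();
    for h in handles { h.join().unwrap(); }
    let total = *counter.lock().unwrap();
    total
}

/// Raw pointer dereference confined to one marked block behind a bounds-checked API.
fn read_raw(buf: &[u8], index: usize) -> Option<u8> {
    if index >= buf.len() { return None; }
    // SAFETY: index was checked against buf.len() on the line above.
    Some(unsafe { *buf.as_ptr().add(index) })
}

fn main() {
    let data = vec![10u8, 20, 30]; // constructed sample buffer
    println!("{:?} {:?}", read_at(&data, 1), read_at(&data, 3));
    println!("{:?} {}", read_raw(&data, 3), parallel_count(4, 1000));
    println!("{}", consume(data));
}
```

Only `read_raw` needs auditing by hand; the other three functions are checked by the compiler or by the standard library at run time.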

Despite these prominent voices supporting Rust, the language trails well behind both C and C++ in usage surveys such as the RedMonk language rankings, which place C++ 7th, C 10th, and Rust 19th. Why is Rust not more popular? Issues include a shortage of Rust developers, immature tooling, the demanding task of learning the language, and interoperability with existing code.