Microsoft has posted code on Github enabling developers to code Windows drivers in Rust, a key step towards memory-safe programming for the operating system.
Azure CTO Mark Russinovich posted the link on X with the comment: “working towards enabling Windows driver development in Rust.”
This work goes back many years. In July 2019 Microsoft Research posted about its desire to “eliminate an entire class of vulnerabilities before they ever happened,” making the case for memory-safe languages and stating that “one of the most promising newer systems programming languages that satisfy those requirements is the Rust programming language originally invented by Mozilla.”
The company admires Rust not only for its memory safety but also for data race safety – ensuring that there is “no unsynchronized access of a piece of memory from two or more threads.”
In 2022 Russinovich declared that “it’s time to halt starting any new projects in C/C++ and use Rust for those scenarios where a non-GC language is required. For the sake of security and reliability. the industry should declare those languages as deprecated.” GC or garbage-collected languages such as C# and Java are fine for business applications but not suitable for low-level system code.
Windows though is largely written in C and C++. “Most of the user mode code is now in C++ but most of the kernel code is still in C, for various technical and historical reasons” said long-time Microsoft software engineer Raymond Chen in 2018, and although Windows 11 has appeared since then, the operating system is not rewritten when new versions are developed. The Windows Driver Kit, used by hardware manufacturers to enable their devices to work in Windows, remains a C/C++ toolkit.
According to the release notes for the new Rust-based driver kit, the intention is to support both WDM (Windows Driver Model) and WDF (Windows Driver Framework) drivers. WDM drivers are lower level and closely tied to the operating system, whereas WDF drivers interact with the system via a framework library. The initial repository is focused on WDK.
The notes add that “this project is still in early stages of development and is not yet recommended for commercial use.” Microsoft is encouraging experimentation and feedback, and points developers towards the GitHub discussion forum in the repository for feedback.
One early issue is how to handle exceptions. “For the Windows Kernel (and the OS in general) structured exception handling is an integral part of developing for Windows and a real blockers to making Rust a reality for Windows Kernel development,” said a developer. Rust does not have exceptions preferring to report recoverable errors with a Result variable and to quit with a panic failure in the case of unrecoverable errors. Such panics are undesirable in kernel code as they causes a system crash. The developer, Johnny Shaw, quotes Linux Torvalds who said, in the context of the Linux kernel (where Rust is also being adopted) that “because kernel code is different from random user-space system tools. Running out of memory simply MUST NOT cause an abort. It needs to just result in an error return.” Torvalds regards the problem as a “fundamental issue”.
The early code in Microsoft’s new repository includes the comment:
// FIXME: Should this trigger Bugcheck via KeBugCheckEx?
The issue illustrates that introducing Rust to low-level Windows code is not just a matter of adding Rust-language bindings for WDK APIs. Nevertheless, the initial reactions are generally positive. Memory safety issues account for a high proportion of security and stability issues in Windows and moving towards Rust is a likely solution.