
Google praises the switch to Rust due to the huge drop in memory vulnerabilities


Image: Google security (Source: Shutterstock)

Google has recognized Rust, a memory-safe programming language, as a significant contributor to its ability to reduce vulnerabilities as part of its Secure Coding initiative.

Memory access vulnerabilities most often occur in programming languages that are not memory safe. In 2019, memory safety issues accounted for 76% of all Android vulnerabilities.

In response, many developers and tech giants are moving toward memory-safe languages that help them build software that is secure by design.

Vulnerabilities are rusting away

On its blog, Google simulated the transition to memory-safe languages by gradually shifting new projects and new development to memory-safe code over a five-year period. The results showed that even though the amount of code written in memory-unsafe languages kept growing, memory vulnerabilities decreased significantly.

According to Google, this is because vulnerabilities decay exponentially as code ages. New code written in unsafe languages often contains bugs and vulnerabilities, but as the code is reviewed and revised, those vulnerabilities are gradually fixed, so the code becomes more secure over time. The main source of vulnerabilities is therefore new code, and by prioritizing memory-safe programming languages when starting new projects and new development, the number of vulnerabilities drops significantly.
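As an added illustration of the argument above (this is not Google's simulation or code, and every parameter is assumed), the following Rust program models one unit of new code written per year, memory-unsafe cohorts whose remaining memory vulnerabilities halve with each year of age, and a five-year linear ramp of new code over to a memory-safe language that contributes no memory vulnerabilities:

```rust
// Assumed parameters for illustration only.
/// Fraction of a cohort's memory vulnerabilities still present after one more year.
pub const DECAY_PER_YEAR: f64 = 0.5;
/// Memory vulnerabilities per unit of freshly written memory-unsafe code.
pub const FRESH_DENSITY: f64 = 100.0;

#[derive(Debug, Clone, Copy)]
pub struct YearStats {
    pub year: usize,
    pub unsafe_loc: f64,   // cumulative units of memory-unsafe code ever written
    pub memory_vulns: f64, // memory vulnerabilities still present this year
}

/// Simulate `pre_years` of writing only unsafe code, then `post_years` in which
/// the memory-safe share of each year's new code ramps linearly from 0 to 1
/// over `ramp_years`. One unit of new code is written every year.
pub fn simulate(pre_years: usize, post_years: usize, ramp_years: usize) -> Vec<YearStats> {
    let mut unsafe_cohorts: Vec<f64> = Vec::new(); // index = year the code was written
    let mut stats = Vec::new();
    for year in 0..pre_years + post_years {
        let safe_share = if year < pre_years {
            0.0
        } else if ramp_years == 0 {
            1.0
        } else {
            ((year - pre_years) as f64 / ramp_years as f64).min(1.0)
        };
        unsafe_cohorts.push(1.0 - safe_share);
        // Each unsafe cohort's vulnerabilities decay exponentially with its age;
        // memory-safe code is assumed to add none.
        let memory_vulns = unsafe_cohorts
            .iter()
            .enumerate()
            .map(|(written, loc)| {
                loc * FRESH_DENSITY * DECAY_PER_YEAR.powi((year - written) as i32)
            })
            .sum();
        let unsafe_loc = unsafe_cohorts.iter().sum();
        stats.push(YearStats { year, unsafe_loc, memory_vulns });
    }
    stats
}

fn main() {
    // Ten years of all-unsafe development, then a five-year ramp to memory-safe code.
    for s in simulate(10, 7, 5) {
        println!("year {:2}: unsafe code {:5.2} units, memory vulns {:6.1}",
                 s.year, s.unsafe_loc, s.memory_vulns);
    }
}
```

Running it shows the unsafe code base still growing from 11 to 13 units while the memory vulnerability count falls by more than three quarters, and a run with no transition stays at its steady state.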

As Google has transitioned to memory-safe programming languages, memory-related vulnerabilities have declined significantly: memory safety vulnerabilities dropped to 24% in 2024, a stark contrast to 2019 and well below the industry norm of 70%.

Memory vulnerability is decreasing compared to lines of code written between 2019 and 2024.

However, using memory-safe languages is not a silver bullet, and Google admits that “with hindsight, we have not yet achieved a truly scalable and sustainable solution that provides an acceptable level of risk.”

Strategies for addressing memory vulnerabilities began with reactive patching, in which software vendors prioritize fixing memory vulnerabilities, leaving other issues open to faster exploitation.

The second approach was proactive mitigation, in which developers were encouraged to adopt measures such as stack canaries and control-flow integrity at the expense of execution speed, battery life, termination latency, and memory consumption. Developers have also been unable to keep up with attackers’ ability to exploit vulnerabilities in new and creative ways.

The third approach was proactive vulnerability detection, which focused on finding vulnerabilities through “fuzzing”, i.e. tracking down vulnerabilities from the symptoms of unsafe memory access. However, as Google points out, these tools are inefficient and time-consuming for teams to use, and they often fail to find every vulnerability even after multiple passes.

Google’s fourth tactic, therefore, is high-assurance prevention and secure-by-design development. With programming languages like Rust, developers know and understand the properties of the code they write and can reason about security vulnerabilities from those properties. This reduces costs for developers by preventing vulnerabilities from the outset, including vulnerabilities beyond memory safety issues. The cumulative cost reduction also has the added benefit of increasing developer productivity.

“The concept is simple,” notes the Google blog, “when we turn off the flow of new vulnerabilities, it reduces it exponentially, making all our code more secure, increasing security design efficiency, and alleviating the scalability challenges of existing memory security strategies so they can be applied more effectively in a targeted way.”
