Eliminating Memory Safety Vulnerabilities with Rust and AI

Los Angeles CA (SPX) Aug 02, 2024 - Memory safety vulnerabilities remain the most common type of disclosed software flaws, primarily affecting a computer's memory in two significant ways. Programming languages like C permit direct memory manipulation, often leading to accidental errors that can corrupt memory. Additionally, undefined behaviors in programming languages can cause unpredictable program behavior, as the language standard does not specify how the program should react under certain conditions.

After over two decades of dealing with memory safety issues in C and C++, the consensus among software engineers is clear: relying on bug-finding tools is insufficient. The Office of the National Cyber Director has emphasized the need for proactive measures to eliminate memory safety vulnerabilities and mitigate potential attacks.

While memory-safe programming languages are known to resolve these issues, rewriting extensive legacy code has been a daunting task. Developed in the 1970s, the C language is pervasive, powering everything from smartphones to space vehicles. The Department of Defense, in particular, relies heavily on long-standing systems built with C.

Recently, the rise of the Rust programming language and advancements in machine learning, including large language models (LLMs), have presented new opportunities for addressing these challenges. DARPA's Translating All C to Rust (TRACTOR) program aims to leverage these innovations to automate the translation of legacy C code to Rust significantly.

"You can go to any of the LLM websites, start chatting with one of the AI chatbots, and all you need to say is 'here's some C code, please translate it to safe idiomatic Rust code,' cut, paste, and something comes out, and it's often very good, but not always," said Dr. Dan Wallach, DARPA program manager for TRACTOR. "The research challenge is to dramatically improve the automated translation from C to Rust, particularly for program constructs with the most relevance."

The goal of TRACTOR is to produce Rust code that matches the quality and style of that created by skilled Rust developers, thereby eliminating memory safety vulnerabilities in C programs.

Wallach expects proposals incorporating innovative software analysis methods, such as static and dynamic analysis, combined with large language models. The program will host public competitions throughout its duration to evaluate the performance of these LLM-powered solutions.

"Rust forces the programmer to get things right," said Wallach. "It can feel constraining to deal with all the rules it forces, but when you acclimate to them, the rules give you freedom. They're like guardrails; once you realize they're there to protect you, you'll become free to focus on more important things."

DARPA will sponsor a Proposers Day on Aug. 26, 2024, available for in-person and virtual attendance. Participants must register by Aug. 19, 2024. More details and registration information can be found at SAM.Gov.

Research Report:The Case for Memory Safe Roadmaps