It's quite a thing when the White House, through the Office of the National Cyber Director, produces a 19-page technical report saying it's time to start writing memory-safe software. In it we read, "Experts have identified a few programming languages that both lack traits associated with memory safety and also have high proliferation across critical systems, such as C and C++."
This isn't that big a surprise. In 2019, this report proposed the use of Rust for writing Linux Kernel Modules and made the point that 49% of security vulnerabilities in Chrome, 72% in Firefox and 81% of zero-day exploits all had memory unsafety in C/C++ as a root cause.
Unsurprisingly, Bjarne Stroustrup, the creator of C++, disagrees and has defended his creation. Even though the C++ committee is instigating improvements in memory safety, the damage has been done.
What makes a language memory-safe?
The White House report suggests that future development be done in memory-safe programming languages. Python, Java, C#, Go, Delphi/Object Pascal, Swift, Ruby, Rust, and Ada are cited as memory-safe in a report by the NSA (PDF). The inclusion of Delphi might raise an eyebrow or two as, like C++, it requires memory to be explicitly requested and freed. The other languages have different ways of managing memory, including garbage collection.
Rust stands out as it makes memory management safe through a combination of ownership rules, reference types, and “smart” pointer types. All allocated values have an owner. When values are assigned, passed as parameters or used in field initialization, ownership is transferred. At compile time, the borrow checker, a part of the Rust compiler, enforces exclusive writing by preventing mutable aliases from writing at the same time as other active references to the value.
Data can be stored on the stack or on the heap, and the compiler can decide when memory is no longer needed and can be freed. This makes Rust very suitable for writing libraries used by other programming languages, as there's no garbage collection, and it’s particularly useful in operating systems. Linus Torvalds, who famously kept C++ out of the Linux kernel, welcomed the use of Rust in the Linux Kernel from 6.1 on. You can keep track of how Rust’s use in Linux is progressing on the rust-for-linux website.
It's not just Linux either. Microsoft added Rust for Windows in 2023. These are crates (Rust packages) that simplify the use of any Windows API from Rust. Also, Microsoft started rewriting some of the Windows core libraries in Rust last year. As well as making code safer, it has the extra benefit of improving performance in one utility by 5-15%.
There are certain things that normal safe Rust can’t do:
Dereference a raw pointer
Call an unsafe function or method
Access or modify a mutable static variable
Implement an unsafe trait
Access fields of unions
For those, it needs to switch into Unsafe Rust, enabled by prefixing a block with the word unsafe. Unlike, say, unsafe C#, it doesn’t adopt a hands-off approach to safety; all the safety checks still apply. All it does is let you do any of the unsafe actions. Several of these are needed when developing operating systems.
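As an added illustration (not code from the report or from the Rust project), the function below uses the first two items in the list, an unsafe method call and a raw pointer read, but only after checking the bounds that make them sound, so callers get a safe API. The name read_u32_le and the sample packet are hypothetical and constructed for this example.

```rust
use std::ptr;

/// Read a little-endian u32 at `offset` from an untrusted byte buffer.
/// The function itself is safe to call: every precondition of the unsafe
/// operations below is checked first.
fn read_u32_le(buf: &[u8], offset: usize) -> Option<u32> {
    // checked_add rejects an offset that would wrap around usize.
    let end = offset.checked_add(4)?;
    if end > buf.len() {
        return None; // would read past the end of the buffer
    }
    // SAFETY: bytes offset..offset+4 were just shown to lie inside `buf`,
    // and read_unaligned places no alignment requirement on the pointer.
    let raw = unsafe {
        let p = buf.as_ptr().add(offset) as *const u32; // unsafe method call
        ptr::read_unaligned(p) // raw pointer read
    };
    // `buf` is still an ordinary shared borrow here: the borrow checker and
    // type checker were not switched off inside the unsafe block.
    Some(u32::from_le(raw))
}

fn main() {
    // Constructed sample: a 1-byte tag followed by a 4-byte length field.
    let packet = [0x01u8, 0x78, 0x56, 0x34, 0x12];
    println!("{:?}", read_u32_le(&packet, 1)); // in bounds
    println!("{:?}", read_u32_le(&packet, 2)); // runs off the end
    println!("{:?}", read_u32_le(&packet, usize::MAX)); // offset overflow
}
```

Deleting the bounds check would still compile, which is why the unsafe block and its SAFETY comment are the part of such code that needs review.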
As well as its technical excellence, Rust is high on the list of most desired languages and has been Stack Overflow developers' most admired technology for eight years. On the Reddit programming FAQ, the Rust community is third on the Huge Communities list of programming languages, just behind Java and C++, which confirms the level of interest shown in Rust.
One possible reason for the admiration is that Rust is possibly the only language that can replace C++ as a systems language. Python and JavaScript might be the most popular programming languages, but neither is suitable for developing database servers, operating systems, web browsers and similar software. Most of those technologies are currently written in C++.
Consider Adding Rust to your Toolbelt
If you're looking for a programming job right now, there are currently over 2,000 C++ jobs on Dice.com. Rust, on the other hand, has only 200. However, in the next five to seven years, expect that ratio to change. Many of the current Rust jobs ask for C++ skills as well, indicating that a transition may be in progress. It is also worth noting that Rust jobs likely pay very well: $200,000 in at least one case.
While it isn't really feasible to rewrite large apps like Windows, Photoshop and MySQL (all written largely or entirely in C++), it's likely that alternatives will be written in Rust. Photoshop is over 5 million lines of code and manually translating it would take many, many years. But when someone produces a decent C++ to Rust translator, things will change.
If you are a C++ programmer, learning Rust is a great career move.