Microsoft is busy rewriting core Windows code in memory-safe Rust

Microsoft is rewriting core Windows libraries in the Rust programming language, and the more memory-safe code is already reaching developers.

David "dwizzle" Weston, director of OS security for Windows, announced the arrival of Rust in the operating system's kernel at BlueHat IL 2023 in Tel Aviv, Israel, last month.

"You will actually have Windows booting with Rust in the kernel in probably the next several weeks or months, which is really cool," he said. "The basic goal here was to convert some of these internal C++ data types into their Rust equivalents."

Microsoft showed interest in Rust several years ago as a way to catch and squash memory safety bugs before the code lands in the hands of users; these kinds of bugs were at the heart of about 70 percent of the CVE-listed security vulnerabilities patched by the Windows maker in its own products since 2006.

The Rust toolchain strives to prevent code from being built and shipped that is exploitable, which in an ideal world reduces opportunities for miscreants to attack weaknesses in software. Simply put, Rust is focused on memory safety and similar protections, which cuts down on the number of bad bugs in the resulting code.

Rivals like Google have already publicly declared their affinity for Rust.

Amid growing industry support for memory safe programming, Microsoft's exploration of Rust has become more enthusiastic. And last September, it became an informal mandate: Microsoft Azure CTO Mark Russinovich declared that new software projects should use Rust rather than C/C++.

The Rust renovation of Windows began in 2020 with DWriteCore, the Windows App SDK implementation of Windows' DWrite engine for text analysis, layout, and rendering. DWriteCore now consists of about 152,000 lines of Rust code and about 96,000 lines of C++ code.

Beyond the presumed safety improvement, performance is said to be 5 to 15 percent faster for Shaping (substituting) glyphs with OTLS (OpenType Library Services). That's all available to developers now.

• Rust Foundation so sorry for scaring the C out of you with trademark crackdown talk
• If you don't get open source's trademark culture, expect bad language
• Worried about the security of your code's dependencies? Try Google's Deps.dev
• Microsoft applies coat of Rust to Azure Sphere IoT platform

The Microsoft Windows graphics device interface (Win32 GDI) is being ported to Rust and so far has 36,000 lines of Rust code. The latest version of Windows 11 boots with the Rust version, which passes all GDI tests, but the Rust port is currently disabled behind a feature-flag.

"There's actually a SysCall in the Windows kernel now that is implemented in Rust," said Weston.

Microsoft's adoration of Rust does have limits. "Rewriting Windows in Rust probably isn't going to happen anytime soon," said Weston, "so while we love Rust, we need a strategy that also includes securing more of our native code."

But even qualified support from Microsoft is making Rust more capable through code contributions, and that benefits the entire open source community.

Armin Ronacher, an open source software developer, the chap behind Flask in Python, and current security engineer for Sentry, told The Register in an email that Microsoft's commitment to Rust is great for the language.

"In particular, because I expect Microsoft to reuse the existing compiler, I hope that a side effect of this will be better PDB [Program Database] support," he said. "Today on Windows, the developer tooling support is lagging behind what you get on DWARF-based [debugging with attributed record formats] platforms."

Samuel Colvin, founder of Pydantic and a developer using Python and Rust, told The Register: "I'm impressed by Microsoft being this forward thinking, but not very surprised. I'm sure they're under pressure from their engineers to adopt Rust. If you're building an application today that's either performance critical or low-level, then Rust is a no-brainer at that point."

Colvin said that while good Rust engineers may not be ubiquitous, he believes it's easier to find good Rust engineers than good C/C++ engineers.

"Although there are fewer people [with extensive Rust experience], there's a lot of engineers who are interested in trying to learn it," he said. "And the sheer difficulty of writing code which is safe, it's an order of magnitude easier in Rust."

"It's really exciting for those of us who rely on Rust that Microsoft is using it and so will hopefully support it," said Colvin. ®