April 29, 2022

Introducing Rust in security research

researchsecurityrust
Introducing Rust in security research
When iHub's Bernard van Gastel asked us to help them start with Rust, we were somewhat surprised by their bold step but absolutely happy to assist. In this article we'll describe how we went about designing a workshop for the iHub team.

Taking the step to switch your development team from a long-established programming language (C++) to a new one is never easy. When your game is software security and essential cryptography that is certainly the case.

We drew up a plan that consisted of preparation material and a full-day workshop in two parts: a quick run-through of the basics of Rust, and in the afternoon interop of C and Rust. Our Rust developers Ruben and Folkert the respective workshop leaders.

About iHub

iHub is Radboud University's interdisciplinary research hub on digitalization and society. It is the link between the universities' security and privacy research and the practical application of that technology.

iHub logo

iHub runs several ground-breaking projects. Among their initiatives are privacy technologies IRMA and PEP. If you feel like it, read more about iHub's mission here. We'll get back to PEP in a later blog post.

Target audience

The goal of the workshop is to introduce iHub's researchers and security developers to Rust. Because most security-related code is still written in C, the workshop needed to cover integrating C and Rust. In general, the workshop should make sure that iHub is well-prepared for its Rust deep-dive in the coming months.

In designing the workshop we could safely assume a high level of understanding of concepts in programming languages in general and in C++ specifically, i.e. assume the audience are quick learners. We felt we could go through the basics a little quicker than usual.

Flip the classroom

Fun fact: also present in the audience was Bart Jacobs, a renowned professor of security and privacy at Radboud University, where most of us studied. He recently received the Stevin Prize 2021, the highest award in Dutch science. Lecturing the professor you studied under is a very rewarding achievement. Full circle for Ruben and Folkert.

Outline of the workshop

To give you an idea of the workshop's contents, we will give you an outline here. Have a look at our Github for more.

The first slide lists the goals for the day:

  • Get a feeling of the language, but it will take time to fully learn Rust
  • Trusting your tools, so that you can focus on the important stuff
  • Core concepts that can help you even if you never write another line of Rust

Starting with variables, types and control flow, the morning continued all the way through to memory management, ownership and borrowing, error handling and dependencies.

Enums in Rust

It was a great morning session with a lot of questions and interaction throughout.

In the afternoon Folkert covered interop in the second part of the workshop called "Bridging the gap: Making Rust and C play together", using exercises to get a feel for practical application.

Using C from Rust

The crc-in-c exercise can be found here.

Folkert also covered a more extensive example using TweetNaCl, the "crypto library in 100 tweets", touching on the subject matter that iHub's developers deal with daily.

Crypto library TweetNaCl bindings

The exercise source code is here.

iHub's takeaways

Bernard was very pleased with the workshop, the exercises and the interaction in the group, and said he's convinced Rust will provide a step forward, even though iHub already had strict C++ guidelines and best practices in place:

Rust gives me the peace of mind to bring new developers in quickly, even in critical projects. That is because Rust’s language features and tools prevent subtle problems that for example, a developer in C++ needs years to master. Looking beyond the benefits for the individual, it is easier for team members to work on each other's projects and help out, and share code or modules.

That these weren't just kind words, was proven shortly after the workshop when iHub decided to immediately start using Rust in a bunch of their upcoming projects.

Conclusion

It's a great experience to get a group of motivated engineers started with Rust. We are happy to see interest in Rust on the rise in important application areas such as security research. A great fit if you ask us.

(our services)

Want to explore Rust?

We offer:

  • introductory talks
  • knowledge-sharing presentations
  • off-the-shelf or tailor-made workshops

Download a conversation starter to share with your colleagues!

Download leaflet

Interested in working with Rust? Check out our Rust page.

researchsecurityrust

Stay up-to-date

Stay up-to-date with our work and blog posts?

Related articles

Thanks to funding from NLNet and ISRG, the sudo-rs team was able to request an audit from Radically Open Security (ROS). In this post, we'll share the findings of the audit and our response to those findings.
open-sourcesecuritymemory-safetyrust
Read article
One of the hot topics in software security is memory safety. This article covers two questions: What is it? And why do we think it is worth investing in?
securitymemory-safetyrust
Read article

At Tweede golf we are convinced that if software is written in Rust, it will be more robust (compared to legacy languages such as C, C++ or Java), and more efficient (compared to code written in PHP or Python and again, Java).

In order to get more robust software out there, we have to get Rust code running on computers of people who are not themselves Rust developers.

securitymemory-safetyrust
Read article