Introducing Rust in security research
Taking the step to switch your development team from a long-established programming language (C++) to a new one is never easy. When your game is software security and essential cryptography that is certainly the case.
We drew up a plan that consisted of preparation material and a full-day workshop in two parts: a quick run-through of the basics of Rust in the morning, and interop between C and Rust in the afternoon. Our Rust developers Ruben and Folkert were the respective workshop leaders.
iHub is Radboud University's interdisciplinary research hub on digitalization and society. It is the link between the university's security and privacy research and the practical application of that technology.
iHub runs several ground-breaking projects. Among their initiatives are privacy technologies IRMA and PEP. If you feel like it, read more about iHub's mission here. We'll get back to PEP in a later blog post.
The goal of the workshop was to introduce iHub's researchers and security developers to Rust. Because most security-related code is still written in C, the workshop needed to cover integrating C and Rust. More generally, the workshop had to make sure that iHub is well-prepared for its Rust deep-dive in the coming months.
In designing the workshop we could safely assume a high level of understanding of concepts in programming languages in general and in C++ specifically, i.e. assume the audience are quick learners. We felt we could go through the basics a little quicker than usual.
Flip the classroom
Fun fact: also present in the audience was Bart Jacobs, a renowned professor of security and privacy at Radboud University, where most of us studied. He recently received the Stevin Prize 2021, the highest award in Dutch science. Lecturing the professor you studied under is a very rewarding achievement. Full circle for Ruben and Folkert.
Outline of the workshop
To give you an idea of the workshop's contents, we will give you an outline here. Have a look at our GitHub for more.
The first slide lists the goals for the day:
- Get a feeling of the language, but it will take time to fully learn Rust
- Trusting your tools, so that you can focus on the important stuff
- Core concepts that can help you even if you never write another line of Rust
Starting with variables, types and control flow, the morning continued all the way through to memory management, ownership and borrowing, error handling and dependencies.
It was a great morning session with a lot of questions and interaction throughout.
In the afternoon Folkert covered interop in the second part of the workshop called "Bridging the gap: Making Rust and C play together", using exercises to get a feel for practical application.
The crc-in-c exercise can be found here.
Folkert also covered a more extensive example using TweetNaCl, the "crypto library in 100 tweets", touching on the subject matter that iHub's developers deal with daily.
The exercise source code is here.
Bernard was very pleased with the workshop, the exercises and the interaction in the group, and said he's convinced Rust will provide a step forward, even though iHub already had strict C++ guidelines and best practices in place:
Rust gives me the peace of mind to bring new developers in quickly, even in critical projects. That is because Rust’s language features and tools prevent subtle problems that, for example, a developer in C++ needs years to master. Looking beyond the benefits for the individual, it is easier for team members to work on each other's projects and help out, and share code or modules.
That these weren't just kind words was proven shortly after the workshop, when iHub decided to immediately start using Rust in a bunch of their upcoming projects.
It's a great experience to get a group of motivated engineers started with Rust. We are happy to see interest in Rust on the rise in important application areas such as security research. A great fit if you ask us.
Interested in working with Rust? Check out our Rust page.