
At the recent Rust Week conference in Utrecht, Netherlands, Linux stable kernel maintainer Greg Kroah-Hartman delivered a striking message: Rust is poised to rescue Linux from a rising tide of security vulnerabilities. He boldly declared, “I’m going to make even a bolder statement and say, ‘You are going to save Linux.’ Sorry, it’s all on you.” This compelling address followed intense discussions on the kernel security list, highlighting a critical moment for the operating system.
Kroah-Hartman’s urgency stems from a sudden explosion of serious Linux security holes, uncovered by advanced AI bug-detection programs. Flaws like Dirty Frag, Copy Fail, and Fragnesia are emerging at an alarming rate. With the kernel team now issuing an astonishing “13 CVEs [Common Vulnerabilities and Exposures] a day,” the traditional C-based codebase is struggling to keep pace.
The Alarming Rise of AI-Detected Bugs
Having observed every kernel security bug since 2005, Kroah-Hartman points directly to C’s traditional pitfalls in error handling and resource management. He illustrated these weaknesses with real-world examples, including a 15-year-old Bluetooth bug that improperly dereferenced a pointer and a Xen bug where a lock was forgotten in an error path. These seemingly minor issues accumulate, leading to crashes and severe vulnerabilities over time.
The majority of these kernel bugs are “tiny, minor stuff,” often involving unchecked error conditions, forgotten locks, or memory that is never released. Such shortcomings, inherent to C’s design, accumulate into significant security risks. This ongoing battle with fundamental C programming errors is precisely why the Linux community is now looking for a new approach.
Rust: A New Shield for the Kernel
Kroah-Hartman emphasized that Rust’s “best beauty” lies in its ability to catch these mistakes at build time, long before they reach code review. Rust’s robust type system and ownership model enforce correctness automatically, preventing common errors that plague C code. This shift from reactive bug hunting to proactive prevention is a game-changer for kernel security.
For instance, Rust’s locking abstractions ensure that you can only access inner pointers of structures after acquiring the necessary lock, which is then automatically released. “The compiler does it, it’s guarded, the lock happens, everything’s happy,” Kroah-Hartman explained. This architectural enforcement means developers simply “can’t write code to access these values…without grabbing the lock. The compiler will not let you.”
These powerful properties are projected to eliminate a vast number of existing kernel vulnerabilities. Kroah-Hartman confidently stated that Rust will save the team from roughly “60% of the bugs in the kernel right there, they’re gone.” The advantage of build-time error detection also frees up precious maintainer time, allowing them to focus on logic rather than tedious resource bookkeeping. “Rust gives us that for free. This is the best thing ever,” he added.
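As an added illustration (not code from the talk, and not the kernel's own locking bindings), the user-space toy spin lock below mimics the pattern described: the protected value is private, the only handle to it is a guard, and release happens in the guard's destructor, so the "forgot to unlock in the error path" bug from the Xen example has no equivalent. The names SpinLock, Guard and bump_if_positive are assumptions made for this example.

```rust
use std::cell::UnsafeCell;
use std::ops::{Deref, DerefMut};
use std::sync::atomic::{AtomicBool, Ordering};

/// Toy spin lock: `data` is private, so the only route to the value is a `Guard`.
pub struct SpinLock<T> { locked: AtomicBool, data: UnsafeCell<T> }
// SAFETY: every access to `data` goes through a Guard, which holds the lock.
unsafe impl<T: Send> Sync for SpinLock<T> {}

/// Proof of holding the lock; it is the only handle to the protected value.
pub struct Guard<'a, T> { lock: &'a SpinLock<T> }

impl<T> SpinLock<T> {
    pub const fn new(value: T) -> Self {
        SpinLock { locked: AtomicBool::new(false), data: UnsafeCell::new(value) }
    }
    /// Acquire the lock (test-and-set) and hand back the guard.
    pub fn lock(&self) -> Guard<'_, T> {
        while self.locked.swap(true, Ordering::Acquire) {
            std::hint::spin_loop();
        }
        Guard { lock: self }
    }
    pub fn is_locked(&self) -> bool { self.locked.load(Ordering::Acquire) }
}

impl<T> Deref for Guard<'_, T> {
    type Target = T;
    // SAFETY: a Guard exists only while its lock is held, so access is exclusive.
    fn deref(&self) -> &T { unsafe { &*self.lock.data.get() } }
}
impl<T> DerefMut for Guard<'_, T> {
    fn deref_mut(&mut self) -> &mut T { unsafe { &mut *self.lock.data.get() } }
}
/// Release is a destructor, so every exit path (early return, `?`, panic) unlocks.
impl<T> Drop for Guard<'_, T> {
    fn drop(&mut self) { self.lock.locked.store(false, Ordering::Release); }
}

/// The C "forgot to unlock in the error path" bug has no equivalent here:
/// the early `return Err` drops the guard and releases the lock.
pub fn bump_if_positive(counter: &SpinLock<i64>, delta: i64) -> Result<i64, &'static str> {
    let mut guard = counter.lock();
    if delta <= 0 {
        return Err("non-positive delta");
    }
    *guard += delta;
    Ok(*guard)
}
```

Because `data` has no public accessor, a function that reads the counter without calling `lock()` does not compile, which is the property Kroah-Hartman describes.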
Reshaping Linux: Beyond New Code
Even if Rust were to vanish tomorrow, its impact on the Linux kernel would remain profound. Kroah-Hartman credits Rust with forcing the kernel community to clean up existing C code and interfaces, openly admitting, “We stole this from Rust. Thank you. It’s a good idea.” This influence has led to the adoption of new C “guards” and scoped locks, making code both harder to write incorrectly and simpler to understand.
With thousands of developers and a limited number of maintainers, optimizing for reviewability is paramount. Rust’s influence on C patterns helps maintainers quickly verify correctness, reducing review burden and improving overall code quality. Furthermore, the Rust-for-Linux team has been instrumental in reshaping driver interfaces, making them simpler to write correctly and significantly harder to get wrong.
Beyond language specifics, Kroah-Hartman stressed a broader security philosophy: “All input is evil.” He borrowed this crucial insight from Microsoft Security, emphasizing the absolute necessity of validating all incoming data. Rust’s type system is being leveraged to implement an “untrusted” type wrapper and a mandatory validation method.
This innovative approach forces explicit validation at the exact point where data transitions from untrusted user space to the trusted kernel environment. This ensures that “everything’s focused” on these critical transition points, allowing reviewers to concentrate their efforts on a single, well-defined section of code responsible for data validation. This model extends even to increasingly hostile hardware, which is now considered “malicious” and untrustworthy. Kroah-Hartman believes this combination could eliminate “80% of all the CVEs we have, and that’s a huge, huge number.”
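An added example (not the kernel's actual untrusted type, whose exact API the article does not give) of the same idea in user-space Rust: the wrapper exposes no accessors, so the only way to obtain a usable Request is the single validate call at the boundary, which is the one section reviewers need to concentrate on. The length-prefixed request format, MAX_PAYLOAD and the function names are constructed for this example.

```rust
/// Data that crossed from user space (or hardware) and has not been checked yet.
/// It deliberately implements neither `Deref` nor any getter: the only way out
/// is `validate`, so the compiler forces the check at the trust boundary.
pub struct Untrusted<T>(T);

impl<T> Untrusted<T> {
    pub fn new(raw: T) -> Self { Untrusted(raw) }
    /// Consume the wrapper and run the single validation routine reviewers audit.
    pub fn validate<V, E>(self, check: impl FnOnce(T) -> Result<V, E>) -> Result<V, E> {
        check(self.0)
    }
}

/// Constructed request format for this example: 4-byte little-endian
/// payload length, followed by the payload bytes.
pub struct Request { pub payload: Vec<u8> }

/// Assumed upper bound on a payload; a real driver would take it from the device spec.
pub const MAX_PAYLOAD: usize = 64;

/// The one place where raw bytes become a `Request`. The cap is checked before
/// the range arithmetic so a hostile length can neither overflow nor over-read.
pub fn parse_request(raw: &[u8]) -> Result<Request, &'static str> {
    if raw.len() < 4 {
        return Err("short header");
    }
    let len = u32::from_le_bytes([raw[0], raw[1], raw[2], raw[3]]) as usize;
    if len > MAX_PAYLOAD {
        return Err("length exceeds cap");
    }
    let body = raw.get(4..4 + len).ok_or("length exceeds buffer")?;
    Ok(Request { payload: body.to_vec() })
}

/// Kernel-side entry point: the buffer arrives wrapped, so the only path to a
/// `Request` is `validate(parse_request)`; returns the accepted payload length.
pub fn handle_ioctl(input: Untrusted<Vec<u8>>) -> Result<usize, &'static str> {
    let req = input.validate(|buf| parse_request(&buf))?;
    Ok(req.payload.len())
}
```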
An Evolutionary Path, Not a Revolution
Despite his fervent advocacy, Kroah-Hartman is clear: Rust is not a “silver bullet” and can still introduce bugs, as demonstrated by an early Rust component in the kernel that famously had a memory error. He also firmly stated that the goal is not to rewrite the entire Linux kernel in Rust. “No, we don’t want rewrites,” he advised, encouraging developers to use Rust for new code only, leaving existing C code untouched unless they are its maintainer.
Rust’s integration into the kernel will be an evolutionary process. New hardware support, particularly for graphics drivers, is expected to lean heavily towards Rust. The Android Binder, a core interprocess communication mechanism, is a prime example of this transition, with both C and Rust implementations coexisting temporarily until the C code can be safely removed. Soon, billions of Android devices will be running Rust code within Linux.
Currently, the Linux kernel comprises 36 million lines of C code and around 113,000 lines of Rust, mostly in bindings. This reliance on bindings to interface with existing C code has presented a “chicken-and-egg problem” for developers, necessitating a slight relaxation of the usual rule against adding unused code to the kernel. Over time, as new hardware adopts Rust drivers and old C drivers naturally phase out, Rust’s footprint will grow organically.
Ultimately, what solidified Rust’s place for key maintainers, including Kroah-Hartman, is its ability to simplify code review. With CI bots enforcing proper builds and Rust’s type system guaranteeing critical invariants, maintainers can “focus on the logic” of a function, trusting that underlying resource management is handled correctly. “The Linux kernel maintainers… said the Rust experiment is over. It’s not an experiment. This is for real,” he concluded, signaling a confident, full-speed-ahead approach toward Rust’s permanent integration.
Source: ZDNet – AI