Google noticed a significant decrease in vulnerability in the Android operating system transition to safer programming languages, such as Rust. Over six years, the number of vulnerabilities detected related to memory safety decreased from 76% to 24%. This step became part of the initiative “Secure by Design”, which the company is now actively adhering to.
The focus on safe development made it possible to reduce the overall risk associated with the protection of the code, and to make the transition to new technologies more scalable and economically effective. Over time, such changes lead to a decrease in vulnerability associated with memory, and to the fact that safe programming becomes dominant in the new development.
It is interesting that a decrease in vulnerabilities is observed even against the background of an increase in the volume of the new code, which is not always completely safe. According to studies, most vulnerabilities are found in a new or recently changed code. Thus, the more the code “matures”, the less vulnerabilities are found in it, which confirms the need for fundamental changes in the approaches to development.
Google began support for Rust for Android in 2021, priority promoting the transition to safe languages since 2019. As a result, over the past five years, the number of identified problems with memory safety has decreased from 223 in 2019 to less than 50 in 2024.
The main contribution to the reduction of such vulnerabilities has also made more advanced methods of combating them, including the use of the so-called clang-satizers. in the future The company plans to develop a memory security strategy, paying more attention to “highly efficient” methods of preventing problems and integrating safety principles at all stages of development.
For Google, an important step was the creation of compatibility between Rust, C ++ and Kotlin. This allows you to use a practical and gradual approach to the introduction of safe languages, avoiding the need to rewrite code from scratch. This approach allows you to effectively use the “attenuation” of vulnerabilities: when the addition of new problems stops, their number decreases rapidly.
Recently, Google also announced about the expansion of cooperation With the ARM security team, aimed at strengthening the security of the GPU-steak in the Android ecosystem. This made it possible to identify and eliminate several vulnerabilities, including two problems in the customization of the Pixel drivers ( cve-2023-48409 and cve-2023-48421 ), as well as vulnerability in micro -oprophrams ARM Valhall GPU ( cve-2024-0153 ).
Thus, proactive testing and new approaches to safe coding help Google to reduce risks and effectively solve problems before their possible operation.