Can Rust Really Outperform C in Real‑World Security? A Hands‑On Experiment Reveals Why

Intro: Tweede Golf, a Dutch Rust software‑consultancy, set out to expose memory‑related bugs and prove Rust’s super‑powers in protecting billions of devices.

Rust’s popularity in safety‑critical applications is backed by concrete evidence from this experiment.

Software flaws can affect countless devices—from ultrasonic machines to avionics—making language choice crucial.

Arcjet CEO David Mytton highlights Rust’s three killer features: innate memory safety, strict compile‑time checks, and excellent testing experience.

30‑Billion‑Device Nightmare

In 2021 researchers discovered a severe vulnerability (NAME:WRECK) in Siemens’ Nucleus RTOS, which runs on 3 billion devices. The bug lets attackers inject malicious DNS responses, causing crashes or full control.

By forging a malicious DNS response, attackers could trick Nucleus into writing to forbidden memory locations, jeopardizing ultrasonic machines, storage systems, and avionics.

Experiment: Rust vs. C in Real‑World Security

Tweede Golf gave four engineers (two staff, two interns) a brief on the DNS message format (RFC1035) and asked them to produce a safe solution in Rust within a few hours.

The engineers were unaware they needed to reproduce the vulnerable C code. They fed the same problematic inputs that crash the original C implementation into their Rust versions.

Results: Safer Design

Out of 12 test cases, the original C code failed 7 times, while none of the Rust implementations exhibited any arbitrary code execution.

All Rust solutions featured “panic safety”: malicious inputs trigger recoverable errors instead of system crashes, and each engineer wrote extensive test suites, including fuzzers that auto‑generate problematic inputs.

Developer Trade‑offs

Open‑source maintainer Alex Gaynor notes that decoding DNS messages should never be a security‑critical surface, yet unsafe languages make it so.

ISRG co‑founder Josh Aas praises the study as compelling evidence that memory‑safe languages materially improve system security.

Immunant CEO Per Larsen says the experiment, though smaller than Google’s findings, still validates Rust’s promised security impact.

Speed Advantage

The most surprising outcome was development time: a safe C implementation of the same functionality took at least three times longer than the Rust version.

Marc Schoolderman explains that Rust not only prevents mistakes but also enables faster, safer code production.

Why Rust Succeeds Where C Struggles

The underlying C bug stems from unchecked memory offsets, implicit trust of input data, potential infinite loops, and missing buffer‑overflow checks.

Unchecked memory offsets allow arbitrary reads/writes.

Implicit trust of input data without validation.

Potential infinite loops due to circular references.

No checks to prevent output buffer overflow.

Rust’s design avoids these issues by default:

1. Memory‑Safety Guarantees: The ownership system makes buffer overflows and use‑after‑free virtually impossible unless safety checks are explicitly bypassed.

2. Expressive Type System: Encourages clear data validation and explicit error handling.

3. Testing Culture: Rust’s ecosystem emphasizes property‑based testing and fuzzing, catching edge cases developers might miss.

Beyond Academic Examples

Similar DNS‑related bugs were found in four other network libraries (collectively named NAME:WRECK). The experiment adds empirical support to claims from Google, Microsoft, and others that memory‑safe languages dramatically reduce vulnerability risk.

The Future of Systems Programming

As embedded, IoT, and critical‑infrastructure devices become ever more interconnected, the cost of security flaws escalates. Tweede Golf’s findings demonstrate that modern memory‑safe languages like Rust provide a viable path forward, delivering both safety and faster development of reliable systems.

David Mytton concludes that for system‑level network code, Rust is currently the best tool, and he sees little reason to continue using C for such tasks.

Editor: 手扶拖拉斯基

Related reading:

Why is Microsoft porting TypeScript to Go instead of Rust?

2024 Rust Survey: Most Developers Worried About the Language’s Future

PHP Critical Code Security Audit Finds Flaws