What you'll learn:
- How does Rust stack up against C and Ada for safety-critical applications?
- The issues that may be curtailing adoption of Rust.
- Case study of using Rust.
Do we really need a new programming language? With so many options already out there, it can seem excessive to create something new. What we have seen, though, is that these languages are either too general or too specialized.
At one end of the spectrum, Java and Python cater to a large set of use cases in the enterprise. Meanwhile, a language like Ada probably falls in the “too specialized” category. As a result, few people learn them, and the talent pool shrinks. A friend of mine told me that he said to his daughter that if she wants a job for life, she should learn Ada!
To be fair, I don’t think any language was specifically created with safety certification in mind. Languages like Python do memory management for the programmer, but with an interpreted language like Python, the programmer starts to lose the flexibility, freedom, and power that they love to program low-level hardware.
Furthermore, in the context of a safety-critical or security-critical application, all tools need to be certified. In the case of Python, the whole interpreter needs to be certified for it to be used in a mission-critical system, which becomes commercially impractical.
In a language like C, the burden of managing memory is all on the programmer, who is required to define the pointer needed to allocate the required memory before it can be used and must free the memory at the end. If the programmer forgets to do so, then you essentially have a memory leak, and eventually the program will crash.
In the hands of a competent programmer, C can be extremely powerful. You can do things in C that aren’t possible with any other language. However, guardrails like coding standards are needed, along with static-analysis tools and a newer set of tools to perform semantic analysis on your code.
Consequently, we often see a push to add MISRA coding standards, originally developed for the automotive industry, to instruct programmers on what they should/shouldn't do to make C/C++ suitable for safety-critical applications.
The Case for Rust
So, today, despite the challenges, companies creating systems that need to be safety and/or security certified default to developing in C, or C++, or Ada. Indeed, we have seen that the standard C++ library in most operating systems is upwards of 100,000 lines of code. With somewhere between two to four hours of time needed to certify each line of source code to ASIL D or DO178 DAL A levels, companies only pick the minimum subset of functionality required in C++ to manage the code base that needs to be taken through the certification process.
Ada, developed in the early 1980s, faces challenges due to its legacy status. While it offers capabilities that make it more conducive for safety and security applications, Ada is rarely taught in colleges anymore. This has led to a shrinking pool of programmers as those originally trained in the language start to retire.
One of the reasons security vulnerabilities can occur is due to a programmer using a language that offers too much freedom. Programmers want to be able to leverage the power of the language to develop efficient programs. This power is enticing as it can offer shortcuts or efficiency of how code is written, but it also has the potential of causing challenges further down the line once systems are deployed.
The MISRA coding standard could arguably be regarded as an afterthought. It provides 150+ rules on what can and cannot be done in C to place limits on the freedom offered by C. Effectively, MISRA attempts to corral developers into following a particular path: Don't use recursion; don't use pointers in a bad way; don’t use “go to” commands, etc.
We see this as an opportunity for Rust. It eliminates some of the key problems that exist with pointer management and manages memory without using garbage collection. The other primary appealing element of Rust is that its syntax is very similar to C. There are some obvious key differences, but it’s not the same as comparing a C program with one written in Ada.
Such familiarity becomes a feature in a way, serving as a catalyst for better adoption by C programmers. C programmers can be cynical particularly toward languages that don't give them the level of functionality and freedom they're used to. Rust attempts to provide such programming freedom while eliminating common sources of challenges that would affect safety and security. Moreover, some very efficient C/C++ to Rust converters help the migration.
What Barriers are Hindering Rust Adoption?
Companies like Amazon, Google, and Microsoft are adopting Rust, so in a way one could argue that there are no barriers! But for more deeply embedded systems, especially where safety and/or security certification are required, some gaps in the ecosystem need to be addressed.
Let me first state that there’s been some incredible progress this year. In July 2023, AdaCore announced early access availability of GNAT Pro for Rust. This enables customers to develop safety- and security-certifiable embedded applications using Rust while benefiting from the stability, security, and dependability from an established tools provider to the embedded market.
Then in October 2023, Ferrous Systems announced that it’s publishing Ferrocene, the Rust compiler for safety-critical and cybersecurity use, as an open-source project under the classic Rust license: Apache-2.0 OR MIT. Ferrocene is the main Rust compiler, but quality managed and qualified for use in automotive and industrial environments. All changes Ferrous made to improve compiler quality are in the main Rust project. Ferrocene 23.06.0 will be the first release of Ferrocene to be qualified according to ISO 26262 (ASIL D) and IEC 61508 (SIL 4).
From a safety ecosystem standpoint, it’s fair to say we’re still in the embryonic stage. For example, there’s no official coding standard for Rust yet, although some attempts have been made to define a MISRA-C equivalent for Rust. In addition, no commercial tool exists to perform static analysis, which can certainly be worked around as some of the open-source tools offer some static-analysis capabilities.
More challenging are aspects like code coverage. Today, there’s no qualified commercial tool we’re aware of that provides this for the Rust ecosystem. What that means is, if you have a Rust program and you need to certify it, there’s no mechanism to get code coverage at the source level.
We also lack a functionally safe set of libraries. Current offerings address more general-purpose use cases as opposed to functional safety.
Lynx’s Experience with Rust
Lynx started working with Rust in 2022. We engaged with a third party, Ferrous Systems, to create a basic Rust package to enable our customers to create Rust applications for both LynxOS-178, our DO-178C-certified real-time operating system, and LynxElement (our unikernel).
Our first focus was to enable a program written entirely in Rust to access our C libraries. It turned out to be fairly straightforward, which in itself, is a huge benefit. This is because we envision a very long phase, especially associated with upgrades to legacy systems, brownfields if you will, where there’s a desire to reuse existing, proven software while delivering new functionality using Rust. This important milestone proved that the “mix and match” environment is viable.
Our approach to using Rust is threefold:
- Helping customers create Rust programs and use them seamlessly with other Lynx software, including C libraries. As mentioned above, we’re well on the way here.
- Convert certain programs and create new programs in Rust, which has no requirement for certification to be initiated.
- With the safety ecosystem in place, broaden the use of Rust across Lynx’s DO-178 DAL-certified products.
Where are We Headed as an Industry?
Based on what we’re hearing in the ecosystem and end customer interest, this is what we believe is achievable in the next three years.
First, in terms of general embedded industry support, I predict that we will have:
- Commercial Rust development environments that include compiler, debugger, and standards libraries.
- A breadth of real-time operating systems, both proprietary and open source, supporting execution of Rust applications (i.e., providing native libraries).
- Commercial integrated development environments (IDEs) that offer seamless Rust support.
- A number of code examples and, potentially, tools to assist companies in the migration of Ada, C, and C++ code to Rust.
From a safety ecosystem standpoint, the following gaps mentioned above will have to be filled along with the following additional considerations:
- Compiler qualification
- Coding rules for Rust (such as MISRA-C)
- Static-analysis tool support
- Code-coverage tool support
The programming world is constantly evolving, with new languages emerging to address limitations in existing options. While languages like C, C++, and Ada still dominate in systems requiring certification, they pose challenges for safety and security. Newer languages, meanwhile, often prioritize convenience over control.
Learning More About Rust
The ideal language for certified systems would blend power, safety, and accessibility. Rust, with strong memory management, standards, and optimized code, could become the new gold standard.
The search continues for this ideal programming language—one that empowers developers while preventing critical failures. It would be a breakthrough that makes software more reliable across industries dealing with mission-critical systems. The benefits of its development deserve continued attention and resources. Any broad adoption of Rust will require a whole new generation of programmers trained in Rust.
If you’re interested in learning more, here are a few resources I recommend:
- A Rust training class created by Google on Github.
- The Rust Blog.
- The blog by Ferrous Systems. It’s been heavily involved in creating practical Rust solutions for a diverse set of markets, including the federal market, with Lynx, as well as for the industrial and automotive sectors.
- Shane Miller, an advisor to the Rust Foundation and a Fellow for the Atlantic Council working as part of their Digital Forensic Research Lab: https://twitter.com/SkippersWif.