The Shine on Rust

January 15, 2025

Blog

Although C and C++ continue to dominate embedded systems, the relatively new language, Rust, is showing promise as a language that provides much of the flexibility of older languages but with stronger guarantees of safe operation.

Elements of Rust use functional languages and other advanced concepts. But an important factor in the recent growth in Rust support is that Rust overcomes many of the memory-related problems encountered by C and C++ programmers and their users. These benefits are helping Rust gain recognition as a good choice for the development of new software modules for critical systems.

Thanks to its emphasis on reliability and memory safety, several large software companies are already major users of Rust.

Risky business

A significant difference between C/C++ and Rust lies in the treatment of pointers, which is low-overhead way to manipulate data in memory. However, pointers can be easily created and modified by a C or C++ program, making them risky to use.

Rust users can avoid this and other memory-safety issues by taking advantage of its strict rules and built-in support for memory allocation. The memory model supported by Rust also ensures that temporary memory structures will be safely deleted once they are no longer required by the program. Importantly for real-time systems, there is no need to run a garbage-collection process in the background.

The need for legacy

However, safety-critical development needs to be conservative. It is impractical and even undesirable to rewrite modules in a new language, even if its protection mechanisms offer significant advantages over legacy C or C++. Existing modules need to be verified once integrated into a target that includes large portions written in Rust or a similarly memory-safe language.

Caught in the Net

Errors caught by Rust at runtime can terminate a program completely, which is unacceptable in critical systems. Static tools can determine the likelihood of such an occurrence and warn the development team to fix any problems before product release.

There are also behaviours that are defined but not desired. For instance, some errors can trigger a “panic” state that can lead a system to crash. Detecting such unwanted behaviours is key in using an advanced static analyser for Rust.

Such tools will provide formal, verifiable proof of the absence of memory safety vulnerabilities that still exist in mixed legacy C/C++, as well as any newly written Rust code that could cause safety-critical software to behave unpredictably and dangerously. To prevent developers being overwhelmed with potential errors, there are tools that have been designed to limit the number of false positives to ensure they only point to code that is likely to suffer from memory-safety issues.

As Rust continues to make further inroads into high-criticality systems development, there will always be a need to verify that external code modules and low-level functions do not have latent issues that will disrupt operations in the field. Using additional static testing and verification ensures that developers will catch and fix undefined and undesired behaviours early in the integration cycle, and long before deployment.