The Great Refactor initiative has recently kicked off to address risky security vulnerabilities in software. The effort involves translating important code into Rust, a programming language known for its focus on safety. The project launched in early 2024. Its goal is to rewrite 100 million lines of code in key open-source software libraries in Rust by 2030. The project aims to capitalize on emerging AI-powered coding tools, pairing them with more conventional code analysis techniques to automate the conversion process.
Paid for by the U.S. federal government, the newly introduced initiative calls for creating a single “Focused Research Organization” that would coordinate the conversion. The project is timely because memory-unsafe languages such as C and C++ remain industry gold standards, and they account for more than 70% of software vulnerabilities. Herbie Bradley, a Ph.D. student at the University of Cambridge, is spearheading the project. He explains how this program has the potential to significantly improve cybersecurity.
Project Objectives and Structure
The Great Refactor Software Security Initiative is working to reduce those vulnerabilities, in part by rewriting current vulnerable code in Rust. This cutting-edge, safe, high-level language can deliver performance on par with C and C++ while adding memory safety features that prevent many common programming mistakes and the security vulnerabilities that follow from them. The goal of the initiative is to have a Rust version of any major library you could think of within five years or so.
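What those memory safety features mean for one translated routine, as an added Rust example that is not code from the article or the Great Refactor project. The record layout, function names and sample bytes are constructed for illustration: a C parser that trusts a length field can read past its buffer, while the literal Rust port panics on the same input and the idiomatic port returns an error.

```rust
// Added illustration; not code from the article or the Great Refactor project.
// Constructed record layout: [kind: u8][len: u16 big-endian][payload: len bytes]
// The C pattern being replaced trusts the length field it was sent:
//     uint16_t len = (buf[1] << 8) | buf[2];
//     memcpy(out, buf + 3, len);   /* over-reads when len > bytes received */

#[derive(Debug, PartialEq)]
pub enum ParseError {
    TruncatedHeader,
    LengthExceedsBuffer { claimed: usize, available: usize },
}

#[derive(Debug, PartialEq)]
pub struct Record<'a> {
    pub kind: u8,
    pub payload: &'a [u8],
}

/// Idiomatic port: every access is checked and a bad length is a returned error.
pub fn parse_record(buf: &[u8]) -> Result<Record<'_>, ParseError> {
    let (kind, claimed, rest) = match buf {
        [kind, hi, lo, rest @ ..] => (*kind, u16::from_be_bytes([*hi, *lo]) as usize, rest),
        _ => return Err(ParseError::TruncatedHeader),
    };
    let payload = rest.get(..claimed).ok_or(ParseError::LengthExceedsBuffer {
        claimed,
        available: rest.len(),
    })?;
    Ok(Record { kind, payload })
}

/// Literal port: same arithmetic as the C code. Slice indexing is bounds-checked,
/// so an oversized length panics instead of returning adjacent memory.
pub fn parse_record_literal(buf: &[u8]) -> &[u8] {
    let len = ((buf[1] as usize) << 8) | buf[2] as usize;
    &buf[3..3 + len]
}

fn main() {
    // Constructed inputs: a well-formed record and one whose length field lies.
    let good: [u8; 5] = [0x01, 0x00, 0x02, 0xAA, 0xBB];
    let lying: [u8; 4] = [0x01, 0x40, 0x00, 0xAA];
    println!("{:?}", parse_record(&good));
    println!("{:?}", parse_record(&lying));
    let caught = std::panic::catch_unwind(|| parse_record_literal(&lying).len());
    println!("literal port panicked: {}", caught.is_err());
}
```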
To realize these objectives, the program convened six research teams. Each team is digging deep into a different approach to the code translation process, and the strategies vary widely. Some jump in full-throttle with AI tools, while others continue as they have for years, using traditional conversion techniques with limited or no support from AI. The evaluation team is currently reviewing these teams’ submissions. They’re developing and prioritizing important criteria, such as the correctness, performance, and maintainability of the converted code.
“There will never be a silver bullet for AI being 100 percent robust against doing the wrong thing, whether it is by hallucinating or by not understanding the assignment.” – Herbie Bradley
The sticky wicket is much more than just the painful process of conversion. It’s really important that whatever code you get at the end of the day is maintainable and monitorable. That’s an enormous problem, according to Jessica Ji, a senior research analyst at Georgetown University’s Center for Security and Emerging Technology. We’ll need to be vigilant with any AI-translated code to ensure its continued functionality and reliability.
Funding and Challenges Ahead
Getting funding from the U.S. federal government for such a large and sprawling project is no simple task. Ji emphasizes that if the national initiative fails to convince local and state policymakers of the need to support it, it won’t succeed on any meaningful scale. The proposed budget for the Great Refactor initiative stands at around $100 million, which Herbie Bradley estimates could prevent hundreds of cyberattacks with cumulative losses potentially reaching $2 billion.
The initiative’s success will depend on how well it strikes a balance between AI advancement and persuasive, proven computer science pedagogy. Dan Wallach sees potential in AI tools, but he cautions against skipping over the past 30 years of software analysis research to chase shiny new technology.
“AI seems promising, but also we have decades of research into writing software to analyze other software.” – Dan Wallach
Though there are still hurdles to funding and maintainability, Bradley is hopeful the proof-of-concept project will serve as an impetus to expand and innovate in cybersecurity. “With the right level of investment and purposeful implementation, we could make real progress on software security,” he says.
The Future of Code Conversion
As the Great Refactor initiative moves forward, converting legacy code into Rust will have broader implications. Security is just part of it. The initiative will hopefully drive further Rust adoption by developers, as more mature libraries are created and contributed to the ecosystem. Experts warn that the move won’t be so smooth.
Josh Triplett is an open-source developer who is deeply involved with the Rust project. His point underscores the most important piece of advice when using AI to translate code. He warns that AI-generated code might ultimately be more challenging for human engineers to maintain compared to manually translated alternatives.
“If you do AI-translated code, you are likely to end up with code that is difficult for a human to maintain compared to what was manually translated.” – Josh Triplett
The blend of AI technologies and classical software engineering methods will play a vital role in determining the project’s overall success. As teams submit their results and refine their approaches, the goal remains clear: create secure and maintainable software infrastructures that can withstand future cyber threats.

