The Great Refactor Initiative Aims to Secure Code through AI and Rust

By Tina Reynolds

In 2024, the U.S. federal government implemented The Great Refactor program. This ambitious initiative aims to improve software security by translating vulnerable code into the memory-safe programming language Rust. The program is a direct response to the acute cybersecurity crisis we face today, and it highlights the dangers of memory-unsafe languages such as C and C++, which are responsible for about 70 percent of software vulnerabilities. The Great Refactor is a campaign to rewrite at least 100 million lines of code from core open-source software libraries into Rust by 2030. The endeavor aims to avert future damages from cyberattacks, estimated at nearly $2 billion.

Rust exploded onto the scene in 2015 and soon became a household name. It matches the performance of C and C++ while providing memory safety. The Great Refactor will employ AI-powered coding tools to increase the productivity of the refactoring process. The goal is to dramatically improve the security of the thousands of software applications that underlie our technology infrastructure.
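To make the memory-safety contrast above concrete, here is a small added illustration, not code from The Great Refactor program or any of its teams. It shows a fixed-size buffer copy, the kind of C idiom that silently writes past the end of the buffer when the input is too long, translated into Rust in two ways: with an explicit length check that returns an error, and without one, where the language's bounds check turns the same overlong input into a panic rather than memory corruption. The buffer size, the `copy_into_fixed` and `copy_unchecked_length` function names, and the sample inputs are all constructed for the example.

```rust
// Added illustration (not code from The Great Refactor program).
//
// A typical C pattern that this kind of translation has to handle:
//     char buf[16];
//     memcpy(buf, input, input_len);   // no bounds check: writes past buf if input_len > 16
//
// Rust keeps the same fixed-size buffer, but every slice access is bounds-checked,
// so an overlong input becomes a visible failure rather than silent corruption.

const BUF_LEN: usize = 16; // constructed buffer size for the example

/// Copies `input` into a fixed 16-byte buffer. Returns the filled buffer,
/// or an error carrying the offending length when the input does not fit.
pub fn copy_into_fixed(input: &[u8]) -> Result<[u8; BUF_LEN], usize> {
    if input.len() > BUF_LEN {
        return Err(input.len());
    }
    let mut buf = [0u8; BUF_LEN];
    buf[..input.len()].copy_from_slice(input);
    Ok(buf)
}

/// The same copy without the explicit check. The slice indexing is still
/// bounds-checked by the language, so an overlong input panics instead of
/// writing past `buf` (the C version would have corrupted adjacent memory).
pub fn copy_unchecked_length(input: &[u8]) -> [u8; BUF_LEN] {
    let mut buf = [0u8; BUF_LEN];
    buf[..input.len()].copy_from_slice(input);
    buf
}

/// Runs `copy_unchecked_length` and reports whether the language stopped it.
pub fn overlong_input_is_caught(input: &[u8]) -> bool {
    std::panic::catch_unwind(|| copy_unchecked_length(input)).is_err()
}

fn main() {
    let short = b"hello";          // constructed input that fits
    let long = [b'A'; 32];         // constructed input twice the buffer size
    println!("{:?}", copy_into_fixed(short).map(|b| b[..5].to_vec()));
    println!("{:?}", copy_into_fixed(&long));
    println!("overlong input caught: {}", overlong_input_is_caught(&long));
}
```

The checked version is what a careful translation should produce: the length condition the C code left implicit becomes an explicit, testable error path. The unchecked version shows the floor Rust provides even when a translator (human or AI) forgets that check.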

Goals and Funding of The Great Refactor

The Great Refactor aims to convert a large part of our legacy code base into Rust, a shift that will improve the overall state of software security. The initiative creates a new “Focused Research Organization,” and the U.S. federal government intends to invest a further $100 million to bring it to fruition. That funding will continue to support the many teams that have been leading the project, each taking its own approach to the code conversion process.

As project lead Herbie Bradley noted, that conversion has to be done thoughtfully. He stated, “Possibly you’d want to take a little more care in the conversion and maybe use AI to help you, but very carefully.” This requires a whole other level of precision and detail: the translated code must meet the high standards required to guarantee secure software.

The teams in The Great Refactor have each taken different approaches. Some have adopted AI almost entirely, while others rely mostly on conventional conversion tools. High-fidelity key performance indicators assess the impact these teams are having, with an emphasis on correctness and performance: the resulting Rust code should be both sound and performant.

Challenges and Considerations

Despite optimism that AI could change the game for writing code, experts have voiced concerns about its shortcomings. Bradley noted that “There will never be a silver bullet for AI being 100 percent robust against doing the wrong thing, whether it is by hallucinating or by not understanding the assignment.” This caution underscores the need for human oversight to catch errors that automated translation can introduce.

Jessica Ji, a leading voice in software security, emphasized a further hurdle: keeping AI-translated code live and up to date. She commented, “Assuming everything goes well with the AI translation, the resulting Rust code will need to be maintained and monitored somehow.” Moving to Rust may bring new maintenance burdens, all the more so given the relative scarcity of Rust experts compared with those trained in C and C++. Ji added, “There are a lot fewer Rust experts out there than C/C++ experts, so the number of expert eyes on the codebase(s) will likely be fewer.”

Additionally, Josh Triplett wrote about the long-term maintainability of AI-translated code. He wrote that “If you do AI-translated code, you are likely to end up with code that is difficult for a human to maintain compared to what was manually translated.” This view underscores the need to focus on code quality during re-architecture and the later stages of the migration process.

Exploring New Frontiers in Software Development

The Great Refactor is off to an inspiring start. It will help find cutting-edge ways to combine techniques of classical computer science with the newfound powers of AI. Dan Wallach highlighted this aspect, stating, “The whole point of TRACTOR is to explore all the different ways you might mix and match, for lack of a better term, classical computer science with modern AI.” We believe that this exploration has the potential to make historic advances in the way we build and maintain software.

Wallach acknowledged that while AI seems promising for code translation, it is essential to leverage decades of research dedicated to software analysis. He stated, “AI seems promising, but we have decades of research into writing software to analyze other software.” This dual approach could bring significant improvements to safety and efficiency in software development.