The Great Refactor Aims to Revolutionize Software Security with AI-Powered Rust Conversion

By Tina Reynolds
In a radical intervention to make the world’s software more secure, the U.S. government initiated The Great Refactor program in 2024. The effort aims to automatically port vulnerable code written in memory-unsafe languages such as C and C++ into the memory-safe programming language Rust. The program’s goal is to have 100 million lines of code from critical open-source software libraries converted by 2030. This ambitious target is a much-needed step toward stemming the barrage of million-dollar-plus cyberattacks that have resulted in cumulative losses of over $2 billion.

The U.S. government is funding the program with a $100 million investment. With project lead Herbie Bradley at the helm, it is making steady progress, using cutting-edge AI-powered coding tools to make this massive change a reality. According to the figures cited, memory-safety exploits account for nearly 70 percent of software vulnerabilities, so the program is poised to have a large impact on the reliability and security of our software.

Addressing Software Vulnerabilities

The need for The Great Refactor program is compounded by the continued dominance of memory-unsafe languages. Despite their widespread adoption, these languages and the applications built on them have been tied to many of the vulnerabilities that bad actors exploit. Rust, which debuted in 2015, stands out as the most compelling alternative precisely because it guarantees memory safety while retaining high performance, both essentials for many applications.
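To make concrete what memory safety buys a port, here is an added example (it is not from the article, nor from the program's own tooling): a parser for a length-prefixed record of the kind found throughout C codebases, rewritten in Rust. The record format, the function names and the sample inputs are constructed for illustration. A C version that trusts the length byte reads past the end of the buffer, which is undefined behaviour and the classic root of information-disclosure bugs. In Rust, a direct index on the same bad input panics instead of reading out of bounds, and using `get` turns the bad length into an ordinary error the caller must handle.

```rust
// Added example, not part of the article or of The Great Refactor's tooling.
//
// Constructed record format: first byte is the payload length, followed by
// the payload. A C translation that trusts the length byte and does
// `memcpy(out, buf + 1, buf[0])` reads past the buffer when the length lies.

/// Errors a careful port surfaces instead of reading out of bounds.
#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// Buffer had no length byte at all.
    Empty,
    /// Length byte promised more payload than the buffer holds.
    Truncated { declared: usize, available: usize },
}

/// Naive line-by-line port: same logic as the C code, but Rust bounds-checks
/// every index, so a lying length byte causes a panic (a crash), never a
/// silent over-read of adjacent memory.
pub fn parse_record_naive(buf: &[u8]) -> &[u8] {
    let declared = buf[0] as usize;      // panics on an empty buffer
    &buf[1..1 + declared]                // panics if the buffer is shorter than declared
}

/// Careful port: the same check, but the out-of-range case becomes a value
/// the caller is forced to handle, so untrusted input cannot crash the program.
pub fn parse_record(buf: &[u8]) -> Result<&[u8], ParseError> {
    let (&len, rest) = buf.split_first().ok_or(ParseError::Empty)?;
    let declared = len as usize;
    // `get` with a range returns None instead of panicking when the range
    // exceeds the slice.
    rest.get(..declared).ok_or(ParseError::Truncated {
        declared,
        available: rest.len(),
    })
}

/// A typical helper built on the parser: sums the payload bytes. The `?`
/// operator propagates a malformed record up to the caller.
pub fn checksum(buf: &[u8]) -> Result<u32, ParseError> {
    Ok(parse_record(buf)?.iter().map(|&b| u32::from(b)).sum())
}

fn main() {
    // Constructed sample inputs: a well-formed record and one whose length
    // byte (10) promises far more payload than the two bytes that follow.
    let good = [3u8, 0x41, 0x42, 0x43];
    let bad = [10u8, 0x41, 0x42];

    println!("good: {:?}", parse_record(&good));
    println!("bad:  {:?}", parse_record(&bad));
    println!("checksum(good) = {:?}", checksum(&good));
}
```

The naive port already removes the memory-disclosure bug, because Rust refuses to hand out memory outside the slice, but a panic on attacker-controlled input is still a denial-of-service bug. This is the kind of follow-up judgement an automated translation does not make on its own, which is why the careful version returns a `Result`.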

The program’s ultimate aim is to thwart hundreds of future cyberattacks by translating vulnerable code. By moving important software libraries to Rust, the effort hopes to eliminate a major class of threats inherent in languages like C and C++. As Herbie Bradley reminded us, the transition must be navigated with caution and care.

“Possibly you’d want to take a little more care in the conversion and maybe use AI to help you, but very carefully,” – Herbie Bradley

As the evaluation team analyzes the initial results submitted by the six participating teams in December, it is evident that multiple strategies are being employed. The teams fall into two very different camps: some rely on AI end to end, while others start from classical conversion tools and augment them with generative models.

The Role of AI in Code Conversion

The incorporation of AI tools is the most prominent aspect of The Great Refactor. These tools are intended to simplify and accelerate the conversion process, while acknowledging the difficulties involved in any software conversion. As useful as AI sounds, experts warn that it is not the full answer.

Jessica Ji discussed the use of AI for converting existing code to Rust, emphasizing that continued maintenance and monitoring of the result would be crucial.

“Assuming everything goes well with the AI translation, the resulting Rust code will need to be maintained and monitored somehow,” – Jessica Ji

She also warned that the current shortage of Rust specialists might create problems in maintaining the newly converted codebases.

“There are a lot fewer Rust experts out there than C/C++ experts, so the number of expert eyes on the codebase(s) will likely be fewer,” – Jessica Ji

This sentiment reflects a broader concern among experts regarding the viability of relying solely on AI for such a critical task.

“If you do AI-translated code, you are likely to end up with code that is difficult for a human to maintain compared to what was manually translated,” – Josh Triplett

The Great Refactor is not just a conversion exercise; it also opens room for the exploration and innovation that software development rarely has time for. The approaches taken by the participating teams vary greatly, and this diversity offers important lessons on how classical computer-science techniques and state-of-the-art AI can be combined.

Exploring Different Approaches

Dan Wallach framed the effort as an exercise in combining approaches rather than betting on any single one.

“The whole point of TRACTOR is to explore all the different ways you might mix and match, for lack of a better term, classical computer science with modern AI,” – Dan Wallach

While the promise of AI holds great potential, Wallach also stressed that decades of research into software analysis should not be overlooked.

“AI seems promising, but also we have decades of research into writing software to analyze other software,” – Dan Wallach

This nuanced perspective underscores the need for careful consideration when leveraging AI in software development, particularly for widely used open-source libraries.