Our Great Refactor initiative seeks to turn the tide of the software security landscape. Using just-in-time compilation, it instantly converts vulnerable code into the secure programming language Rust. This ambitious project is set to launch in early 2024. Its mission is to rewrite 100 million lines of code from key open-source software libraries into Rust by the year 2030. The initiative has garnered a $100 million financial investment from the U.S. federal government. It's worth noting that this much funding could stop more than 1,000 of the currently known, publicly disclosed cyberattacks that have led to $2 billion in losses.
Rust's first stable release was in 2015, and it was an immediate sensation. It has performance on par with C and C++, yet guarantees outstanding memory safety. The initiative proposes the establishment of a “Focused Research Organization” that will drive research and development efforts to facilitate this transition.
Objectives and Funding
The long-term goal of The Great Refactor is to improve software security by default, by eliminating vulnerabilities baked into codebases that already exist. By moving more of the codebase to Rust, developers are able to take advantage of the language’s built-in safety features to reduce vulnerability to cyberattacks. With the program expected to receive the highest level of federal funding yet, its central role in strengthening national cybersecurity capacity could not be clearer.
The project is led by Herbie Bradley, an ESA Ph.D. student at the University of Cambridge. He encourages communities to be intentional about the conversion process.
“Possibly you’d want to take a little more care in the conversion and maybe use AI to help you, but very carefully,” – Herbie Bradley
The project's goal is to involve the six participating teams in a process that allows them to experiment with different approaches and methods. These teams will not rely only on generative AI tools but will also use tried-and-true conversion techniques, applying generative AI when it makes sense to do so. The initial submissions from these teams were due in December, and an evaluation team is now reviewing those submissions to determine which teams will be funded.
Challenges and Considerations
While AI offers great potential in automating code translation, there are still hurdles to overcome. The tiny developer ecosystem surrounding Rust is a real worry. There are an order of magnitude fewer experts in Rust than there are in C and C++, as Jessica Ji, a senior research analyst at Georgetown University's Center for Security and Emerging Technology, illustrates here.
“There are a lot fewer Rust experts out there than C/C++ experts, so the number of expert eyes on the codebase(s) will likely be fewer.” – Jessica Ji
AI can, for example, help automatically translate large blocks of legacy code into new languages like Rust, says Ji. Ongoing maintenance and monitoring will always be necessary.
“Assuming everything goes well with the AI translation, the resulting Rust code will need to be maintained and monitored somehow,” – Jessica Ji
Josh Triplett, an open-source developer contributing to the Rust project, warns that AI-translated code may complicate maintenance efforts due to its complexity. He warns that this sort of code is harder for human engineers to review. It's usually more difficult to deal with than code that's been manually converted.
“If you do AI-translated code, you are likely to end up with code that is difficult for a human to maintain compared to what was manually translated,” – Josh Triplett
The Role of AI in Software Development
As exciting as the opportunities for AI to help develop software might be, the technology does have its limitations. Dan Wallach, a researcher involved in the project, notes that decades of research exist regarding software analysis and development practices. He's a big proponent of using traditional analysis approaches alongside the new things that AI can do.
“AI seems promising, but also we have decades of research into writing software to analyze other software,” – Dan Wallach
Wallach says that The Great Refactor wants to figure out better ways of bringing in classical computer science techniques, maybe even combining them with 21st-century AI techniques.
“The whole point of TRACTOR is to explore all the different ways you might mix and match, for lack of a better term, classical computer science with modern AI,” – Dan Wallach
The initiative reflects a growing trend in the tech industry: harnessing AI to improve software security and efficiency. As stakeholders walk this tightrope, they recognize the need for strong federal oversight and continued evaluation.

