The Great Refactor is an initiative to increase software security. It achieves this by bringing high-risk code from managed languages to the safety-first language Rust. The program finally rolled out in 2024. In particular, it is a look into how new generative AI tools might complement existing, more traditional code analysis techniques to help automate that translation process. The initiative plans to convert 100 million lines of code in critical open-source software libraries into Rust by 2030, with an estimated investment of $100 million from the U.S. government.
Rust made its debut in 2015. It provides all of the capabilities and performance of C and C++, with better memory safety integrated into the language. Memory-unsafe languages such as C and C++ are far from going away, so they will continue to be a major contributor to software vulnerabilities. Approximately 70 percent of these vulnerabilities are the result of memory-safety attacks. The Great Refactor aspires to tackle that problem with its audacious goals.
A Focused Research Organization
As a distinct effort within The Great Refactor initiative, the U.S. government plans to partially fund a “Focused Research Organization.” This new organization will take the lead on the conversion process. It will help six teams learn how to translate code into Rust in various ways.
From innovative funding models to equity-driven planning, these teams employ a diverse array of tactics. While some are all-in on AI tools, others are committed to classical conversion approaches, with generative models limited to specific tasks for optimization. Opposite approaches simultaneously demonstrate a terribly naive understanding of the other side’s approach. Tethered to notes, they are advocating for an innovation in software development practices.
The teams turned in their initial deliverables in December, and an evaluation team is still picking through them with a fine-tooth comb. Herbie Bradley, a Ph.D. student at the University of Cambridge and the project’s principal investigator, cautions against an all-or-nothing approach to AI-assisted conversions.
“Possibly you’d want to take a little more care in the conversion and maybe use AI to help you, but very carefully,” – Herbie Bradley
With this new initiative, the Biden administration is taking an unprecedented step to address vulnerabilities lurking in legacy codebases. It further underscores the opportunity AI presents to dramatically improve software security.
Addressing Software Vulnerabilities
The Great Refactor’s goal is to rewrite 100 million lines of the most vulnerable code into Rust by 2030. This effort is about much more than translating code. More importantly, it proactively helps the nation avoid costly cyberattacks that could have an enormous impact on the economy. Estimates suggest that by enhancing code safety, the initiative could avert hundreds of cyberattacks with cumulative losses reaching approximately $2 billion.
Jessica Ji is a senior research analyst at Georgetown University’s Center for Security and Emerging Technology. She emphasizes the work yet to come even after we have AI translations.
“Assuming everything goes well with the AI translation, the resulting Rust code will need to be maintained and monitored somehow,” – Jessica Ji
Moreover, she raises a key concern about the availability of Rust expertise as opposed to C and C++ expertise.
“There are a lot fewer Rust experts out there than C/C++ experts, so the number of expert eyes on the codebase(s) will likely be fewer,” – Jessica Ji
These statements underscore the importance of not only translating code but ensuring its maintainability and security in the long term.
The Role of AI in Software Development
The Great Refactor initiative seeks to identify the most effective, safe, and equitable ways to integrate AI into software development processes. Though the technology is promising, experts urge caution and warn against over-reliance on AI to translate code. The promise of AI-generated code does come with significant risks, cautions Josh Triplett, an open source developer who’s been involved in the Rust project since its inception.
“If you do AI-translated code, you are likely to end up with code that is difficult for a human to maintain compared to what was manually translated,” – Josh Triplett
Dan Wallach, an expert in computer science, echoes these sentiments by emphasizing the importance of blending classical methods with modern AI techniques.
“AI seems promising, but also we have decades of research into writing software to analyze other software,” – Dan Wallach
He describes the initiative’s emphasis on striking a balance between established computer science practices and cutting-edge AI methodologies.
“The whole point of TRACTOR is to explore all the different ways you might mix and match, for lack of a better term, classical computer science with modern AI,” – Dan Wallach
These perspectives continue to illuminate the tension between finding efficiencies in the software development process and maintaining an efficient, flexible approach to emerging technologies.

