The tech industry has started a revolution to make all software secure by design. One important driver of this change has been the rise of the programming language Rust, released in 2015, which emphasizes safe memory practices. From our security-audit launches to the Secure Coding Practices, demand is growing. The initiative known as “The Great Refactor” aims to convert 100 million lines of vulnerable, buggy C code in critical open-source software libraries into Rust by 2030. This especially ambitious project hopes to win one of the highly coveted $100 million advances. It would stop more than 700 cyberattacks that cause over $2 billion in losses.
Rust has been moving up the ranks and is winning the hearts of developers. Yet it is still behind more established languages such as C and C++ in terms of adoption. The language is meant to deliver performance on par with these languages while offering stronger memory safety guarantees. Interest in Rust is increasing because it offers numerous advantages. This excitement has resulted in programs like “The Great Refactor,” which aims to leverage progress in artificial intelligence (AI) to move away from legacy programming languages.
The Role of AI in Code Conversion
With the help of AI tools, code conversion has become faster and easier, and translating code into Rust is now a much more productive endeavor. Herbie Bradley, a planner specializing in the field, lauded the potential of these tools. He noted that they are predictably capable of translating programs of fewer than 1,000 lines of code while needing as little as zero oversight. AI tools now also show strong performance on larger programs, even ones with 5,000 lines, though these need a little more care to get the best results.
“Possibly you’d want to take a little more care in the conversion and maybe use AI to help you, but very carefully,” – Herbie Bradley
Bradley warned that although AI solutions are very promising, they are not a silver bullet. “There will never be a silver bullet for AI being 100 percent robust against doing the wrong thing, whether it is by hallucinating or by not understanding the assignment,” he explained. This represents a major and often overlooked consideration for developers and advocates already deep in the trenches of “The Great Refactor.”
The initiative’s success depends on AI tools. These tools need to address a much higher volume of vulnerabilities at once in a more streamlined, widespread process. A position paper suggests that a small team of fewer than 50 security engineers, AI researchers, and administrators could significantly impact key open-source libraries over a timeline of three to five years.
Diverse Approaches Under “The Great Refactor”
Under the umbrella of “The Great Refactor,” six teams have received funding and are exploring various methods for code conversion. These teams use a multitude of tactics. Some go all in on AI tools; others use older conversion methods, with generative models doing one part of the task.
The richness in approaches is an invitation to experiment. We believe it allows us to marry the rigor of classical computer science with the flexibility of contemporary AI approaches. Dan Wallach summarized this objective, stating, “The whole point of TRACTOR is to explore all the different ways you might mix and match, for lack of a better term, classical computer science with modern AI.”
AI holds massive promise for making code conversion more straightforward, but figures like Josh Triplett warn that such automated translations may yield code that is harder for people to maintain. He stated, “If you do AI-translated code, you are likely to end up with code that is difficult for a human to maintain compared to what was manually translated.” This view emphasizes the importance of continued human accountability even as AI technologies advance.
Challenges Ahead
Though there is plenty of optimism about the benefits that “The Great Refactor” may bring, some challenges are already apparent. Jessica Ji pointed out that convincing the U.S. government to provide funding at the envisioned scale could be a significant hurdle. Additionally, she noted a critical issue regarding expertise, stating that there are “a lot fewer Rust experts out there than C/C++ experts,” meaning fewer skilled individuals may be available to oversee the new codebases.
Given these challenges, Ji spoke to the need for upkeep and oversight of any AI-translated Rust code. She stated, “Assuming everything goes well with the AI translation, the resulting Rust code will need to be maintained and monitored somehow.” This transition from legacy code to newer programming languages is no simple feat. As we face this perpetual mandate, we must nevertheless choose between security and performance.

