US military turns to AI to automatically transpile risky software
The US Department of Defense's research arm, DARPA, is launching a new program called TRACTOR (Translating All C to Rust). The goal? Develop AI-powered tools capable of automatically converting legacy C code into the safer alternative, Rust. This initiative primarily aims to enhance memory safety, as memory safety bugs such as buffer overflows are a significant source of major vulnerabilities in large codebases.
C is vulnerable to memory safety issues
C, while powerful, is notorious for its vulnerability to memory safety issues. This vulnerability opens the door for hackers to exploit software flaws, leading to security breaches. Rust, on the other hand, is designed with memory safety in mind, making it less susceptible to these attacks. DARPA hopes that by automating the translation process, they can drastically improve the security of critical software systems. Large language models (LLMs) and other machine learning techniques are being considered to achieve this goal.
Tech giants advocate for memory safe programming languages
In recent years, tech giants like Google and Microsoft have underscored the problems caused by memory safety bugs. They have advocated for programming languages other than C and C++ that don't necessitate manual memory management. This advocacy has resonated with the public sector, which houses a significant amount of legacy code. As a result, entities such as the White House and the US Cybersecurity and Infrastructure Security Agency (CISA) are promoting memory safe programming languages like Rust.
DARPA stands firm on need for more secure software
Despite opposition from those involved with C and C++ oversight, who argue that diligent application of ISO standards and testing tools can achieve comparable results without resorting to Rust, DARPA remains steadfast. The agency maintains that relying solely on bug-finding tools is insufficient. After more than 20 years of grappling with memory safety issues in C and C++, there is a consensus within the software engineering community about the need for more secure software.
TRACTOR's role in enhancing memory safety
DARPA's program manager for TRACTOR, Dan Wallach, explained the process of using the tool. Users can visit any of the LLM websites and interact with an AI chatbot to request a code translation. Wallach stated, "here's some C code, please translate it to safe idiomatic Rust code," indicating that users simply need to paste their C code and wait for the translated Rust output. The challenge lies in improving this automated translation process from C to Rust.
Rust's popularity spurs security initiatives
Rust, first released stably in 2015, has built-in memory safety and is suitable for low-level, performance-sensitive systems programming. Its characteristics and popularity have spurred initiatives like Prossimo, a non-profit Internet Research Group's project to rewrite critical libraries and code in Rust to mitigate security risks. Josh Aas, executive director of the Prossimo project, noted that the large amount of C code running in today's internet infrastructure makes translation tools attractive.
Industry experts acknowledge challenges in automatic code conversion
Despite the attractiveness of translation tools, Aas also pointed out that current tools still require substantial manual work to produce correct and idiomatic results. Peter Morales, CEO of Code Metal, a company focusing on transpiling code for edge hardware, called the DARPA project promising and timely. However, Morales acknowledged the complexity of automatic code conversion, describing it as a "DARPA-hard problem" due to the numerous edge cases that arise when formulating rules for converting statements in different languages.
