206

To accelerate the transition to memory safe programming languages, the US Defense Advanced Research Projects Agency (DARPA) is driving the development of TRACTOR, a programmatic code conversion vehicle.

The term stands for TRanslating All C TO Rust. It's a DARPA project that aims to develop machine-learning tools that can automate the conversion of legacy C code into Rust.

The reason to do so is memory safety. Memory safety bugs, such buffer overflows, account for the majority of major vulnerabilities in large codebases. And DARPA's hope is that AI models can help with the programming language translation, in order to make software more secure.

"You can go to any of the LLM websites, start chatting with one of the AI chatbots, and all you need to say is 'here's some C code, please translate it to safe idiomatic Rust code,' cut, paste, and something comes out, and it's often very good, but not always," said Dan Wallach, DARPA program manager for TRACTOR, in a statement.

you are viewing a single comment's thread
view the rest of the comments
[-] Anticorp@lemmy.world 16 points 3 months ago

But if they have fully tested and safe C, and they're converting it to Rust using AI, that seems more dangerous, not less.

[-] calcopiritus@lemmy.world 4 points 3 months ago

Just recently a bug was found in openssh that would let you log into the root user of any machine. With extreme skill and luck of course, but it was possible.

OpenSsh is probably one of the most safe C programs out there with the most eyes on it. Since it's the industry standard to remotely log in into any machine.

There is no such thing as fully tested and safe C. You can only hope that you find the bug before the attacker does. Which requires constant mantainance.

The the about rust is that the code can sit there unchanged and "rust". It's not hard to make a program in 2019 that hasn't needed any maintainance since then, and free of memory bugs.

[-] Anticorp@lemmy.world 1 points 3 months ago

Just so you know, that bug was a months long hack, probably by a State actor, not just something they didn't spot before.

[-] calcopiritus@lemmy.world 1 points 3 months ago

It still goes to show that there's no fully tested C code. I'm sure OpenSSH has had the eyes of thousands of security researchers in it. Yet it still has memory-related bugs.

[-] onlinepersona@programming.dev 0 points 3 months ago

There is no fully tested and safe C. There's only C that hasn't had a buffer overflow, free after use, ... yet.

It's hyperbole, but the amount of actually tested C without bugs is few and far between. Most C/C++ code doesn't have unit, nor integration tests, and I have barely seen fuzzing (which seems to be the most prominent out there).

Anti Commercial-AI license

[-] zaphod@sopuli.xyz 2 points 3 months ago

free after use

That would be perfectly safe in any language.

[-] MonkderVierte@lemmy.ml 1 points 3 months ago

Safest C is a Hello World program.

this post was submitted on 04 Aug 2024
206 points (96.4% liked)

Programming

17342 readers
327 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev



founded 1 year ago
MODERATORS