Microsoft has released code on GitHub that enables developers to write Windows drivers in Rust, a key step toward enabling memory-safe programming for the operating system. Azure CTO Mark Russinovich posted the link on X with the comment: "Working hard to develop Windows drivers in Rust."
This work goes back many years. In July 2019, Microsoft Research posted that it wanted to "eliminate an entire class of vulnerabilities before they occur," made the case for a memory-safe language, and said that "one of the most promising newer systems programming languages that meets these requirements is the Rust programming language originally invented by Mozilla."
The company promotes Rust not only for its memory safety, but also for its data race safety - ensuring that "two or more threads cannot access a stretch of memory asynchronously."
In 2022, Russinovich announced: "It is time to stop starting any new projects in C/C++ and use Rust when you need to use a non-GC language. For the sake of safety and reliability, the industry should declare these languages obsolete." GC or garbage-collected languages such as C# and Java are suitable for commercial applications, but not for the underlying system code.
Windows itself is mainly written in C and C++. "Due to various technical and historical reasons, most user-mode code is now written in C++, but most of the kernel code is still written in C," Raymond Chen, a long-time Microsoft software engineer, said in 2018. Although Windows 11 has appeared since then, the operating system was not rewritten for the new version. The Windows Driver Kit that hardware manufacturers use to make their devices run on Windows is likewise a C/C++ toolkit.
According to the release notes for the new Rust-based driver toolkit, it aims to support both WDM (Windows Driver Model) and WDF (Windows Driver Framework) drivers. WDM drivers are lower level and tightly tied to the operating system, while WDF drivers interact with the system through framework libraries. The initial repository focuses on the WDK.
The description adds: "The project is still in the early stages of development and is not yet recommended for commercial use. Microsoft encourages experimentation and feedback, noting that developers can seek feedback in the GitHub discussion forum in the repository."
An early question is how to handle exceptions. One developer said: "Structured exception handling is an integral part of Windows development for the Windows kernel (and the operating system as a whole), and is a real obstacle to making Rust a reality for Windows kernel development. Rust has no exceptions, it prefers to use result variables to report recoverable errors, and on unrecoverable errors it exits with a crash failure. In kernel code, such a crash is undesirable because it will cause the system to crash as a whole."
Developer Johnny Shaw quotes Linus Torvalds on the Linux kernel (which also uses Rust): "Because kernel code is different from random userspace system tools. Memory exhaustion must not cause an abort. It only needs to cause an error return." Torvalds sees this as a "fundamental problem."
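The two quotes above describe the same rule from both sides: a kernel component must report a failed allocation as an error return, never as a panic or abort. The following is an added example, not code from Microsoft's windows-drivers-rs repository, showing how Rust expresses that rule with its fallible allocation API. The `DriverStatus` type and `build_buffer` function are hypothetical, and the example uses `std` rather than any WDK binding so it runs on an ordinary host.

```rust
// Added example (not from Microsoft's windows-drivers-rs repository): a Rust
// component reports memory exhaustion as an error return instead of aborting,
// using Vec's fallible allocation API. `DriverStatus` and `build_buffer` are
// hypothetical names chosen for this illustration.

use std::collections::TryReserveError;

/// Hypothetical status type for the "error return, not abort" rule.
/// Loosely modelled on NTSTATUS-style codes; the variants are illustrative.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum DriverStatus {
    Success,
    InsufficientResources,
    InvalidParameter,
}

/// Builds a zero-filled buffer of `len` bytes without panicking on
/// allocation failure. `try_reserve_exact` returns Err instead of invoking
/// the allocation error handler (which in std aborts the process, the
/// user-space analogue of a kernel bugcheck).
pub fn build_buffer(len: usize) -> Result<Vec<u8>, DriverStatus> {
    if len == 0 {
        return Err(DriverStatus::InvalidParameter);
    }
    let mut buf: Vec<u8> = Vec::new();
    buf.try_reserve_exact(len)
        .map_err(|_: TryReserveError| DriverStatus::InsufficientResources)?;
    // Capacity is already reserved, so this resize cannot reallocate.
    buf.resize(len, 0);
    Ok(buf)
}

/// Flattens the Result into a plain status code, the shape a C caller of a
/// driver entry point expects; nothing on the Rust side unwinds or panics.
pub fn build_buffer_status(len: usize) -> DriverStatus {
    match build_buffer(len) {
        Ok(_) => DriverStatus::Success,
        Err(status) => status,
    }
}

fn main() {
    // Constructed inputs: a small request, an invalid one, and one no
    // allocator can satisfy (usize::MAX bytes exceeds isize::MAX).
    for &len in &[64usize, 0, usize::MAX] {
        println!("request {:>20} bytes -> {:?}", len, build_buffer_status(len));
    }
}
```

The design point is that `try_reserve_exact` is the only place memory is requested, so every failure path surfaces as a `DriverStatus` value rather than reaching `handle_alloc_error`; a caller in C sees an ordinary status code and the system keeps running, which is exactly what the Torvalds quote demands of kernel code.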
Early code in Microsoft's new repository includes the following comments:
// FIXME: Should this trigger Bugcheck via KeBugCheckEx?
This problem shows that introducing Rust into the underlying Windows code is not as simple as adding Rust language bindings to the WDK API. However, the initial response has been generally positive. Memory safety issues account for a large proportion of Windows' security and stability issues, so adopting Rust is a viable solution.