Master Thesis - Secure Coding in Rust i Göteborg, Sweden

Background

Cyber-attacks are on the rise, and specifically we see an increase in attacks on telecom infrastructure.  Attackers are more competent, have larger resources and use more sophisticated hacker tools which enables more complex exploits. Although efforts are made to write secure code, the use of languages which are inherently unforgiving, e.g., C/C++, makes it difficult to avoid vulnerabilities. Large parts of deployed code are written in such languages, and it is not clear how easy it is to replace that with equivalent code written in safer languages or what security benefits can be achieved.

In this Master Thesis proposal, we investigate challenges and impacts with such replacements. In particular, we explore the use of the type safe programming language Rust to re-implement a module in Ericsson’s code base in order to reduce the risk for introducing vulnerabilities in the code. The language design in Rust prevents from many bugs that are commonly used in exploits, such as buffer overflows, dangling pointers, race conditions, etc. The price to pay for such guarantees is to program with a different style than C/C++, where Rust restricts the usage of resources available to programers. Due to safety and security, Rust forbids programmers from writing circular data structures (often used in C/C++). We will investigate the feasibility of replacing them with others data structures more amenable to Rust's programming model. Rust also provides good performance, in some benchmarks close to the performance of a C/C++ implementation, which is a condition for many use cases at Ericsson. We will compare the performance of the two implementations, and investigate the opportunities to create drop-in replacement modules in Rust. Furthermore, ways to quantify the security gains of the Rust implementation will be explored.

The students will be located at Ericsson in Lindholmen, Gothenburg.

Goals:

▪ Study SOTA in secure coding in terms of programming language, processes, tools, etc and relate to the software development process at Ericsson.

▪ Investigate the effort for a programmer to learn Rust and to re-implement a module in C/C++ using Rust’s safe language design. Also consider the communication with other modules e.g. via C/C++ APIs.

▪ Measure performance of the Rust implementation of the Ericsson module and compare against the original C/C++ implementation. What are the consequences of the performance impact?

▪ Analyze how the potentials for attacks and consequences of attacks are affected. What security properties can be stated about the module implemented in Rust? How can we quantify the security gains of the new implementation?

Prerequisites:

▪ This thesis is done by preferably two students from XXXX or similar education.

▪ The students should have excellent skills in C/C++ programming, a strong system background and good knowledge of software security concepts.

▪ The students should have experience of programming languages with advanced type systems but any previous knowledge of Rust is not required.

▪ The thesis starts in January 2019.

Contact information:

▪ Ulf Damberg, ulf.damberg@ericsson.com

▪ Alejandro Russo, , Chalmers,  russo@chalmers.se

Ericsson provides equal employment opportunities (EEO) to all employees and applicants for employment without regard to race, color, religion, sex, sexual orientation, marital status, pregnancy, parental status, national origin, ethnic background, age, disability, political opinion, social status, veteran status, union membership or genetics.

Ericsson complies with applicable country, state and all local laws governing nondiscrimination in employment in every location across the world in which the company has facilities. In addition, Ericsson supports the UN Guiding Principles for Business and Human Rights and the United Nations Global Compact.

This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation, training and development.

Ericsson expressly prohibits any form of workplace harassment based on race, color, religion, sex, sexual orientation, marital status, pregnancy, parental status, national origin, ethnic background, age, disability, political opinion, social status, veteran status, union membership or genetic information.

Primary country and city: Sweden (SE) || || Göteborg || Stud&YP

Req ID: 262117