In the next decade, America’s cybersecurity will become incomprehensibly dependent on the market’s ability to supply thigh high socks and cat ear headbands, as DARPA, the U.S. military’s Defense Advanced Research Projects Agency, has announced TRACTOR, an initiative to automate the transition of systems written in “legacy” C code to Rust.
“The TRACTOR program aims to achieve a high degree of automation towards translating legacy C to Rust, with the same quality and style that a skilled Rust developer would employ, thereby permanently eliminating the entire class of memory safety security vulnerabilities present in C programs,” according to Dr. Dan Wallach, a program manager at DARPA’s Innovation and Information Office (I2O). “Performers might employ novel combinations of software analysis (e.g., static analysis and dynamic analysis), and machine learning techniques (e.g., large language models).”
According to a report (PDF download) released by DARPA’s I2O, the TRACTOR program is looking for proposals due to C and C++’s lack of safety around array bound checks and pointer arithmetic: typical manual memory management security issues. The report even references Google’s and Microsoft’s claims that 70% of security bugs in Chrome and Microsoft products can be attributed to memory safety issues.
It makes sense. Manual memory management is a cognitive burden in languages like C and in older versions of C++. When these memory issues go uncaught, malicious actors can exploit them for, amongst other exploits, remote code execution and elevation of privilege attacks.
If you’re interested in working on TRACTOR, you’re in luck. The agency is holding a Hybrid Proposers Day on August 26th in Arlington, Virginia. You’ll just need to register online.
“We’re so Back,” say Manual Memory Management Chads
C3 is a new systems programming language written by Christoffer Lerno and contributors, pitching itself as “an evolution, not a revolution”. Targeting developers who like C, this LLVM wrapper offers full C ABI compatibility, a module system, pointer + length slices, reflection, and cross compilation support while saying au revoir to some of C’s more dated features.
C3 continues the trend of new languages being built with manual memory management in our post-Rust world simply for the fact that people like writing C and C++. I count myself amongst these fools, so what is writing C3 like?
First, C3 is a young language (v0.6.1). Things are bound to break, change, and be removed. You shouldn’t use it for any important production projects unless you can live with the chaos of prerelease software. That being said, I think C3 is promising. The amount of code Lerno and contributors have written, plus the fact that an actively developed language server and VS Code extension exist for the language already, fills my heart with hope. There’s a community behind this project, great documentation (Zig could learn a thing or two), and Lerno is more than responsive. When I first discovered this language, I noticed some small typos in the documentation website. Not only did Lerno spot and respond to my PRs instantly (I accidentally sent it to the old documentation repo), he merged it within minutes.
To speak in Tech Twitter/X parlance, C3 has vibes.
Only time will tell if C3 becomes a successful language, but I’ll be keeping my eye on it in the meantime.
I’m hopeful more new low-level languages that manually manage memory come to the popular sphere in the next few years. On its own, manual memory management is not a bad development paradigm. With proper tooling, smart pointers, and respect for the craft, incredible optimizations can be made with manual memory management.