Code Wars: Rust vs. C in the Battle for Billion-Device Safety
A recent experiment by a Dutch Rust engineering consultancy, Tweede golf, demonstrates exactly why Rust is rapidly gaining adoption in safety-critical applications.
Software vulnerabilities can affect billions of devices, from ultrasound machines to critical avionics systems, so the programming languages we choose matter more than ever.
“Rust offers three core advantages: inherent memory safety (with clear markers when using unsafe code), strict compile-time checks that catch bugs early and first-class test ergonomics that promote high code coverage,” David Mytton, CEO of Arcjet, a developer-first security platform provider, told The New Stack.
The 3-Billion Device Problem
In 2021, security researchers discovered a critical vulnerability in Siemens’ Nucleus real-time operating system: software running on more than 3 billion devices worldwide. The vulnerability, part of a collection dubbed “NAME:WRECK,” allowed attackers to craft malicious DNS responses that could lead to device crashes or even complete takeovers.
“But, it is possible to craft phoney ‘DNS responses’ containing intentional ‘mistakes’. Malicious hackers could use this to trick Nucleus into writing to memory locations that it really shouldn’t,” wrote Marc Schoolderman, a systems software engineer at Tweede golf, in a blog post.
The potential impact was enormous — imagine hackers remotely compromising ultrasound machines, storage systems or avionics equipment through a simple networking vulnerability.
The Experiment: C vs. Rust in Real-World Security
To test whether Rust could have prevented this vulnerability, Tweede golf designed an experiment. They gave four engineers (two staff members and two interns) a brief description of the DNS message encoding protocol (RFC1035) and asked them to implement a solution in Rust within just three to four hours.
The engineers had no prior knowledge that they were recreating code with known vulnerabilities. Their Rust implementations were then tested against the same problematic inputs that crashed the original C implementation.
The Results: Safer by Design
The results were striking. While the original C code failed on multiple test cases (with 7 out of 12 tests resulting in exploitable conditions), none of the Rust implementations contained arbitrary code execution vulnerabilities.
“Nobody felt the need to use unsafe Rust,” wrote Schoolderman, referring to Rust’s escape hatch that allows programmers to bypass safety checks when necessary.
All the Rust solutions were “panic safe,” meaning they would result in recoverable errors rather than system crashes when fed malicious input. And despite the time constraints, all engineers wrote thorough test suites, including fuzz tests that automatically generate problematic inputs.
Developers Weigh In
“I think this experiment is a great example of the value that memory-safe programming languages bring,” Alex Gaynor, an open source maintainer working on Python and Rust projects, told The New Stack. “Decoding DNS messages is not the sort of thing that should be able to have critical security vulnerabilities that put systems at risk, but unfortunately with memory-unsafe languages, that’s the status quo.”
Moreover, “this simple research shows yet another example that making languages memory safe by default goes a long way to building overall safer systems,” he added.
Josh Aas, co-founder and executive director of the Internet Security Research Group (ISRG), said he thinks it’s great that Tweede golf took the time to dig in and validate the claim in an interesting way. “People shouldn’t have to take claims about Rust’s safety at face value, and this is another strong piece of evidence,” he told The New Stack.
For instance, “ISRG’s Prossimo project has been investing in memory-safe DNS in order to avoid precisely the kind of problem described. Hickory DNS is a high-performance recursive DNS resolver written in Rust, and we hope to deploy it in our Let’s Encrypt certificate authority over the next year,” Aas said.
While the Tweede golf experiment is a smaller effort than the Google findings they link to, it provides another piece of evidence that Rust does have the security impact one would hope for, Per Larsen, CEO of Immunant, a systems software consultancy, told The New Stack.
“The folks at Tweede golf are doing a great job moving software from C to Rust,” he said. “We have a great working relationship with them and have a positive impression from our interactions with them. They are regularly contributing to our c2rust migration tools, so that’s a huge plus in my book.”
Meanwhile, “I think it’s a brilliant post, it buttresses the point of safety Rust has over C/C++ even with real-life scenarios,” Joshua Aminu, a senior Rust developer working as a contractor in Lagos, Nigeria, told The New Stack.
Development Speed Advantage
Perhaps the most surprising result was the development time advantage. According to Tweede golf, implementing a truly secure C version of the same functionality “took at least three times the amount of time” compared to the Rust implementations, even when armed with foreknowledge of the vulnerabilities.
“At Tweede golf, we don’t just use Rust because it prevents us from making mistakes — we’re also using it because it enables us to write safer software, and being quick at the same time,” Schoolderman explained.
Why Rust Succeeds Where C Struggles
The original vulnerability stemmed from classic C programming issues: unchecked memory access, lack of bounds checking and implicit trust of external inputs. A brief look at the vulnerable C code reveals several critical issues:
- Unchecked memory offsets that allowed attackers to read or write arbitrary memory locations
- Implicit trust of input data without validation
- Potential infinite loops caused by circular references
- No checks to ensure output buffers wouldn’t overflow
In contrast, Rust’s design philosophy prevents these issues by default:
- Memory safety guarantees: Rust’s ownership system makes buffer overflows and use-after-free vulnerabilities nearly impossible without explicitly choosing to bypass safety checks.
- Expressive type system: Rust’s robust type system encourages clear data validation and explicit error handling.
- Testing culture: The Rust ecosystem strongly emphasizes testing, including property-based and fuzz testing, which finds edge cases that humans might miss.
Beyond Academic Examples
This wasn’t merely an academic exercise. Similar DNS-related vulnerabilities were found in four other networking libraries, collectively called NAME:WRECK. The experiment adds empirical weight to what Google, Microsoft and other tech giants have been saying: memory safety issues account for a large percentage of security vulnerabilities, and languages like Rust significantly reduce these risks.
The Future of Systems Programming
As embedded systems, Internet of Things (IoT) devices and critical infrastructure become increasingly connected, the costs of security vulnerabilities grow exponentially. Tweede golf’s experiment provides compelling evidence that modern memory-safe languages like Rust offer a path forward — not just by preventing certain classes of bugs, but by enabling faster development of more reliable, secure systems.
The message is clear: when it comes to software operating critical systems that affect millions or billions of people, the programming language choice is no longer just about developer preference — it’s about fundamental security and safety.
“For system-level networking code, Rust is likely the best tool available today — its benefits over C are overwhelming, and I can’t see a reason to choose C for those problems today,” Mytton said.
Nitpicking?
“While I’m sure one can pick nits with the research methodology (e.g., small sample size, programmers are more diligent in tests than in real life), I think what we see here really reproduces what we see in large-scale industrial settings like [Google’s], and that should give us confidence that these results really reflect the kind of benefits organizations can get from writing code in memory-safe languages,” Gaynor said.
Moreover, claiming universal “time and money” savings needs a qualifier, Mytton said.
“Yes, that’s probably true when compared to C and when solving system-level problems,” he said. “But against other safe languages like Python or Go? The cost-benefit analysis is much more complex. It’s difficult to find experienced Rust developers with production experience, and as you go up the stack, Python or Go are much faster to iterate with.”
