Bringing Rust to Safety-Critical Systems in Space

TL;DR

This paper advocates for adopting Rust in safety-critical space systems, providing practical guidelines, a rewriting procedure from C, vulnerability fixes, and a new compiler target to enhance safety and applicability in aerospace projects.

Contribution

It offers a comprehensive overview of Rust's potential in safety-critical aerospace systems, a pragmatic rewriting procedure from C, vulnerability discoveries, and a new compiler target for space hardware.

Findings

Identified and fixed three vulnerabilities in satellite communication protocols.

Developed a procedure for partially rewriting C systems in Rust.

Introduced a Rust compiler target for bare metal PowerPC.

Abstract

The development of safety-critical aerospace systems is traditionally dominated by the C language. Its language characteristics make it trivial to accidentally introduce memory safety issues resulting in undefined behavior or security vulnerabilities. The Rust language aims to drastically reduce the chance of introducing bugs and consequently produces overall more secure and safer code. However, due to its relatively short lifespan, industry adaption in safety-critical environments is still lacking. This work provides a set of recommendations for the development of safety-critical space systems in Rust. Our recommendations are based on insights from our multi-fold contributions towards safer and more secure aerospace systems: We provide a comprehensive overview of ongoing efforts to adapt Rust for safety-critical system programming, highlighting its potential to enhance system robustness. Next, we introduce a procedure for partially rewriting C-based systems in Rust, offering a pragmatic pathway to improving safety without necessitating a full system overhaul. During the execution of our rewriting case study, we identify and fix three previously undiscovered vulnerabilities in a popular open-source satellite communication protocol. Finally, we introduce a new Rust compiler target configuration for bare metal PowerPC. With this, we aim to broaden Rust's applicability in space-oriented projects, as the architecture is commonly encountered in the domain, e.g., in the James Webb Space Telescope.