To accelerate the transition to memory safe programming languages, the US Defense Advanced Research Projects Agency (DARPA) is driving the development of TRACTOR, a programmatic code conversion vehicle.
The term stands for TRanslating All C TO Rust. It's a DARPA project that aims to develop machine-learning tools that can automate the conversion of legacy C code into Rust.
The reason to do so is memory safety. Memory safety bugs, such buffer overflows, account for the majority of major vulnerabilities in large codebases. And DARPA's hope is that AI models can help with the programming language translation, in order to make software more secure.
"You can go to any of the LLM websites, start chatting with one of the AI chatbots, and all you need to say is 'here's some C code, please translate it to safe idiomatic Rust code,' cut, paste, and something comes out, and it's often very good, but not always," said Dan Wallach, DARPA program manager for TRACTOR, in a statement.
"You can go to any of the LLM websites, start chatting with one of the AI chatbots, and all you need to say is 'here's some C code, please translate it to safe idiomatic Rust code,' cut, paste, and something comes out, and it's often very good, but not always," said Dan Wallach, DARPA program manager for TRACTOR, in a statement.
"This parlor trick impressed me. I'm sure it can scale to solve difficult real world problems."
It's a promising approach worth trying, but
I won't be holding my breath.
If DARPA really wanted safer languages, they could be pushing test coverage, not blindly converting stable well tested C code into untested Rust code.
This, like most AI speculation, reeks of looking for shortcuts instead of doing the boring job at hand.
As to the possibility of automatic code conversion, Morales said, "It's definitely a DARPA-hard problem." The number of edge cases that come up when trying to formulate rules for converting statements in different languages is daunting, he said.
A: "We really need this super-important and highly-technical job done."
B: "We could just hire a bunch of highly-technical people to do it."
A: "No, we would have to hire people and that would cost us millions."
B: "We could spend billions on untested technology and hope for the best."
A: "Excellent work B! Charge the government $100M for our excellent idea."
Key detail in the actual memo is that they're not using just an LLM.
"Wallach anticipates proposals that include novel combinations of software analysis, such as static and dynamic analysis, and large language models."
They also are clearly aware of scope limitations. They explicitly call out some software, like entire kernels or pointer arithmetic heavy code, as being out of scope. They also seem to not anticipate 100% automation.
So with context, they seem open to any solutions to "how can we convert legacy C to Rust." Obviously LLMs and machine learning are attractive avenues of investigation, current models are demonstrably able to write some valid Rust and transliterate some code. I use them, they work more often than not for simpler tasks.
TL;DR: they want to accelerate converting C to Rust. LLMs and machine learning are some techniques they're investigating as components.
This is an interesting application of so-called AI, where the result is actually desirable and isn't some sort of frivolity or grift. The memory-safety guarantees offered by native Rust code would be a very welcome improvement over C code that guarantees very little. So a translation of legacy code into Rust would either attain memory safety, or wouldn't compile. If AI somehow (very unlikely) manages to produce valid Rust that ends up being memory-unsafe, then it's still an advancement as the compiler folks would have a new scenario to solve for.
Lots of current uses of AI have focused on what the output could enable, but here, I think it's worth appreciating that in this application, we don't need the AI to always complete every translation. After all, some C code will be so hardware-specific that it becomes unwieldy to rewrite in Rust, without also doing a larger refactor. DARPA readily admits that their goal is simply to improve the translation accuracy, rather than achieve perfection. Ideally, this means the result of their research is an AI which knows its own limits and just declines to proceed.
Assuming that the resulting Rust is: 1) native code, and 2) idiomatic, so humans can still understand and maintain it, this is a project worth pursuing. Meanwhile, I have no doubt grifters will also try to hitch their trailer on DARPA's wagon, with insane suggestions that proprietary AI can somehow replace whole teams of Rust engineers, or some such nonsense.
Edit: is my disdain for current commercial applications of AI too obvious? Is my desire for less commercialization and more research-based LLM development too subtle? :)
The problem I see here is that AI may write code that does compile, but has a bunch of logical errors, edge cases or bad architecture. From personal experience, even though AI can write small amounts of good code, it's bad at understanding big and complex solutions.
At that point, fixing the AI codebase might take longer than just starting with a competent Rust dev.
This is a timely reminder and informative for people who aren't aware that LLMs don't actually understand anything. At all.
That doesn't mean they're useless, but yes, if you want an LLM to handle complex input and use it to generate complex output correctly... You may need to reevaluate your choice of tooling or your process.
It's unclear that AI is the right tool at all. It's certainly possible to use some automated conversion libraries, and then have human programmers fill in the gaps.
frustration noises It knows nothing! It's not intelligent. It doesn't understand anything. Attempts to keep those things acting within expected/desired lines fail constantly, and not always due to malice. This project's concept reeks of laziness and trend-following. Instead of a futile effort to make a text generator reliably produce either an error or correct code, they should perhaps put that effort into writing a transpiler built on knowable, understandable rules. ... Oh, and just hire a damn Rust dev. They're climbing up the walls looking to Rust-ify everything, just let them do it.
It'd be nice if they open source this like they did with ghidra. The video game reverse engineering and modernization efforts have been much easier thanks to the government open sourcing their tools
Baby steps. It's easier to convert code marked unsafe in Rust to not need unsafe than it is convert arbitrary code in other languages to Rust code that doesn't need unsafe.
Ideally you don't directly ship the code it outputs, you use it instead of re-writing it from scratch and then slowly clean it up.
Like Mozilla used it for the initial port of qcms (the colour management library they wrote for Firefox), then slowly edited the code to be idiomatic rust code. Compare that to something like librsvg that did a function by function port
There is a ton of literature out there, but in a few words:
Rust is built from the ground up with the intention of being safe, and fast. There are a bunch of things you can do when programming that are technically fine but often cause errors. Rust builds on decades of understanding of best practices and forces the developer to follow them. It can be frustrating at first but being forced to use best practices is actually a huge boon to the whole community.
C is a language that lets the developer do whatever the heck they want as long as it's technically possible. "Dereferencing pointer 0?" No problem boss. C is fast but there are many many pitfalls and mildly incorrect code can cause significant problems, buffer overflows for example can open your system to bad actors sending information packets to the program and cause your computer to do whatever the bad actor wants. You can technically write code with that problem in both c and rust, but rust has guardrails that keep you out of trouble.
C: Older systems developing language, pretty much industry standard to the point the C-style syntax is often a feature of other languages. Its biggest issues include a massive lack of syntax sugar, such as having to do structTypeFunction(structInstance) rather than structInstance.function() as standard in more modern languages, use of header files and a precompiler (originally invented to get around memory limitations and still liked by hard-core C fans, otherwise disliked by everyone else), and lack of built-in memory safety features, which is especially infamous with its null-terminated strings, often being part of many attack vectors and bugs.
Rust: Newer memory-safe language with functional programming features, most notably const by default, and while it does use curly braces for scopes (code blocks), the general syntax is a bit alien to the C-style of languages. Due to its heavy memory safety features, which also includes a borrow checker, not to mention the functional programming aspects, it's not a drop in replacement language for C to the point you pretty much have too reimplement the algorithms in functional style.
In C you can do almost anything, including things that will fry the system. In Rust, it's a lot harder to do that. (This makes sense if you consider when the languages were made and what were made for. It's not an attack on or praise for either language.)
Looking at your instance handle, I hope/assume that your comment is supposed to be in lighthearted jest. However that would only be an assumption on my part and in general it's not ok to say someone's job/work tool is for [remarks directed at sex, gender, ethnicity, orientation, disabilities, etc...] per CoC 3.5.
Please take into consideration that members on this instance may be of different backgrounds than what you're used to and interpets what you say differently. Further breaches of our Code of Conduct may lead to temporary or permament ban.