Rust's DO-178C Support for Aerospace Debated

The availability of Ferrocene to support the Rust programming language for DO-178C certification is sparking discussion about its potential in aerospace. An industry observer questioned any remaining bias against Rust for safety-critical systems, given its existing compatibility with the automotive ISO 26262 standard. This reflects a growing interest in memory-safe languages as alternatives to C/C++ in certified avionics.

- Ferrocene is the first and only qualified Rust compiler toolchain for safety-critical applications, and it is being developed by Ferrous Systems in partnership with AdaCore. This collaboration aims to qualify the toolchain under various industry software safety standards, including DO-178C for aerospace.
- While traditionally dominated by C and C++, the aerospace industry is exploring memory-safe languages like Rust to reduce common bugs related to memory safety, which can lead to system failures and security vulnerabilities. In large-scale projects like Android, switching to Rust has been shown to decrease memory safety vulnerabilities from 76% to 35% of total vulnerabilities between 2019 and 2022.
- The DO-178C standard for avionics software does not mandate a specific programming language but requires the use of a coding standard with unambiguous syntax and clear data control. This has historically favored languages like Ada, C, and C++, with the use of safe subsets.
- A significant challenge for using Rust in safety-critical systems has been the lack of a qualified toolchain and a formal language specification. The Ferrocene project addresses this by providing a qualified compiler and has donated its language specification to the Rust Project to serve as a base for the official specification.
- The use of C/C++ in avionics often involves significant restrictions to ensure safety, such as banning dynamic memory allocation to prevent fragmentation and unpredictable behavior. Coding standards like MISRA C/C++ and the JSF++ AV standard for the F-35 fighter jet enforce these strict rules.
- Ferrocene has already achieved qualification for ISO 26262 (ASIL D) for automotive and IEC 61508 (SIL 3) for industrial systems, with plans to extend this to DO-178C. This existing certification for other safety-critical domains is a key part of the argument for its suitability in aerospace.
- The push for memory-safe languages is also supported by government bodies like the NSA, which advises a strategic shift away from languages like C/C++ for critical systems to prevent or mitigate memory-based vulnerabilities.
- The process for certifying new languages and toolchains for DO-178C is rigorous, requiring extensive verification and evidence of reliability. For Rust, this includes demonstrating that the compiler behaves predictably and that the language's features, like its concurrency model, are suitable for real-time embedded systems.

Shared from Scout - Be the smartest in the room.