Why I'm Learning Rust
Why I'm Learning Rust For Security Work In 2023
Published: March 21, 2023
Graham, why are you learning Rust?
I have recently begun my journey into learning Rust. I’ve gotten a lot of questions about why I decided to learn Rust instead of $compiled_language and I wanted to discuss them. The goal of this short post is not to convince you to follow in my footsteps, but to help you understand my reasoning as it might be able to help inform your opinion for what language is right for you.
Bash -> Python -> Rust
I feel as though I have gotten to a point in my career where only being able to write scripts in Python or Bash (or, god forbid, PowerShell) is hindering my ability to create cool things. I’ve known this would be the case for a while, but I decided to stick to scripting languages until I could build up some level of competence with them. I feel as though I have gotten to that point. Am I an expert at Python and/or Bash? No, but I am able to figure things out in a reasonable amount of time and create useful software. This signaled to me that it is time to move on to something more scary advanced.
Go? C? Rust?
So many choices. I spent a lot of time pondering which compiled language to learn. My top three choices were Rust, Go, and C.
I will admit, initially, I was set on learning C. The majority of people I talked to told me that learning C was my best bet for a few reasons.
- C is ubiquitous and will probably always be around (at least in my lifetime) so learning it is a good skill to have.
- C is the core of many vulnerabilities. Understanding C will give me a better understanding of how many vulnerabilities occur. Having this knowledge is obviously helpful when trying to exploit these vulnerabilities.
- C is fast (and furious) and can help you write more complex tools that require fine-grained control, especially in relation to something like Python.
Those initial reasons make a strong case for learning C, but I realized shortly after learning the basics that they missed the reason why I wanted to learn a compiled language in the first place: I wanted to write tools.
I should note that choosing to disengage from C and move into something different is a risk. Somewhat ironically, C is a safe language to learn. There will always be some level of usefulness associated with learning C.
Re-evaluating
After realizing this I stepped back for a bit and re-evaluated. At this point I had learned enough C to understand some of the security issues that writing code in C presents. At the end of the day, I decided that this knowledge of the common pitfalls (looking at you, strcpy…) is sufficient for most non-specialized security positions. Would I be able to write complex implants using C? No, but that was never the goal.
That just left me with the choice of learning Go or Rust. After a few weeks of pondering where I wanted to go next, I saw this tweet from Mark Russinovich which was probably the tipping point that influenced my decision to re-evaluate which language I would spend my time in. Eventually, I decided I was going to bite the bullet and go for the one that is typically known to be more difficult.
I don’t really have a good reason for choosing one over the other besides the fact that a lot of smart people seem to like Rust, despite its learning curve, which is usually a good indicator that something is worth your time. It’s also worth mentioning that if you can learn something that has a steep learning curve, it is typically exponentially easier to go back and learn something that is “easier”. (This is the same reason I recommend people learn Vim before they use nano.) To me, Rust seemed more daunting than Go. I’ve learned that learning the harder skill usually pays off in the long run. Finally, people LOVE Rust. If I was going to dedicate my time to learning something, I wanted it to be something that I could also get excited about.
The plan
I’m approaching learning Rust as a calculated risk. Rust is a fairly new language with a lot of hype behind it right now, but it is entirely possible that it could lose steam. I don’t know enough about software engineering to foresee the future of what programming languages could be coveted in the future.
My plan for learning Rust is fairly simple. After going through the basics of Rust in the Rust book, I’m just going to struggle my way through writing small tools. This may not be the best way to learn, but it is what helped me learn Bash and Python reasonably well. I wish it were fancier than that, but sometimes the free option that is more time-consuming is way better than any training or class. I guess we will have to wait and see how it turns out. Perhaps I will make a follow-up to this post one day in the future. If you would like to follow my progress, check out my Git. I’m not going to promise that I will post every small program I mess around with, but hopefully I will get some small projects up soon.