Curl is one of the most widely used network transfer utilities worldwide, found in desktop operating systems, servers, embedded devices, and even connected vehicles and appliances. Its primary function—transferring data over the network—makes its security critical, as any vulnerability could compromise millions of systems globally.
A memory safety challenge in critical software
For years, curl has been developed in C, a fast language but one prone to security vulnerabilities, especially those caused by manual memory management. To address this challenge, the Internet Security Research Group (ISRG) and the Prossimo project identified curl as a strategic candidate for experimenting with the integration of libraries written in Rust, a language that guarantees memory safety and drastically reduces the risk of critical errors.
Collaboration to modernize curl’s core
ISRG contacted Daniel Stenberg, creator and lead maintainer of curl, to explore how to better protect the software’s key components, particularly the processing of HTTP and TLS protocols. The premise: if there are Rust libraries that offer C-compatible interfaces, C and C++ projects can benefit from Rust’s safety without needing to migrate all their code or have their developers learn the new language.
A plan was devised for curl to be compiled with memory-safe alternatives for both HTTP and TLS. For HTTP handling, the Hyper library was chosen; for secure connections, Rustls.
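As an added illustration of that premise (example code written for this article, not taken from curl, Hyper or Rustls), here is the shape of a C-compatible interface over a safe Rust core: the header lookup is ordinary bounds-checked Rust, and the raw pointers a C caller hands over are confined to one thin wrapper. The function name, status codes and header format are assumptions made for the example.

```rust
use std::os::raw::c_int;
use std::{ptr, slice, str};
// Status codes returned across the C boundary (constructed for this example, not curl's).
pub const FFI_OK: c_int = 0;
pub const FFI_NULL_ARG: c_int = -1;
pub const FFI_BAD_UTF8: c_int = -2;
pub const FFI_NOT_FOUND: c_int = -3;
pub const FFI_TOO_SMALL: c_int = -4;

/// Safe core: value of the first header called `name` (case-insensitive) in `block`.
/// Plain Rust: slices are bounds-checked, there are no raw pointers or hand-tracked lengths.
pub fn header_value<'a>(block: &'a str, name: &str) -> Option<&'a str> {
    block.lines().find_map(|line| {
        let (key, value) = line.split_once(':')?;
        if key.trim().eq_ignore_ascii_case(name) { Some(value.trim()) } else { None }
    })
}

/// C-callable wrapper, seen from C as:
///   int hdr_get_value(const uint8_t *block, size_t block_len, const uint8_t *name,
///                     size_t name_len, uint8_t *out, size_t out_cap, size_t *out_len);
/// All raw-pointer handling lives here. A shipped library would add #[no_mangle]
/// (#[unsafe(no_mangle)] on edition 2024) so C links against the unmangled symbol.
/// Caller contract: block/name readable for block_len/name_len bytes; out writable for out_cap bytes.
pub unsafe extern "C" fn hdr_get_value(
    block: *const u8, block_len: usize, name: *const u8, name_len: usize,
    out: *mut u8, out_cap: usize, out_len: *mut usize,
) -> c_int {
    if block.is_null() || name.is_null() || out.is_null() || out_len.is_null() {
        return FFI_NULL_ARG;
    }
    // (pointer, length) pairs become checked slices; the caller's lengths are the trust boundary.
    let (block, name) = unsafe { (slice::from_raw_parts(block, block_len), slice::from_raw_parts(name, name_len)) };
    let (block, name) = match (str::from_utf8(block), str::from_utf8(name)) {
        (Ok(b), Ok(n)) => (b, n),
        _ => return FFI_BAD_UTF8,
    };
    let value = match header_value(block, name) {
        Some(v) => v.as_bytes(),
        None => return FFI_NOT_FOUND,
    };
    // Always report the needed size so a C caller can retry with a larger buffer.
    unsafe { *out_len = value.len() };
    if value.len() > out_cap {
        return FFI_TOO_SMALL;
    }
    unsafe { ptr::copy_nonoverlapping(value.as_ptr(), out, value.len()) };
    FFI_OK
}
```

The C side only ever sees integers and buffers it owns; a too-small buffer or malformed input produces an error code rather than an out-of-bounds write.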
Results and current status
Through direct contracts, Daniel Stenberg handled the integration of Hyper, while ISRG engineer Jacob Hoffman-Andrews integrated Rustls for TLS handling in curl. After completing the work and gathering valuable lessons about Rust-C interoperability, curl users can now compile the tool with Rustls for secure connections, gaining an additional layer of protection against memory vulnerabilities in the TLS layer.
It is important to note that Hyper integration has reached end of life and is no longer available in recent versions, although support for Rustls remains current and is still evolving.
Lessons for Internet security
The curl case highlights the significant challenges and opportunities in introducing memory safety into critical digital ecosystem projects. Although a complete transition from C to Rust can be complex and requires consensus within open source communities, initiatives like the integration of Rustls show that meaningful progress can be made toward a more robust and attack-resistant infrastructure.
The experience gained will serve as a model for future projects aiming to modernize vital components of the Internet without sacrificing compatibility or performance.
Conclusion:
Curl takes an important step forward in security by offering the option to be compiled with Rustls for TLS, providing memory safety to one of the pillars of network software. While there is still a long way to go, this collaboration demonstrates that it is possible to strengthen Internet security through the gradual integration of modern, safe technologies.
Source: Memory safety