Goodbye C++: AI Will Rewrite Critical Code into Secure Rust
AI-processed from IEEE Spectrum AI; edited by Hamidun News
The digital technology world still stands on crutches built in the past century. A huge portion of critical infrastructure — from banking systems to government databases — is written in C and C++. These languages give programmers enormous power over computer memory, but, as we know, great power brings terrible mistakes. About 70 percent of all contemporary software vulnerabilities are linked to improper memory handling. These are the very holes through which hackers have been crawling into protected systems for decades. Previously, we had no way out: rewriting millions of lines of old code by hand was too expensive, too time-consuming, and simply too boring for qualified engineers.
The situation changed with the appearance of Rust. This programming language, launched in 2015, promises the same performance as C++, but with built-in "safety mechanisms" that prevent fatal mistakes when working with memory. The problem is that Rust is a complex language, and it has far fewer experts than the classics have enthusiasts. And here artificial intelligence enters the stage. A new initiative called Great Refactor proposes using neural networks to finally clean up these Augean stables of outdated code. The idea is simple: if people don't want to or can't rewrite the internet safely, let the machines do it.
The Institute for Progress launched a project aimed at converting 100 million lines of open-source code to Rust by 2030. For this they're asking no less than $100 million. The sum seems impressive, but project director Herby Bradley from Cambridge quickly puts everything into perspective. According to his calculations, such investments would help prevent cyberattacks with a total damage of around $2 billion. This is not just savings; it's a matter of survival for a digital ecosystem that is becoming increasingly fragile under the onslaught of automated hacking tools.
Technically, the task no longer looks as fantastical as it did a couple of years ago. Modern LLMs handle the translation of small code chunks up to 1,000 lines quite well with almost no supervision. With some human oversight, neural networks already "process" projects up to 5,000 lines. The main difficulty here is not just getting the code to work. It's important that it be "idiomatic." In programmers' terms, this means the code should look as if it was written by a living Rust expert, following all best practices and traditions. If AI produces unreadable mush that's impossible to maintain, then the entire point of refactoring is lost.
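To make the "idiomatic" requirement concrete, the following added example (not from the original article, nor from the Great Refactor or TRACTOR projects) contrasts a literal C-to-Rust transliteration with an idiomatic rewrite of the same routine. The length-prefixed format, the function names and the sample bytes are assumptions constructed for illustration.

```rust
// Added illustration: all names are hypothetical, sample bytes are constructed.
// Assumed wire format: one length byte followed by that many payload bytes.

/// Line-by-line transliteration of a C routine. It compiles, but it keeps the
/// raw pointers and the missing bounds check, so `unsafe` carries the bug over.
pub unsafe fn read_field_transliterated(buf: *const u8, out: *mut u8) -> usize {
    unsafe {
        let n = *buf as usize; // trusts the length byte supplied by the input
        let mut i = 0;
        while i < n {
            *out.add(i) = *buf.add(1 + i); // no check against either buffer's size
            i += 1;
        }
        n
    }
}

#[derive(Debug, PartialEq)]
pub enum FieldError {
    Empty,
    Truncated { declared: usize, available: usize },
}

/// Idiomatic version: slices carry their own length, and a short buffer
/// becomes an error value instead of an out-of-bounds read.
pub fn read_field(buf: &[u8]) -> Result<&[u8], FieldError> {
    let (&len, rest) = buf.split_first().ok_or(FieldError::Empty)?;
    let declared = len as usize;
    rest.get(..declared)
        .ok_or(FieldError::Truncated { declared, available: rest.len() })
}

fn main() {
    let good = [3u8, b'a', b'b', b'c', 0xff]; // constructed: length 3, then payload
    let lying = [200u8, b'a', b'b']; // constructed: declares 200 bytes, carries 2
    let mut out = [0u8; 8];
    // Sound only because `good` is well-formed and `out` is large enough.
    let n = unsafe { read_field_transliterated(good.as_ptr(), out.as_mut_ptr()) };
    println!("transliterated: {:?}", &out[..n]);
    println!("idiomatic, good input:  {:?}", read_field(&good));
    println!("idiomatic, lying input: {:?}", read_field(&lying));
}
```

Both functions return the same bytes on well-formed input; only the idiomatic one gives a reviewer a signature that rules out the out-of-bounds case without reading the body.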
The defense agency DARPA has also entered the game with its TRACTOR program. They're exploring a hybrid approach: combining classic static code analysis, honed over decades, with modern generative models. This makes sense, because neural networks are prone to hallucinations, and in matters of critical software security, the price of error is not just a downed website, but a potential collapse of life-support systems. So far, results from initial tests show that AI can be an excellent apprentice, but the role of chief architect remains with humans.
There are also skeptics. Experienced developers fear that mass code migration to Rust will create a shortage of specialists to maintain it. Rust experts are few, and if we suddenly get millions of new lines of code in this language, who will monitor their relevance five years from now?
Moreover, government funding at such scale is an unwieldy thing. Perhaps the private sector will need to take the initiative into its own hands, especially since tech giants like Google and Microsoft have long been converting their key components to Rust on their own. The Great Refactor project, on the other hand, targets the "long tail" of small libraries maintained by a couple of volunteers that nonetheless form the foundation of half the world's software.
Bottom line: Will AI be that "silver bullet" that kills memory vulnerabilities, or will we simply replace old bugs with new ones generated by neural networks?