Java vs Rust Cheat Sheet by Security Union

Dimension

Java & JDK

Rust ***

1. Language Goals

1. Memory Safe and Secure

2. Portability (compile once run anywhere via the JVM)

3. Simple, Object Oriented and Familiar (coming from C/C++)

4. Interpreted, Threaded, and Dynamic

Intro to Java

1. Memory Safe and Secure

2. Portability (compile for each platform via LLVM)

3. Expressiveness, Efficiency and performance (replace C / C++).

Rust Book

2. Licensing

OracleJDK (stay away from this) License

OpenJDK (preferred)

License

The Rust Programming Language and all other official projects are dual-licensed:

• Apache License, Version 2.0
• MIT license

3. License Cost for commercial projects

Oracle announced that beginning from Java JDK 17 and onwards Java is free for commercial usage. “If you are running older versions of Java 1-16, you are not affected by the new licensing agreement.”

Announcement

Free

Company donations are appreciated: https://www.rust-lang.org/sponsors

4. Security

4.1 Known vulnerabilities

CVE Oracle JRE

CVE OpenJDK

CVE Rustlang

https://rustsec.org/

4.2 Working groups

The Security Group

Secure Code working group

5. Memory

Management

Garbage collector.

Possible to suffer from memory-related issues such as memory leaks, garbage collection pauses, or poor performance due to poor memory usage patterns.

May require careful tuning and optimization of the program and the garbage collector to achieve good performance.

Mostly automatic, enforced by the borrow checker.

The borrow checker is a static analysis tool that ensures safe and correct use of memory by checking that references to data are valid and that data is not borrowed mutably while it is also borrowed immutably.

Developers still need to think carefully about the lifetime of values.

5.1 Dangling pointers

// Impossible, java will not garbage collect the underlying object until there are no more references.

public static void main(String[] args) throws Exception {
  // Create an ArrayList and store numbers 1,2,3 in it
  var danglingPointer = new ArrayList<Integer>(5);
  danglingPointer.add(1);
  danglingPointer.add(2);
  danglingPointer.add(3);

  var danglingPointerCopy = danglingPointer;
  danglingPointer = null;
  System.out.println(danglingPointerCopy);
}

gradle run

> Task :app:run
[1, 2, 3]

// Impossible, the borrow checker will  keep you in check:

fn main() {
  let dangling_pointer = vec![1, 2, 3];
  drop(dangling_pointer);
  println!("{:?}", dangling_pointer);
}

error[E0382]: borrow of moved value: `dangling_pointer`
--> src/main.rs:5:22
 |
3 |     let dangling_pointer = vec![1, 2, 3];
 |         ---------------- move occurs because `dangling_pointer` has type `Vec<i32>`, which does not implement the `Copy` trait
4 |     drop(dangling_pointer);
 |          ---------------- value moved here
5 |     println!("{:?}", dangling_pointer);
 |                      ^^^^^^^^^^^^^^^^ value borrowed here after move

5.2 Null pointer exceptions

Null pointers are a big problem in Java: Meta Java nullsafe

The language does allow for Null pointers which can result in Exceptions, use

Checker framework to prevent them.

public class App {
  public static void main(String[] args) {
      @NonNull String s = null;
  }
}

gradle run
[...]

error: [assignment] incompatible types in assignment.
       @NonNull String s = null;
                           ^
 found   : null (NullType)
 required: @UnknownInitialization @NonNull String

// Impossible, there's no concept of null pointer in Rust.

fn main() {
  let s: Option<String> = None;

  match s {
      Some(i) => println!("Some: {}", i),
      None => println!("None"),
  }
}

6. Compilation (look at tools for specific tools)

Generates bytecode.

Bytecode is executed by the Java Virtual Machine (JVM), which is mostly a platform-independent execution environment.

Generates native machine code that can be run on the target platform.

Uses LLVM as the compiler backend (just like Swift).

7. Syntax

7.1 Variables mutability

// Mutable by default, unless final is used.
var javaNumber = 3;

// Immutable by default, use mut to make it mutable.
let mut rust_str = "yolo";

7.2 Structure

Code organized into packages.

Classes are templates for objects that define behavior (methods) and state (properties).

Composition is possible via interfaces.

Class inheritance is implemented using extends. 

Code organized into crates (similar to Java packages).

Structs are used mostly to store data (properties). Traits and stand alone functions are used to define behavior.

Composition is preferred and encouraged via traits on structs and enums.

Struct inheritance is not possible, instead, use trait inheritance.

7.3 Generics

public class List<T extends Comparable<T>> {
 // ...
}

struct Vec<T: Ord> {
 // ...
}

7.4 Metaprogramming

Ability to write code that can manipulate other code at runtime:

1. Reflection: allows code to introspect and manipulate classes, interfaces, fields and methods at runtime.
2. Annotations: metadata added with the @ symbol.
3. Java bytecode instrumentation API

Powerful macro system that allows you to define custom syntax and generate code at compile time.

No built-in reflection, but there are 3rd parties like:

https://github.com/dtolnay/reflect

8. Concurrency

8.1 Blocking

8.1.1 Deadlock sample

In both languages, what causes the deadlock is that locks are acquired in a different order.

I recommend using non-blocking concurrency techniques to avoid this.

class Deadlock {
   static Object lock1 = new Object();
   static Object lock2 = new Object();

   public static void main(String[] args) {
       var t1 = new Thread(new Runnable() {
           public void run() {
               synchronized(lock1) {
                   try {
                       Thread.sleep(100);
                   } catch (InterruptedException e) {
                       e.printStackTrace();
                   }
                   synchronized(lock2) {
                       System.out.println("Thread 1");
                   }
               }
           }
       });

       var t2 = new Thread(new Runnable() {
           public void run() {
               synchronized(lock2) {
                   try {
                       Thread.sleep(100);
                   } catch (InterruptedException e) {
                       e.printStackTrace();
                   }
                   synchronized(lock1) {
                       System.out.println("Thread 2");
                   }
               }
           }
       });

       t1.start();
       t2.start();
   }
}

fn main() {
   let lock1 = Arc::new(Mutex::new(1));
   let lock2 = Arc::new(Mutex::new(2));

   let lock1_clone = lock1.clone();
   let lock2_clone = lock2.clone();

   let t1 = thread::spawn(move || {
       let _guard1 = lock1_clone.lock().unwrap();
       println!("Thread 1 acquired lock 1");
       thread::sleep(std::time::Duration::from_secs(1));
       println!("Thread 1 trying to acquire lock 2");
       let _guard2 = lock2_clone.lock().unwrap();
       println!("Thread 1 acquired lock 2");
   });

   let t2 = thread::spawn(move || {
       let _guard2 = lock2.lock().unwrap();
       println!("Thread 2 acquired lock 2");
       thread::sleep(std::time::Duration::from_secs(1));
       println!("Thread 2 trying to acquire lock 1");
       let _guard1 = lock1.lock().unwrap();
       println!("Thread 2 acquired lock 1");
   });

   t1.join().unwrap();
   t2.join().unwrap();
}

8.2 Non blocking

8.2.1 Parallel collections

Streams API Streams API

Rayon: Rayon

8.2.2 Atomic objects

The specifications of these methods enable implementations to employ efficient machine-level atomic instructions that are available on contemporary processors. However on some platforms, support may entail some form of internal locking. Thus the methods are not strictly guaranteed to be non-blocking -- a thread may block transiently before performing the operation

Atomic Package Summary

All atomic types in this module are guaranteed to be lock-free if they’re available. This means they don’t internally acquire a global mutex. Atomic types and operations are not guaranteed to be wait-free.

atomic

8.2.3 MPSC:

Multi-producer single consumer

I did not find a specialized class to do this but you can use MPMC.

Channels

fn main() {
  let (tx, rx) = mpsc::channel();

  // Start a new thread that will send a string
  thread::spawn(move || {
      let msg = "hello from a new thread!".to_string();
      tx.send(msg).unwrap();
  });

  // Wait for the message in the main thread
  let received = rx.recv().unwrap();
  println!("Received: {}", received);
}

8.2.4 MPMC: Multi-producer multi-consumer

ConcurrentLinkedQueue 

public static void main(String[] args) throws InterruptedException {
      // Create a concurrent linked queue to hold the messages
      ConcurrentLinkedQueue<Integer> queue = new ConcurrentLinkedQueue<>();

      // Create and start 5 producer threads
      for (int i = 0; i < 5; i++) {
          final var acc = i;
          new Thread(() -> {
                  // Add a message to the queue
                  queue.add(acc *2);
          }).start();
      }

      // Create and start 5 consumer threads
      var handles = new ArrayList<Thread>();
      for (int i = 0; i < 5; i++) {
          var thread = new Thread(() -> {
              // Try to retrieve a message from the queue
              while (true) {
                  Integer message = queue.poll();
                  if (message != null) {
                      System.out.println("received value: " + message);
                      return;
                  }
              }
          });
          thread.start();
          handles.add(thread);
      }
      // iterate over all threads and wait for them to finish
      for (var handle : handles) {
          handle.join();
      }
  }

Crossbeam Channel

fn main() {
  // Create an unbounded MPMC channel.
  let (sender, receiver) = unbounded();

  // Spawn a few producers.
  for i in 0..5 {
      let sender = sender.clone();
      thread::spawn(move || {
          let _ = sender.send(i * 2);
      });
  }

  // Spawn a few consumers.
  let mut handles = Vec::new();
  for _ in 0..5 {
      let receiver = receiver.clone();
      handles.push(thread::spawn(move || {
          let val = receiver.recv().unwrap();
          println!("received value: {}", val);
      }));
  }
  // Wait for all threads to finish.
  for handle in handles {
      handle.join().unwrap();
  }

}

8.2.5 Actor model

Akka https://akka.io/

Akka is no longer free for commercial use: License Faq

why-we-are-changing-the-license

Actix https://github.com/actix/actix

MIT License: LICENSE-MIT

8.2.6 async/await

NONE

Tokio, async-std, actix

9. Tooling *

9.1 Compiler

javac

rustc (backend: llvm)

9.2 Toolchain manager

sdkman  https://sdkman.io/

cargo cargo installation

9.3 Dependency Manager

Gradle, Maven (old)

cargo

9.4 Security and license audit.

Dependency-check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.

Maybe blackduck?

Cargo-audit: Audit your dependencies for crates with security vulnerabilities reported to the RustSec Advisory Database.

Cargo-deny: cargo plugin that lets you lint your project's dependency graph to ensure all your dependencies conform to your expectations and requirements. (license, vuls)

10. Resources needed to run a web server hello world (dev mode) **

This metric is useful to me to understand the resources needed to run an app with no load.

Spring Boot 3.0.0
2 processes:

Process    P1     | P2    | Total
MEM:       134MB  | 80 MB | 214 MB
CPU:        1.28  | 1.40  | 2.68

Actix-web 4.0
1 process:
MEM: 7 MB
CPU: 0.37