Zardus tests AI-powered C to Rust conversions to cut memory corruption
Zardus is using coding agents to rewrite vulnerable C into Rust, with repos readers can test and security stakes that go far beyond a demo.

Yan Shoshitaishvili, better known as Zardus, has been using AI coding agents to convert memory-unsafe C libraries into Rust, turning a flashy experiment into a very practical security question: can agents speed up the cleanup of legacy code that still harbors memory corruption bugs?
Shoshitaishvili is an associate professor at Arizona State University and the founder of angr and pwn.college, which gives the work immediate weight in the security community. He has shared apt and Docker repositories with Rust-converted libraries so the ports can be tested directly, and his ctf-tools repository includes Dockerfiles and setup scripts that make the security tooling easier to reproduce. That matters because the value of these conversions is not just in the language switch, but in whether other researchers can run the same code, inspect the results, and compare the behavior of the original C and the Rust rewrite.
The timing lines up with a broader push to move software away from memory-unsafe languages. CISA has said memory safety vulnerabilities have been known for more than half a century and has urged software manufacturers to prioritize memory-safe programming languages. The NSA has said Microsoft and Google have each stated that memory-safety issues account for around 70% of their vulnerabilities. Google said in October 2024 that about 70% of severe vulnerabilities in memory-unsafe codebases are caused by memory-safety bugs, and Chromium says around 70% of its serious security bugs are memory-safety problems, with about half of those tied to use-after-free flaws.

Rust, first released in 2015, has become the best-known answer to that problem. It is now showing up in research programs that aim to automate the migration itself, not just the destination language. DARPA’s TRACTOR program is working to automate translation of legacy C code to Rust, and a 2025 DARPA-backed effort at the University of Illinois and the University of Wisconsin-Madison received a $5 million grant to convert legacy C codebases to Rust.
Zardus’s work lands alongside a growing body of automated translation research, including ACToR, SafeTrans, SmartC2Rust and SACTOR. For Rust developers watching old C codebases stubbornly stick around, the key question is no longer whether memory-safe rewrites matter, but whether AI agents can make them fast enough to matter at scale.

