Are Rust crates secure?

DrizztVD1 · 2018-07-18T11:07:56.903Z

“how can we design a safer open source world” … using Cargo as an example.

Note that the question posed by @peter_bertok is “A dev in scenario #2 would just avoid Rust if he’s got any brains. I certainly would not use it as it stands, because there’s virtually zero protection from the kind of vulnerabilities that were not just predictable, but predicted, and have occurred for real. Why would I risk it? For what? Twice the runtime performance? Pfft… I could just request a server 2x as big and not risk my job and my career.”

Note: I edited the introduction to reflect this.

bgeron · 2018-07-18T11:29:05.373Z

I feel that @peter_bertok is perhaps trying to argue for a fat stdlib, to reduce the insecure ecosystem problem.

bgeron · 2018-07-18T11:29:25.706Z

Is there an open source ecosystem where the situation is better?

kornel · 2018-07-18T11:29:42.669Z

“Is it secure” is too broad to answer other than “no”, because nothing is absolutely secure. However, in practice, so far, I think the crates are secure enough.

The Cargo and crates.io teams follow best practices, e.g. all downloads are over HTTPS, package checksums are verified (and soon also the checksums in the index will be signed, creating a chain of trust).

The community is small enough that many top crates are by well-known, trusted authors.

Rust/Cargo is lucky to be a step behind JS/npm, so we get early warnings of problems that npm runs into.

kornel · 2018-07-18T11:32:01.740Z

Purely on security front, I presume Linux distributions are doing better, because all packages are vetted and there are dedicated teams backporting security fixes.

I do wonder if there’s demand for such approach for Rust. Would you use an alternative Cargo registry that has only manually reviewed crates?

bgeron · 2018-07-18T11:35:30.171Z

kornel:

Purely on security front, I presume Linux distributions are doing better, because all packages are vetted and there are dedicated teams backporting security fixes.

For context: Haskell has a similar thing in Stackage. I believe it’s a collaboration between some big companies.

I wonder if it would be hard to make the client-side part of something like Stackage for Rust.

bgeron · 2018-07-18T11:36:14.299Z

kornel:

I do wonder if there’s demand for such approach for Rust.

I think there would definitely be some. More and more big companies are experimenting with Rust.

DrizztVD1 · 2018-07-18T11:37:07.362Z

kornel:

many top crates are by well-known, trusted authors.

How would a new Rust user know who can be trusted? Would a malicious code injection by an user be caught and reversed soon enough?

peter_bertok · 2018-07-18T11:49:06.452Z

DrizztVD1:

How would a new Rust user know who can be trusted? Would a malicious code injection by an user be caught and reversed soon enough?

This.

Secondly, how would anyone know to continue trusting crates, and all of their transitive dependencies? What if a “crate turns bad” because someone new takes over its maintenance, a password leaks, or someone just stops updating it and critical vulnerabilities go silently unpatched?

This whole issue may sound a bit academic, but there was a great post just recently on the Reddit /r/rust forum that highlights the many security issues around popular crates, such as a reluctance to merge pull requests related to DoS issues, few crates using ![forbid(unsafe_code)], and a lack of clearly visible quality metric or other auditing system in cargo.io:

r/rust - Auditing popular crates: how a one-line unsafe has nearly ruined...

468 votes and 38 comments so far on Reddit

gilescope · 2018-07-18T13:49:58.939Z

One option is to set up a bug bounty for high profile zero days on popular rust crates. Possibly the bounty rather than money should be a rust sticker signed by one of the core team ?

liv · 2018-07-18T14:18:12.351Z

FWIW, I’m not sure this fits in the “community” category. This category is more about community organizing, what you’re asking is more closely related to Cargo.

DrizztVD1 · 2018-07-18T15:03:28.292Z

Updated the tag

BatmanAoD · 2018-07-19T05:09:47.139Z

Are these rhetorical questions for which you think there’s a good answer in other open source communities but not Rust? Or are they simply open-ended questions about how any open source community can possibly create a trustworthy set of common libraries?

DrizztVD1 · 2018-07-19T08:17:05.012Z

It’s a question about how Rust itself can elevate to being a highly secure programming environment. The requirements for such is that LLVM vulnerabilities are patched, the compiler is secure from someone doing malicious code injection into compiled binaries, and the Crates are not compromised.

The premise is that if I or anyone else use Rust as is to build an IoT network, can I be sure that thread safety itself will ensure my devices and network is secure? Because, given that Rust is likely to make it harder to run remote exploits targeting the binaries themselves, there would be more of a focus from governments and bad actors around the world in compromising the programming environment to introduce vulnerabilities higher up in the chain.

So, is this being mitigated in the Rust environment specifically, and how can it be further improved?

gbutler69 · 2018-07-19T08:59:31.293Z

On the issue of trusting crates on crates.io, how is trusting them different than trusting any set of open-source dependencies that come from anywhere? Say you didn’t have crates.io and instead were using libs downloaded from various upstream sources directly. What about if it were all in the standard lib?

I see absolutely no difference in these trust scenarios. In either case, the only way I can truly trust all the dependencies is to audit them and then vendor/lock them down into my build for that version of my build. If I upgrade any of those dependencies to a newer version, I must audit them. Every time. That is the ONLY way to have true trust in ANY scenario whether the dependencies come from standard lib, a repo like crates.io, or from 3rd party downloads directly from upstream. This even applies to commercial/close-source software with the added downside that, in most cases, I don’t even have the option to audit the source, I just simply have to trust that because I gave them money, they are doing their job properly and have my best interests at heart (which has been proven time and again to not always be the case unfortunately).

So, what I’m saying, is that way too much is being made of the whole, “I can’t trust crates.io” issue. It’s pretty much a non-issue if you really consider what “trust” in dependencies is.

That being said, things like adding signing or 2FA to crates.io are worthy of pursuing. Also, the notion of curated crates.io alternatives is not a bad idea as well. In fact, I can imagine a scenario where a company or consortium of companies create a curated alternative to crates.io that you can pay a membership to. This could possibly include certain “guarantees” around testing standards, documentation standards, auditing, chain-of-custody etc. that have had official audits etc. Perhaps adhering to things like FDA regulations or FIPS regulations, etc. My guess is this would be costly (as it should be). Seems like a business opportunity?

DrizztVD1 · 2018-07-19T09:48:39.875Z

So your last paragraph is what this discussion is about. The fact of the matter is, we can say that trusting 95% of the crate authors is fine, after trusting their work from previous audits. But now money has to be spent to verify that the other 5% didn’t muck with some small dependency that my updated crate relies on. So how can one ensure that some level of open-source security can be guaranteed for Rust?

Imagine this scenario:
A vulnerability has been discovered in a security drone controller that allows remote login and spying. The drone is used at a multinational R&D facility to patrol the perimeter and verify everyone on the premises signed in at the gate with their ID.

The news articles are reporting that a security researcher says that the LLVM edition of the Rust lang compiler was compromised 5 years ago, when this vulnerability was introduced.

The security researcher says that, because Rust lang says “thread safety” on their website, the contracted programmer for that part of the code assumed that remote buffer overflows would be contained. Unfortunately, the Rust community rested on their laurels, and let the security of their dependencies and compiler dependencies slip, and today Rust can only be used after a thorough audit of every single dependency used. Hence, most companies are using dependencies that are 10 years old and have some otherwise minor, but well-known exploits due to how long the dependencies have been in circulation. This is because half the newest dependencies were shown by Shor e.t. al, to be heavily infiltrated by a foreign government to ensure exploits can be run on Rust-compiled code, which could otherwise have been prevented had they not rested on their laurels.

DrizztVD1 · 2018-07-19T09:55:32.290Z

This isn’t coming from nowhere either, mind you. I was a security researcher of a reputable firm for a short while. And, a colleague was working next to me in the lab on a mitigation procedure for fixing up a couple of thousand point-of-sale terminals. A third party library had several buffer overflows in it, and this code was compiled long ago and the source code long forgotten. It was programmed in C of course. Some other R&D guys had managed to run a game of tetris on the terminal by programming the chip of a credit card that would run the exploit on the terminal when the card is inserted. They could also make the terminal print a ‘payment approved’ receipt from the terminal that was totally fake with this exploit.

DrizztVD1 · 2018-07-19T10:33:58.330Z

gbutler69:

That being said, things like adding signing or 2FA to crates.io are worthy of pursuing. Also, the notion of curated crates.io alternatives is not a bad idea as well. In fact, I can imagine a scenario where a company or consortium of companies create a curated alternative to crates.io that you can pay a membership to. This could possibly include certain “guarantees” around testing standards, documentation standards, auditing, chain-of-custody etc. that have had official audits etc. Perhaps adhering to things like FDA regulations or FIPS regulations, etc. My guess is this would be costly (as it should be). Seems like a business opportunity?

This is exactly it, but, some effort on the standard guidelines could give at least some level of security when using the open source tools. It’s like open-source security if you will. The classification of security goes something like:
High) safe from most government attacks
Medium) safe from experienced hackers working mostly alone
low) safe from script kiddies.

Rust can, and should, have an open source Medium level of security. It does not at the moment based on the haphazard crates implementation. Hence why this is also a good idea: Maybe it's time for a "crates-team"?

DrizztVD1 · 2018-07-19T10:46:22.005Z

The point is that a huge amount of C/C++ code vulnerabilities occur because of memory errors in the code. While some operating system buffer overflow mitigations exist, many low-power devices run without an OS. I’m just not going to run an MPC control system on an OS because the feedback loop is going to become unstable due to the indeterminate latency and my drone is going to fall out of the sky.

So now I need some means to ensure someone doesn’t target the logical level of the code by torpedoing the security of cargo/xargo dependencies. I can mitigate buffer overflows by using the super-duper NLL coolness of Rust, only to slam into a wall because I can’t use most of the dependencies since I’d rather implement my own control system code than leverage a potentially insecure crate that I’d have to audit. If there exists a preference list of crates that followed the api guidelines, and those guidelines provides for a security level by vetting contributors of that specific level of crates, it would be fine. - I’d get Medium level security without having to spend all my startup capital on the security audit.

BatmanAoD · 2018-07-19T12:47:24.295Z

I actually specifically meant Peter Bertok’s questions about trusting crates.

DrizztVD1:

It’s a question about how Rust itself can elevate to being a highly secure programming environment.

Is that something a programming language, especially a low-level one, should aspire to? I don’t see how it’s possible to make any Turing-complete language “secure”, outside of running it in a completely sandboxed environment. (E.g. blockchain smart contracts could theoretically be “secure”, but since those tend to use something like Ethereum’s “gas” to ensure termination, arguably they’re not Turing-complete.)