How to audit an unsafe crate?

@shekohex and I are working on a Rust wrapper around the libsignal-protocol-c library, libsignal-protocol-rs, and I’m at the point where I’d like to check everything is done correctly. My question is, is there a general procedure one can follow to audit a crate for safety?

I remember The Lib Blitz coming up with a set of API Guidelines, but it looks like they focus more on the crate’s public API and don’t mention the safety of the underlying code.


I forgot miri, which could help with that too.

But I don’t know why cargo miri does not exist, even though I added it as a component from rustup?

I’m not sure how much miri would be able to help. What we’re really looking for is a way to test that the interaction between the Rust and C code is logically sound. As far as I know, that’s only really something a human can do, because it requires taking the context into account and understanding how the C library will use data (e.g. pointers or libsignal’s hand-rolled “trait objects”) passed in from Rust code.

There is certainly some tooling available that can aid in this process. The first thing that comes to mind, specifically for unsafe code, is @Shnatsel’s libdiffuzz. It could also be a good idea to pair fuzzing and tests with ASan. As @shekohex mentioned, miri is also an option. Lastly, the secure-code WG also maintains a list of security-related projects:

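As an added illustration of the “hand-rolled trait object” hazard discussed above (example code added here, not from libsignal-protocol-rs or libsignal-protocol-c): the C library is stood in for by a Rust function, and the names `CryptoProvider`, `Crypto`, `into_provider` and `simulate_library` are assumptions. The questions an auditor asks of this pattern are who owns `user_data`, that the trampolines never take ownership, and that `destroy` reclaims the box exactly once; running the test under miri or ASan turns a double-free or leak here into a hard failure.

```rust
// Constructed example: a Rust-side stand-in for a C library's "trait object",
// i.e. a struct of extern "C" function pointers plus an opaque user_data pointer.
use std::ffi::c_void;

/// Mimics the C vtable; the library calls these with the opaque pointer it was given.
#[repr(C)]
pub struct CryptoProvider {
    pub random: unsafe extern "C" fn(buf: *mut u8, len: usize, user_data: *mut c_void) -> i32,
    pub destroy: unsafe extern "C" fn(user_data: *mut c_void),
    pub user_data: *mut c_void,
}

/// The Rust implementation that backs the callbacks.
pub trait Crypto {
    fn fill_random(&mut self, buf: &mut [u8]) -> Result<(), ()>;
}

/// Trampoline: borrows the `T` behind `user_data` without taking ownership.
unsafe extern "C" fn random_cb<T: Crypto>(buf: *mut u8, len: usize, user_data: *mut c_void) -> i32 {
    // SAFETY: `user_data` came from `into_provider` (a leaked `Box<T>`) and stays alive
    // until `destroy_cb` runs; the library guarantees `buf` points to `len` writable bytes.
    let this = &mut *(user_data as *mut T);
    let slice = std::slice::from_raw_parts_mut(buf, len);
    match this.fill_random(slice) {
        Ok(()) => 0,
        Err(()) => -1,
    }
}

/// Trampoline: reclaims the box exactly once; a second call here is a double free.
unsafe extern "C" fn destroy_cb<T: Crypto>(user_data: *mut c_void) {
    drop(Box::from_raw(user_data as *mut T));
}

/// Hands the implementation to "C": ownership moves into the vtable's `user_data`.
pub fn into_provider<T: Crypto>(imp: T) -> CryptoProvider {
    CryptoProvider {
        random: random_cb::<T>,
        destroy: destroy_cb::<T>,
        user_data: Box::into_raw(Box::new(imp)) as *mut c_void,
    }
}

/// Stand-in for the C library: uses the provider once, then releases it.
pub fn simulate_library(p: CryptoProvider, n: usize) -> Vec<u8> {
    let mut out = vec![0u8; n];
    // SAFETY: `out` is a valid buffer of `n` bytes; `p` was built by `into_provider`.
    let rc = unsafe { (p.random)(out.as_mut_ptr(), out.len(), p.user_data) };
    unsafe { (p.destroy)(p.user_data) };
    assert_eq!(rc, 0, "provider reported failure");
    out
}
```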