Rust is promising for writing security-critical programs because of its memory safety guarantees. However, while bugs in Rust crates are rarer, they still exist, and Rust currently lacks the tooling to deal with them. For example, if you are running a Linux distribution and one of its packages has a bug, the distribution will alert you, and you can even opt in to automatic security updates. Cargo not only has no infrastructure for security updates, it does not even know which libraries a given binary was compiled from, so there is no way to check your system for vulnerabilities.

I set out to solve this problem. Today I am pleased to announce the initial release of the auditable crate. It embeds the dependency tree into the compiled executable, so you can check which crates were used in the build. The primary motivation is to be able to answer the question “Do we have any known vulnerabilities in the Rust binaries that we actually run in production?” You can even have a third party, such as a cloud provider, do this automatically.

We provide a crate [1] for extracting this information, so you can easily build your own tools, plus a converter that produces a Cargo.lock for compatibility with existing tools. The extracted information can also be used with cargo-audit [2], as shown here [3]. See the repository [4] for a demo and more details, including answers to frequently asked questions such as binary collisions [5].

The ultimate goal is to integrate this functionality into Cargo and enable it by default on all platforms that do not have strict limits on executable size. An RFC (not yet merged) can be found here [6]. Right now, the main obstacles are:

  1. This bug [7] in rustc prevents a proper implementation of the Cargo integration

  2. We need to gain some real-world experience with the data format before it can be stabilized
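To make the "embed, extract, audit" idea concrete, here is an added, self-contained illustration (not code from the auditable crate, and not its real data format): a constructed binary image carries a marker followed by a plain-text dependency list, a scanner recovers that list from the raw bytes, and the result is matched against a constructed advisory table. The marker, the line format and the advisory identifiers are all assumptions made for this example.

```rust
// Toy model of an embedded dependency list. MARKER and the
// "name major.minor.patch\n" line format are assumptions for this example,
// not the format used by the real auditable crate.
const MARKER: &[u8] = b"EXAMPLE_DEPS_V0\0";

#[derive(Debug, PartialEq, Eq, Clone)]
pub struct Dep {
    pub name: String,
    pub version: (u64, u64, u64),
}

/// Hypothetical advisory: crate name, first fixed version, and an example id.
pub struct Advisory {
    pub name: &'static str,
    pub patched: (u64, u64, u64),
    pub id: &'static str,
}

pub fn parse_version(s: &str) -> Option<(u64, u64, u64)> {
    let mut it = s.trim().split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// Locate MARKER anywhere in a byte image (e.g. a whole executable read
/// from disk) and parse the NUL-terminated dependency lines after it.
pub fn extract_deps(image: &[u8]) -> Option<Vec<Dep>> {
    let start = image.windows(MARKER.len()).position(|w| w == MARKER)? + MARKER.len();
    let end = start + image[start..].iter().position(|&b| b == 0)?;
    let text = std::str::from_utf8(&image[start..end]).ok()?;
    text.lines()
        .filter(|l| !l.trim().is_empty())
        .map(|l| {
            let mut parts = l.split_whitespace();
            let name = parts.next()?.to_string();
            let version = parse_version(parts.next()?)?;
            Some(Dep { name, version })
        })
        .collect()
}

/// Every embedded dependency older than an advisory's patched version is a hit.
pub fn find_vulnerable<'a>(deps: &[Dep], advisories: &'a [Advisory]) -> Vec<(String, &'a str)> {
    let mut hits = Vec::new();
    for d in deps {
        for a in advisories.iter().filter(|a| a.name == d.name && d.version < a.patched) {
            hits.push((d.name.clone(), a.id));
        }
    }
    hits
}

/// Constructed stand-in for a compiled binary: junk, marker, list, NUL, junk.
pub fn sample_image() -> Vec<u8> {
    let mut image = b"\x7fELF junk bytes ".to_vec();
    image.extend_from_slice(MARKER);
    image.extend_from_slice(b"foo 1.2.3\nbar 0.9.0\nbaz 2.0.1\n");
    image.push(0);
    image.extend_from_slice(b" trailing junk");
    image
}
```

In practice the image would be the bytes of a deployed executable, and the advisory table would come from a vulnerability database such as the one cargo-audit uses.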

If you are running Rust workloads in production and would like to audit them for security vulnerabilities, please contact me. I would be happy to help deploy auditable in a real-world environment and iron out any remaining issues.

Note: This post is taken from the Reddit thread announcing auditable; further discussion can be found there: https://www.reddit.com/r/rust/comments/iotx5u/introducing_auditable_audit_rust_binaries_for/

References

[1] auditable_extract crate: http://docs.rs/auditable_extract/

[2] cargo-audit: https://github.com/RustSec/cargo-audit

[3] Demo: https://github.com/Shnatsel/rust-audit#demo

[4] Repository: https://github.com/Shnatsel/rust-audit

[5] Frequently asked questions: https://github.com/Shnatsel/rust-audit#faq

[6] RFC: https://github.com/rust-lang/rfcs/pull/2801

[7] rustc issue: https://github.com/rust-lang/rust/issues/47384
