Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Make production binaries auditable for known vulnerabilities #14

Open
Shnatsel opened this issue Jan 8, 2019 · 4 comments
Open

Make production binaries auditable for known vulnerabilities #14

Shnatsel opened this issue Jan 8, 2019 · 4 comments

Comments

@Shnatsel
Copy link
Member

Shnatsel commented Jan 8, 2019

We need to make binaries deployed in production auditable for known security issues. This may include non-trivial deployment methods, such as:

  • Plain old cargo install
  • An executable inside a Docker container
  • A shared library linked into another language

Ideally this should also extend to statically linked C libraries, if any.

Rustc and LLVM version are already embedded in the binary, so rustc and/or stdlib versions are already auditable in theory, but there is no tool to do that in practice. No other version information is currently embedded in binaries.

@Shnatsel
Copy link
Member Author

I have a proof of concept implementation that embeds Cargo.lock into compiled binaries with non-perfect but reasonable ergonomics, and a tool to recover that info afterwards. This can be used for running cargo audit directly on those binaries, or performing custom checks based on library versions or hashes.

While I am waiting for permission to release the code, here's a sneak peek:

$ rust-audit target/release/hello-auditable | cargo audit -f /dev/stdin
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 18 security advisories (from /home/shnatsel/.cargo/advisory-db)
    Scanning /dev/stdin for vulnerabilities (2 crate dependencies)
     Success No vulnerable packages found

The intention is to demonstrate that embedding Cargo.lock in the binary is actually a really good idea and that Cargo should do that by default, so I wouldn't have to maintain a hacky implementation of the Cargo.lock embedding. The tool to extract that info is likely here to stay, though.

@Shnatsel
Copy link
Member Author

Shnatsel commented Mar 7, 2019

I have published a proof of concept implementation: https://github.com/Shnatsel/rust-audit

Discussion: https://www.reddit.com/r/rust/comments/awlqfi/

@Shnatsel
Copy link
Member Author

Shnatsel commented Dec 9, 2019

RFC for Cargo is open: rust-lang/rfcs#2801

It got a lot of constructive feedback, we need to incorporate it and submit it for another round.

@Shnatsel
Copy link
Member Author

Implementation as a Cargo subcommand: https://github.com/rust-secure-code/cargo-auditable

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant