Cargo permissions to detect tampered dependecies

bascule May 21, 2019, 10:07pm 4

Some previous discussion of ideas along these lines:

[pre-pre-rfc?] Solving Crate Trust cargo

Over time I’ve seen a bunch of problems brought up about trusting dependencies. While they’re different concerns with different threat models, I like to think of them as being different flavors of an overarching problem I call “crate trust”. I’d like to start a discussion about this, and propose one solution. This is a pre-pre-rfc with more of a sketch of a solution instead of specifics, and if folks like this I can move on to a more fleshed out pre-rfc. Problems Here are some of the problems i…

Build script capabilities cargo

(apologies if this has been discussed before, I couldn’t find anything) I touched on this problem in [pre-pre-rfc?] Solving Crate Trust, but it’s something worth splitting out. Currently, build scripts and compiler plugins (to a lesser degree) have unfettered power. They may end up doing whatever they want, and it’s hard to reason about them in the context of other build systems. There are a couple of things this impacts: Caching/artifact sharing: It’s hard to cache the results of crates com…

Crate capability lists

In recent years it became popular in programming language communities to share large amount of code using various package managers. Rust is no exception, it is very easy to share your own code and use code written by others by using Cargo. At first sight, this seems to be a good thing. As time passes, more and more package will be available, eventually providing everything that someone may need in an every day software project. However, as shown by the community of Node.js, this solution is hard…

An idea to mitigate attacks through malicious crates tools and infrastructure

The problem I assume that most readers here are aware of the recent flatmap-stream attack on Node. If you’re not, here’s the short version: the developer who managed a much-used library turned out to be malicious, and injected malicious code, which flew under the radar and was installed as dependency in gazillions of applications. The Rust ecosystem is vulnerable to the exact same kind of attack: one could imagine a malicious developer taking over, say, Itertools or some other popular crate th…

[Pre-RFC] Cargo Safety Rails cargo

Feature Name: cargo_safetyrails Start Date: 2017-07-13 RFC PR: (leave this empty) Rust Issue: (leave this empty) Summary This RFC proposes Cargo Safety Rails, allowing crates to ensure that dependent crates don’t use unsafe language features. By declaring a dependency “untrusted”, the user tells cargo to compile it with the -F unsafe_code option, preventing the dependency from using the unsafe keyword. Motivation Type safety allows the programmer to have strong guarantees about what incorpor…

Safe Library Imports language design

I want to be able to import libraries and know that they cannot access files or the network or use unsafe code. In particular, I want this for codecs, so that I can use them without having to audit the code. If I import a png library, I want to know it can only access the data I give it, do some computation and give data back to me. I can take care of network and file access for it. It could be a new keyword or keyword-alike: safe mod rustpng Ideally, there’d be a known-safe subset of the sta…

I'm definitely a fan of this sort of idea. You can find my take on it here:

Crate capability lists

I’ve been thinking along similar lines, but specifically around the problem of restricting usage of unsafe. I posted some initial thoughts here: https://groups.google.com/d/msg/cap-talk/t9al5hjN19U/XzHfR1peBAAJ I’ve thought about posting a “Pre-Pre-RFC” about this, but I guess I can start by spitballing here. Unsafe Features Synopsis: Extend the existing idea of cargo features with a special notion of “unsafe features” which can be used to whitelist usage of unsafe in dependencies (and their…

Also if you're interested in this sort of stuff, please check out the Rust Secure Code WG:

GitHub

GitHub - rust-secure-code/wg: Coordination repository for the Secure Code...

Coordination repository for the Secure Code Working Group - GitHub - rust-secure-code/wg: Coordination repository for the Secure Code Working Group

5 Likes

show post in topic

Topic		Replies	Views
An idea to mitigate attacks through malicious crates tools and infrastructure	74	3784	March 25, 2019
[pre-pre-rfc?] Solving Crate Trust cargo	33	6472	March 25, 2019
What will happen if someone insert malicious code to local std (or crates from crates.io) source code?	27	1461	March 24, 2023
Crates.io is at risk of wormable malware tools and infrastructure	41	2761	September 29, 2023
Security fence for crates tools and infrastructure	50	2865	March 25, 2019

Cargo permissions to detect tampered dependecies

Related Topics