Pre-RFC: Track resource effects

Hey,

i saw a talk about the programming language fuzion and there is a very interesting feature called effects which should resolve problems like log4shell. And now i am thinking about a program, which could achieve this in rust. The talk is in german, but you can see the feature in the example on linked page.

I made some thoughts about this idea and try to write down my ideas about the usage of such an analyzer program. You can find it here: Rust Resource Effects · GitHub

In short i would like to create a new tool which looks at your code and the dependencies. After this it can show you which local resources are used by your code or dependencies. The next step could be a restriction system, where you can restrict which resource your program can use and if there is violation against your restriction. This could help to prevent unwanted use of resources (e.g. in log4shell, bc nobody notice this kind of resource usage). Please take a look into the given gist link for some usage examples and more text about the idea.

Because this is my first time i want opinion from the rust community, i am unsure if this is correct in this category. Also i am not sure, that such kind of analyze tool is needed to achieve the same amount of knowledge about resource usage, because i am learning rust since approx. 1 year.

I tried to do my homework and research but i can`t find any crate or RFC which achieve the same feature. Also i took a look into rust core code to find out, if some tracking is already there.

So i hope you can help me to get more insights of what needs to be done and if this work is worth to be done. Thank you for your time and attention. Peter

What you are trying to do is fundamentally damn hard, and you haven't even scratched the surface. The biggest issue is unsafe code: it can do absolutely anything, in way which cannot be verified by the compiler, and all Rust code uses unsafe at some point.

This is very reminiscent of the Java sandbox project. The project was a failure, sandbox escapes were popping left and right for as long as the project existed (which is, from the 1.0 release of Java to roughly 2014, when the security manager was deprecated). It had a poor track record of security.

Overall, any effect system for Rust would necessarily be much less ambitious, and would be more in the programmer aid rather than security boundary category.

6 Likes

There has been extensive discussion about this before. Proposal to add "features" to standard library - #5 by bascule lists a couple of threads.

4 Likes

See also

2 Likes

Oh wow. Thank you for your fast and very helpful answers.

First: The list by bjorn3 and crate by CAD97 showed me, that i used the wrong term for searching. Capabilities is a better one.

Second: It seems i was not very clear and precise in my description. I do not want to create any sandbox or any runtime security. It was only meant as a helper tool for developers to find unexpected behaviour (unexpected in terms of: You would not think that your logging tool connects to any network resource on purpose). It should not handle any malicious code or anything. Also it should not used as a last line of defense. Only a helper tool to get insights of the dependencies used by your code. Of course sometimes there will be hard to catch edge cases, where such a code analyzer cannot get any helpful informations. But for me it would be sufficient if it prints, which std functions are called by dependencies like it was described here: Crate capability lists - #3 by elszben

I simply want a quick (and automatic) way to describe what a crate is doing at the high level. If it is not using any library (nothing from std) and not using unsafe blocks then I am sure that it will not steal my data or put evil stuff on my disk. If it is using std::fs:: or std::net then I am a little more sceptical. If it is using unsafe and calling c functions then all bets are off. I really need to check the code in that case (or delegate the audit to someone else).

If i write a simple cli app, which takes stdin and put it on stdout, then i am sceptical when a code analyzer can show me, that there is a network resource in use in any function.

But you gave me a lot to read and i will investigate it further. Thank you. And if you have any further input, i am pleased to read.

5 Likes

Thanks, @bjorn, There are a number of useful threads in your given link. I loved reading about build script capabilities, cargo safety rails, and crate capability lists. .

1 Like