Trusting Rust


#1

As Ken Thompson explains, it’s possible to insert a backdoor in a compiler. Rust is particularly impacted because the compiler is written in Rust (but rely on LLVM), so we need an initial binary/compiler to build our own. This initial rustc can or could have been compromised (since the first build/bootstrap).

Rust is one letter away from trust but how can we check that rustc only transform a Rust source code into it’s equivalent binary code?

A solution to check if a compiler is backdoored is to compare it with another using the Diverse Double-Compiling.

This imply to trust a compiler, which means to have multiple compilers. For now there is only one Rust source code compiler but it support multiple architectures. So we have multiple binaries who should transform a source code the same way. Cross-compiling could be a start to check the rustc binaries. Maybe there is something to do with the compilation stages as well?

What do you think could be done for a more trustworthy rustc?


#2

I think implementing a second Rust compiler in a different language for the purposes of a DDC-style comparison wouldn’t be too hard: it could assume that the input source is type/borrow-correct and so wouldn’t have to do any semantic checking, “just” type inference and code generation. Of course, this is still non-trivial, but probably easier than an implementation of the borrow checker in another language (although the latter would be nice too).

(All that said, I’m not personally going to put my money where my mouth is, haha.)

In any case, I’m not sure one can properly trust any product of a rustc compiler in this context, even cross-compiled versions/early stages: a hypothetical back door could have touched any of them.


#3

Someone (I believe Mutabah, perhaps eddyb?) in #rust-offtopic has been mentioning that they’re working on a independent Rust compiler.


#4

It technically is possible to bootstrap-build from the original ocaml compiler fwiw. Not sure how long that would take or if there would be any problems in the process.


#5

Unfortunately, that would effectively require examining the source of the original compiler and each of the 312 snapshots to be sure a backdoor wasn’t introduced somewhere along the way.


#6

Is it not enough to inspect only the original compiler, and then build the intervening snapshots yourself?


#7

Like huon mentioned, you have to make sure nothing malicious was inserted in the source at any point. Rather hard to do so, though we can expect review to have mostly caught this stuff.


#8

Perhaps we should start an ‘Underhanded Rust Contest’ to find out avenues for putting malicious code into big Rust projects undetected (and then we write some lints to catch them :smile:).


#9

Also, bootstrapping from the original OCaml compiler implies that you trust OCaml, FWIW.

¯\_(ツ)_/¯


#10

And Ocaml is usually built from a binary blob which ships next to the sources, and not bootstrapped using an earlier compiler. (But a pattern matcher that could inject a self-preserving backdoor into the Rust compiler, surving later bootstrapping, would be a stellar achievemnt, approaching clairvoyant AI.)


#11

Especially if you used OCaml versions from before Rust was created :‍P

(which was partly my point—this whole thing is a little ridiculous in practice.)