
Audit Cap'n Proto and drastically reduce the amount of unsafe code

Open DemiMarie opened this issue 5 years ago • 5 comments

I would love to use Cap'n Proto, but it is full of unsafe code (~3000 lines).

DemiMarie avatar Feb 29 '20 19:02 DemiMarie

Are you referring to the runtime library, or the code it generates?

https://crates.io/crates/capnp seems to have ~200 daily downloads. A protobuf implementation such as https://crates.io/crates/protobuf or https://crates.io/crates/prost would be a higher-value target with ~3000 daily downloads each.

Shnatsel avatar Feb 29 '20 19:02 Shnatsel

I'd love to see an audit of prost. It should be fairly trivial as it appears to have 6 usages of unsafe.

tarcieri avatar Feb 29 '20 19:02 tarcieri

I've opened #68 for prost.

Shnatsel avatar Feb 29 '20 20:02 Shnatsel

@Shnatsel The runtime library seems to be the biggest risk; layout.rs is ~3000 lines of incredibly unsafe code. Given that it is a direct port of a C++ implementation, this is not particularly surprising. The use of raw pointers may be necessary to circumvent Rust’s aliasing rules, but since these pointers are virtually all to primitive integer types with no invariants, it should be possible to wrap these uses in safe, bounds-checked APIs.

DemiMarie avatar Feb 29 '20 21:02 DemiMarie
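An added example of the refactoring the comment above proposes, written for this page and not taken from capnproto-rust or any other project: a buffer reader that fetches little-endian primitive integers from untrusted bytes through safe, bounds-checked accessors, shown next to the raw-pointer pattern a direct C++ port tends to use. The `Segment`, `ReadError` and `read_u32_unchecked` names are assumptions made for the illustration; the sample buffer in `main` is constructed here.

```rust
use std::convert::TryInto;

/// Error returned when a read would leave the buffer. Carrying the numbers
/// makes fuzzing failures and log lines actionable.
#[derive(Debug, PartialEq)]
pub enum ReadError {
    OutOfBounds { offset: usize, len: usize, buf_len: usize },
}

/// A borrowed view of one segment of untrusted wire data (hypothetical type).
pub struct Segment<'a> {
    data: &'a [u8],
}

impl<'a> Segment<'a> {
    pub fn new(data: &'a [u8]) -> Self {
        Segment { data }
    }

    /// Single choke point for the bounds check. `checked_add` matters: with a
    /// plain `offset + len` an attacker-controlled offset near usize::MAX wraps
    /// around and the comparison passes while the read itself is out of bounds.
    fn bytes(&self, offset: usize, len: usize) -> Result<&'a [u8], ReadError> {
        let err = || ReadError::OutOfBounds { offset, len, buf_len: self.data.len() };
        let end = offset.checked_add(len).ok_or_else(err)?;
        self.data.get(offset..end).ok_or_else(err)
    }

    /// Little-endian u32 at a byte offset; unaligned offsets are fine because
    /// the conversion goes through a byte array, not a pointer cast.
    pub fn read_u32(&self, offset: usize) -> Result<u32, ReadError> {
        let b = self.bytes(offset, 4)?;
        Ok(u32::from_le_bytes(b.try_into().expect("slice is exactly 4 bytes")))
    }

    /// Little-endian u64 at a byte offset.
    pub fn read_u64(&self, offset: usize) -> Result<u64, ReadError> {
        let b = self.bytes(offset, 8)?;
        Ok(u64::from_le_bytes(b.try_into().expect("slice is exactly 8 bytes")))
    }

    /// A list of `count` u32 values. The element count comes from the wire, so
    /// the byte length is computed with `checked_mul` before any access.
    pub fn read_u32_list(&self, offset: usize, count: usize) -> Result<Vec<u32>, ReadError> {
        let len = count.checked_mul(4).ok_or(ReadError::OutOfBounds {
            offset,
            len: usize::MAX,
            buf_len: self.data.len(),
        })?;
        let b = self.bytes(offset, len)?;
        Ok(b.chunks_exact(4)
            .map(|c| u32::from_le_bytes(c.try_into().expect("chunk is 4 bytes")))
            .collect())
    }
}

/// The pattern being replaced (hypothetical, for contrast): the caller must
/// guarantee `offset + 4 <= buffer length`; nothing here checks it, so a bad
/// offset from the network is an out-of-bounds read rather than an error.
///
/// # Safety
/// `ptr` must point to at least `offset + 4` readable bytes.
pub unsafe fn read_u32_unchecked(ptr: *const u8, offset: usize) -> u32 {
    u32::from_le(ptr.add(offset).cast::<u32>().read_unaligned())
}

fn main() {
    // Constructed sample: three little-endian u32 words.
    let buf: [u8; 12] = [1, 0, 0, 0, 2, 0, 0, 0, 0xff, 0xff, 0xff, 0xff];
    let seg = Segment::new(&buf);
    println!("{:?}", seg.read_u32(4));             // Ok(2)
    println!("{:?}", seg.read_u32_list(0, 3));     // Ok([1, 2, 4294967295])
    println!("{:?}", seg.read_u32(9));             // Err(OutOfBounds { .. })
    println!("{:?}", seg.read_u32(usize::MAX));    // Err, no wraparound
}
```

Every read funnels through `bytes`, so the bounds and overflow checks live in one auditable place and the public API contains no `unsafe` at all. What this does not cover is the format-level validation a Cap'n Proto decoder still needs on top (pointer tags, segment indices, list element sizes, nesting depth); those checks sit above a wrapper like this and are exactly the invariants the unsafe-free layer makes easier to review.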

Like protobufs, Cap’n Proto is exposed to untrusted data from the network.

DemiMarie avatar Feb 29 '20 21:02 DemiMarie