Make production binaries auditable for known vulnerabilities
We need to make binaries deployed in production auditable for known security issues. This may include non-trivial deployment methods, such as:
- Plain old cargo install
- An executable inside a Docker container
- A shared library linked into another language
Ideally this should also extend to statically linked C libraries, if any.
Rustc and LLVM versions are already embedded in the binary, so rustc and/or stdlib versions are already auditable in theory, but there is no tool to do that in practice. No other version information is currently embedded in binaries.
I have a proof of concept implementation that embeds Cargo.lock into compiled binaries with non-perfect but reasonable ergonomics, and a tool to recover that info afterwards. This can be used for running cargo audit directly on those binaries, or performing custom checks based on library versions or hashes.
While I am waiting for permission to release the code, here's a sneak peek:
```
$ rust-audit target/release/hello-auditable | cargo audit -f /dev/stdin
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 18 security advisories (from /home/shnatsel/.cargo/advisory-db)
    Scanning /dev/stdin for vulnerabilities (2 crate dependencies)
     Success No vulnerable packages found
```
The intention is to demonstrate that embedding Cargo.lock in the binary is actually a really good idea and that Cargo should do that by default, so I wouldn't have to maintain a hacky implementation of the Cargo.lock embedding. The tool to extract that info is likely here to stay, though.
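To make the recovery step concrete, here is an added example (not the rust-audit code and not the embedding format the tool uses): it assumes the Cargo.lock text was embedded verbatim, locates it in an arbitrary byte blob by its `[[package]]` header using a line-shape heuristic, and lists the crate versions it records. The sample "binary" and the crate names in it are constructed.

```rust
// Added example, not the rust-audit code: find a Cargo.lock embedded verbatim in
// a byte blob and list the crates it records. The line heuristic is an assumption.
/// Rough syntactic check for one line of a Cargo.lock file.
fn looks_like_lock_line(line: &str) -> bool {
    let l = line.trim_end();
    l.is_empty()
        || matches!(l, "[[package]]" | "[metadata]" | "]")
        || l.starts_with("dependencies = [")
        || l.starts_with(" \"")        // entry inside a dependencies list
        || l.starts_with("\"checksum ") // entry inside [metadata]
        || ["name", "version", "source", "checksum"]
            .iter().any(|k| l.starts_with(*k) && l[k.len()..].trim_start().starts_with('='))
}
/// Return the embedded lockfile text (ready for `cargo audit -f`), if any.
pub fn find_embedded_lockfile(blob: &[u8]) -> Option<String> {
    let marker = b"[[package]]";
    let start = blob.windows(marker.len()).position(|w| w == marker)?;
    let mut out = String::new();
    for chunk in blob[start..].split(|&b| b == b'\n') {
        match std::str::from_utf8(chunk) {
            Ok(line) if looks_like_lock_line(line) => { out.push_str(line); out.push('\n'); }
            _ => break, // non-text or non-lockfile bytes: the lockfile has ended
        }
    }
    Some(out)
}
/// Extract (crate name, version) pairs from lockfile text.
pub fn packages(lock: &str) -> Vec<(String, String)> {
    let unquote = |s: &str| s.trim().trim_matches('"').to_string();
    let (mut found, mut name) = (Vec::new(), None);
    for line in lock.lines() {
        if let Some(v) = line.strip_prefix("name =") {
            name = Some(unquote(v));
        } else if let Some(v) = line.strip_prefix("version =") {
            if let Some(n) = name.take() { found.push((n, unquote(v))); }
        }
    }
    found
}
/// Constructed stand-in for a compiled binary: opaque bytes around a lockfile.
pub fn sample_binary() -> Vec<u8> {
    const LOCK: &str = "[[package]]\nname = \"hello-auditable\"\nversion = \"0.1.0\"\ndependencies = [\n \
\"demo-dep 1.2.3 (registry+https://example.invalid/index)\",\n]\n\n[[package]]\nname = \"demo-dep\"\n\
version = \"1.2.3\"\nsource = \"registry+https://example.invalid/index\"\n\n[metadata]\n\
\"checksum demo-dep 1.2.3 (registry+https://example.invalid/index)\" = \"PLACEHOLDER\"\n";
    let mut blob = vec![0x7f, b'E', b'L', b'F', 0x00, 0xff, 0x90]; // fake header bytes
    blob.extend_from_slice(LOCK.as_bytes());
    blob.extend_from_slice(&[0x00, 0xc3, 0xff, 0x48, 0x89]); // fake code bytes after it
    blob
}
```

Printing the string returned by `find_embedded_lockfile` is all that is needed to feed it to `cargo audit -f /dev/stdin` as in the session above; `packages` is what a custom version or hash check would build on.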
I have published a proof of concept implementation: https://github.com/Shnatsel/rust-audit
Discussion: https://www.reddit.com/r/rust/comments/awlqfi/
RFC for Cargo is open: https://github.com/rust-lang/rfcs/pull/2801
It got a lot of constructive feedback; we need to incorporate it and submit it for another round.
Implementation as a Cargo subcommand: https://github.com/rust-secure-code/cargo-auditable