Stream: wg-secure-code

Topic: actionable work items


Shnatsel (Oct 18 2018 at 21:11, on Zulip):

If you would like to contribute, but aren't sure how, this is the thread for you. If you have a security-related project that you could use some help with, this is also the thread for you. Post some actionable work items!

Shnatsel (Oct 18 2018 at 21:11, on Zulip):

For example: https://github.com/blt/bughunt-rust tries to verify correctness of data structure implementations in Rust stdlib, following a CVE in VecDeque. It currently verifies HashMap and VecDeque; extending it to more data structures would be appreciated.

Shnatsel (Oct 18 2018 at 21:16, on Zulip):

The fixed-capacity view of Vec proposal kind of died once I ran out of time to dedicate to it. We have a prototype implementation of it in a crate; explaining why it's a bad idea, or completing and publishing the implementation would be appreciated.

Shnatsel (Oct 18 2018 at 21:21, on Zulip):

A program that sifts through crates.io index, matches contents of Cargo.lock and Cargo.toml in crates against RustSec advisory DB and alerts maintainers of crates that depend on vulnerable versions of other crates would be nice. This is rather easy to implement since crates.io index is just a git repository and rustsec crate takes care of version matching.

Shnatsel (Oct 18 2018 at 21:27, on Zulip):

It would be nice to have a beginner’s guide to using SMACK to verify correctness of Rust programs; it’s a symbolic execution engine that has been adapted for Rust recently.

Shnatsel (Oct 18 2018 at 21:31, on Zulip):

Clippy could use a lint for slow vector initialization that people tend to rewrite into unsafe code instead of using efficient zero-initialization. Details at https://github.com/rust-lang-nursery/rust-clippy/issues/3237

Shnatsel (Oct 18 2018 at 21:36, on Zulip):

Here's a more general one: pick a popular crate that uses unsafe, check out why it does that, try to turn it into safe code without regressing performance; describe how you did it if you succeed, describe why that failed if you didn’t. This will expose missing but needed safe abstractions and form the basis for clippy warnings or some kind of safety guidelines.

Shnatsel (Oct 19 2018 at 17:36, on Zulip):

:point_up: should I post these to github as issues?

Joshua Liebow-Feeser (Oct 19 2018 at 18:06, on Zulip):

I'd maybe restrict to only those things which have concrete next steps rather than just "we'd like something that does X." But yeah, definitely.

I think an issue that tracks the "find out why people use unsafe" effort would be particularly useful.

Shnatsel (Oct 19 2018 at 18:34, on Zulip):

"find out why people use unsafe" is probably out of scope of an issue. I'd make it a repo or something. We should probably reach out to the community too, e.g. on Reddit, This Week In Rust, etc. and just ask.

briansmith (Oct 21 2018 at 05:48, on Zulip):

RE: "find out why people use unsafe", maybe it would be better to limit the exploration to libstd and maybe some other core crates and see if there is any commonality that could be factored out into library features or language features that would reduce the need for unsafe in a substantial way, e.g. safe conversion APIs that would reduce the uses of transmute.

Zach Reizner (Oct 23 2018 at 17:03, on Zulip):

> A program that sifts through crates.io index, matches contents of Cargo.lock and Cargo.toml in crates against RustSec advisory DB and alerts maintainers of crates that depend on vulnerable versions of other crates would be nice. This is rather easy to implement since crates.io index is just a git repository and rustsec crate takes care of version matching.

I've actually got some code that trawls through the crates index that can be adapted to this purpose, so I've started this task.

Joshua Liebow-Feeser (Oct 23 2018 at 17:34, on Zulip):

@Zach Reizner Awesome! Would you like to create an issue in the wg repo to track this?

Zach Reizner (Oct 23 2018 at 17:57, on Zulip):

Sure

Zach Reizner (Oct 23 2018 at 18:07, on Zulip):

Posted issue to wg repo.

Joshua Liebow-Feeser (Oct 23 2018 at 18:42, on Zulip):

Thanks!

Last update: Nov 11 2019 at 23:05UTC