Integration with cargo-audit/RustSec? #16
I'm also curious if it might actually make sense to integrate with the full Siderophile, and what it might be able to tell you about this sort of vulnerability given the path to a known-vulnerable node in the call graph. It seems like it might be interesting if the affected function exists in the call graph to optionally fuzz it and see if it's possible to conclusively determine it's vulnerable.
Since the tool gets to see the whole callgraph, all these analysis steps shouldn't be too difficult to implement. This project needs a bit more staffing, but this is doable. As for integrating into another tool, this aligns with one of our goals, which is to strip out all the Python scripts and RWIIR. This way we can expose all this functionality as a library. Leaving this issue open.
Is this still something you're interested in? As of today, things are much readier for exposing some sort of callgraph library. Also, @ issue #60
Absolutely! As soon as we can consume call graph analysis in library form we have the data (i.e. paths to functions impacted by an advisory) necessary to perform this kind of analysis.
@laudiacay any progress on extracting a call graph library?
Working on this tonight. Hoping to have something for you by the morning? Sorry, responsibilities changed at work and I haven't had much time for this lately.
Haha, no rush! But that would be fantastic!
Ok, #78. This actually ended up going WAY quicker than I expected. Caveats: I am not an experienced Rust developer, neither am I used to making my code play nice with others'... so please let me know what else I should do to get this into a usable place for y'all. Tldr: Currently, I'm exposing 5 things. You can see how I call them in
Took another look at your specific use case before I log off for tonight.
Basically what you should do is put the "particular path" into trace_unsafety as the one tainted function name. Then anything with a nonzero score that comes out will be in the crate_name provided to the function, and has a path to the thing you loaded into trace_unsafety.
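The comment above describes the check in terms of Siderophile's trace_unsafety, and the issue body below asks for the same thing from cargo-audit's side: given a call graph, does a function in the user's crate have a path to an advisory-affected function? The following is an added illustration of that reachability check, not Siderophile's or cargo-audit's own code: the call graph, the crate names, the function names and the helpers `sample_graph`, `trace_taint` and `exposed_in_crate` are all constructed here. Tainted functions are the advisory's affected paths; every node is scored by how many tainted functions it can reach, so a nonzero score marks a function that is actually exposed rather than one that merely depends on the vulnerable crate.

```rust
use std::collections::{HashMap, HashSet, VecDeque};

/// A call graph as an adjacency list: caller -> callees. Nodes are
/// fully-qualified paths such as "my_app::main".
pub type CallGraph = HashMap<String, Vec<String>>;

/// Constructed sample graph standing in for what a call-graph tool would
/// extract from a crate built with --all-features. `vuln_crate::unsafe_inner`
/// plays the role of the advisory-affected function.
pub fn sample_graph() -> CallGraph {
    let edges = [
        ("my_app::main", "my_app::load_config"),
        ("my_app::main", "my_app::render"),
        ("my_app::load_config", "vuln_crate::parse"),
        ("vuln_crate::parse", "vuln_crate::unsafe_inner"),
        ("my_app::render", "vuln_crate::safe_helper"),
        ("my_app::unused", "my_app::render"),
    ];
    let mut g = CallGraph::new();
    for &(from, to) in edges.iter() {
        g.entry(from.to_string()).or_default().push(to.to_string());
        g.entry(to.to_string()).or_default();
    }
    g
}

/// Score every node by the number of tainted functions it can reach
/// transitively. Walks the reversed graph (callee -> callers) from each
/// tainted function, so the work is linear in the graph size per taint source.
pub fn trace_taint(graph: &CallGraph, tainted: &[&str]) -> HashMap<String, usize> {
    let mut callers: HashMap<&str, Vec<&str>> = HashMap::new();
    for (from, tos) in graph {
        callers.entry(from.as_str()).or_default();
        for to in tos {
            callers.entry(to.as_str()).or_default().push(from.as_str());
        }
    }
    let mut scores: HashMap<String, usize> = graph.keys().map(|k| (k.clone(), 0)).collect();
    for &t in tainted {
        // Breadth-first walk upward from the tainted function; each node
        // visited gets +1 for this taint source (the source itself included).
        let mut seen: HashSet<&str> = HashSet::new();
        let mut queue = VecDeque::from([t]);
        while let Some(node) = queue.pop_front() {
            if !seen.insert(node) {
                continue; // cycles and shared callers are visited once
            }
            *scores.entry(node.to_string()).or_insert(0) += 1;
            if let Some(cs) = callers.get(node) {
                for &c in cs {
                    queue.push_back(c);
                }
            }
        }
    }
    scores
}

/// Functions inside `crate_name` with a nonzero score, i.e. those with a call
/// path to an advisory-affected function. Sorted for stable output.
pub fn exposed_in_crate(graph: &CallGraph, crate_name: &str, affected: &[&str]) -> Vec<String> {
    let prefix = format!("{}::", crate_name);
    let mut out: Vec<String> = trace_taint(graph, affected)
        .into_iter()
        .filter(|(f, s)| *s > 0 && f.starts_with(&prefix))
        .map(|(f, _)| f)
        .collect();
    out.sort();
    out
}

fn main() {
    let g = sample_graph();
    for f in exposed_in_crate(&g, "my_app", &["vuln_crate::unsafe_inner"]) {
        println!("exposed: {}", f);
    }
}
```

In the sample, `my_app::render` calls into the vulnerable crate but never reaches the affected function, so it scores zero; an advisory would be reported only for `my_app::load_config` and `my_app::main`, which is the false-positive reduction the issue is after.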
@laudiacay yeah, nice! Just exposing the core types from a
Awesome! If I merge that PR, are y'all set?
Should be enough to get started, I hope!
🎊 🎊 Merged it into master! I'm going to close this issue if you're all set, but feel free to open another if y'all need anything else.
Thank you!
cargo-audit is a utility which compares dependencies in Cargo.lock against the RustSec Advisory Database. I've opened an issue proposing a potential integration with Siderophile here: rustsec/rustsec#89
Recently we published an advisory for a high severity but low exploitability vulnerability to the database, which resulted in false positive alerts for many users. The issue linked above goes into details about why this is an interesting case where a call graph analysis would've helped.
We've done some work on collecting paths to affected vulnerabilities already to support this kind of analysis, and have the ability to collect this sort of information in advisories. Here's an example:
https://github.com/RustSec/advisory-db/blob/a8e2ec8/crates/safe-transmute/RUSTSEC-2018-0013.toml#L21
(sidebar: looking at that again, it feels like we should swap these so the path is on the left and the impacted versions are on the right)
What we need out of a call graph analysis tool is something that can both compute the call graph for --all-features, and then a way of testing if particular paths exist in the call graph. Compared to what Siderophile already does, this seems fairly simple.

If this sounds like a good idea, I'm curious what you think the best way to integrate cargo-audit and Siderophile would be. Should we invoke it as a subprocess, or is there a way to use it as a library/crate dependency? Is there a particular crate we can use that provides the call graph analysis functionality in isolation?