Siderophile: Expose your Crate's Unsafety
This article was originally posted on Trail of Bits' blog on July 1, 2019
Siderophile ([ˈsidərəˌfīl]) — Having an affinity for metallic iron
Today we released a tool, siderophile
, that helps Rust developers find fuzzing targets in their codebases.
Siderophile trawls your crate's dependencies and attempts to finds every unsafe function, expression, trait method, etc. It then traces these up the callgraph until it finds the function in your crate that uses the unsafety. It ranks the functions it finds in your crate by badness—the more unsafety a function makes use of, the higher its badness rating.
We created Siderophile for an engagement where we were delivered a massive Rust codebase with a tight timeframe for review. We wanted to fuzz it but weren't even sure where to start. So, we created a tool to determine which functions invoked the most unsafe behavior. We were able to speed up our bug discovery by automating the targeting process with siderophile. We're now open-sourcing this tool so everyone can benefit from it!
§ Sample Output
Here is a sample of siderophile
when run on molasses
, a crate we're building that implements the [MLS cryptographic protocol]({% link _posts/2019-07-10-molasses.md %}):
Badness Function
012 molasses::crypto::hash::HashFunction::hash_serializable
005 molasses::crypto::hash::HashContext::feed_serializable
003 molasses::utils::derive_node_values
003 molasses::application::encrypt_application_message
003 molasses::application::decrypt_application_message
003 molasses::group_ctx::GroupContext::new_from_parts
003 molasses::group_ctx::GroupContext::from_welcome
003 molasses::group_ctx::GroupContext::update_transcript_hash
003 molasses::group_ctx::GroupContext::update_tree_hash
003 molasses::group_ctx::GroupContext::update_epoch_secrets
003 molasses::group_ctx::GroupContext::apply_update
...
As you can see, much of the unsafety comes from the serialization and crypto-heavy routines. We'll be sure to fuzz this bad boy before it goes 1.0.
§ Limitations
This is not guaranteed to catch all the unsafety in a crate's deps. For instance, we don't have the ability to inspect macros or resolve dynamically dispatched methods since unsafe tagging only occurs at a source-level. The ergonomics for the tool could be better, and we've already identified some incorrect behavior on certain crates. If you're interested in helping out, please do! We are actively maintaining the project and have some issues written out.
§ Try it Out
siderophile
is on Github along with a better explanation of how it works and how to run the tool. You should run it on your Rust crate and set up fuzzers for what it finds. Check it out!
Finally, thanks to cargo-geiger and rust-praezi for current best practices. This project is mostly due to their work.