This article was originally posted on Trail of Bits’ blog on July 1, 2019
Siderophile ([ˈsidərəˌfīl]) — Having an affinity for metallic iron
Today we released a tool,
siderophile, that helps Rust developers find fuzzing targets in their codebases.
Siderophile trawls your crate’s dependencies and attempts to finds every unsafe function, expression, trait method, etc. It then traces these up the callgraph until it finds the function in your crate that uses the unsafety. It ranks the functions it finds in your crate by badness—the more unsafety a function makes use of, the higher its badness rating.
We created Siderophile for an engagement where we were delivered a massive Rust codebase with a tight timeframe for review. We wanted to fuzz it but weren’t even sure where to start. So, we created a tool to determine which functions invoked the most unsafe behavior. We were able to speed up our bug discovery by automating the targeting process with siderophile. We’re now open-sourcing this tool so everyone can benefit from it!
¶ Sample Output
Here is a sample of
siderophile when run on
molasses, a crate we’re building that implements the MLS cryptographic protocol:
Badness Function 012 molasses::crypto::hash::HashFunction::hash_serializable 005 molasses::crypto::hash::HashContext::feed_serializable 003 molasses::utils::derive_node_values 003 molasses::application::encrypt_application_message 003 molasses::application::decrypt_application_message 003 molasses::group_ctx::GroupContext::new_from_parts 003 molasses::group_ctx::GroupContext::from_welcome 003 molasses::group_ctx::GroupContext::update_transcript_hash 003 molasses::group_ctx::GroupContext::update_tree_hash 003 molasses::group_ctx::GroupContext::update_epoch_secrets 003 molasses::group_ctx::GroupContext::apply_update ...
As you can see, much of the unsafety comes from the serialization and crypto-heavy routines. We’ll be sure to fuzz this bad boy before it goes 1.0.
This is not guaranteed to catch all the unsafety in a crate’s deps. For instance, we don’t have the ability to inspect macros or resolve dynamically dispatched methods since unsafe tagging only occurs at a source-level. The ergonomics for the tool could be better, and we’ve already identified some incorrect behavior on certain crates. If you’re interested in helping out, please do! We are actively maintaining the project and have some issues written out.
¶ Try it Out
siderophile is on Github along with a better explanation of how it works and how to run the tool. You should run it on your Rust crate and set up fuzzers for what it finds. Check it out!