This is a place for people to communicate about auditing unsafe
code in core
Rust crates and replacing it with safe code where feasible.
Everyone is invited to participate!
You do not have to be an unsafe
expert to help out. There's a lot of work
to do just picking crates (ones with a lot of reverse-dependencies are best),
and then sorting out where they use unsafe
and why. If you think something
isn't right just post it in the tracking issue and others can have a look and
talk it out.
Our process is as follows:
- File a tracking issue in this repo about a particular crate, giving its name and a link to their github (or other repository location).
- Audit
unsafe
usage in that crate.- This is easy to start! Note that the GitHub search isn't very good, so it's best to clone the project and use an editor on your own computer. The cargo geiger command can also help here.
- Once you know where the
unsafe
blocks are it gets harder: you have to carefully determine if theunsafe
is being used appropriately. We've been requesting Clippy lints for known antipatterns, so runningcargo +nightly clippy
is a good starting point. If you don't know if a certainunsafe
block is okay, post the questionable block in a comment in the tracking issue here and someone else can have a look too, or ask in#black-magic
on Rust Community Discord.
- When problems are found with an
unsafe
block we want to file bug reports in that crate's repo, send PRs with fixes if possible, and also write up security advisories if necessary.- If the
unsafe
block is sound, but can be converted to safe code without losing performance, that's a great thing to do! This is often the case thanks to Rust adding new safe abstractions and improving the optimizer since the code was originally written. - It's possible that
unsafe
can't be eliminated without a performance loss. Unfortunate, but it will happen some of the time. Note that benchmarks must actually be used to back up any performance loss claims. There are already many cases where switching fromunsafe
to safe alternatives has increased performance, so simply guessing that performance will regress is not enough. - If switching away from unsafe is impossible because of missing abstractions then that's important to know! We can work on improving the language, the standard library, and/or the crates.io ecosystem until the necessary gaps are filled in.
- If the
- Once a crate has been gone over enough we close that issue. If the crate needs re-checking again later on we just open a new issue.
- (Optional) If you have completely cleansed a crate of
unsafe
, add a#![forbid(unsafe_code)]
attribute to itssrc/lib.rs
ormain.rs
. After doing that, help others discover Safety Dance by adding a badge to your README.md:
Markdown code:
[![unsafe forbidden](https://img.shields.io/badge/unsafe-forbidden-success.svg)](https://github.com/rust-secure-code/safety-dance/)
Check out the safety improvements already done!
GIF image encoder/decoder written in Rust (tracking issue)
- Unsafe blocks before: 6 (ignoring C API)
- Unsafe blocks after: 2 (ignoring C API)
100% safety blocked by Polonius integration in rustc
Done by: Shnatsel
A streaming compression/decompression library DEFLATE-based streams in Rust. Has C and Rust backends (tracking issue)
- Unsafe blocks before: 21 (when using Rust backend)
- Unsafe blocks after: 2 (when using Rust backend)
- Switched to using Rust backend by default (see miniz_oxide below)
Done by: oyvindln, Shnatsel, Alex Crichton
A general purpose library of common HTTP types (tracking issue)
- Security bugs fixed: RUSTSEC-2019-0033, RUSTSEC-2019-0034
Done by: Qwaz, Sean McArthur
Image operations and conversions to/from image formats (tracking issue)
- Unsafe blocks before: 21 (many of them unsound)
- Unsafe blocks after: 6
- Security bug fixed: RUSTSEC-2019-0014
The remaining unsafe blocks are inherent and cannot be removed. They have been audited and found to be sound.
Done by: fintelia, HeroicKatora, 64
Popular DEFLATE compression/decompression library (tracking issue)
- Unsafe blocks before: 16 (4 of them unsound)
- Unsafe blocks after: 0 plus 2 moved to shared crates
- Security bug fixed: RUSTSEC-2019-0010
Done by: DevQps, Shnatsel, WanzenBug, mleonhard
The fastest DEFLATE compression/decompression library in Rust, backend for flate2 (tracking issue)
- Unsafe blocks before: 28 (2 of them unsound)
- 100% safe code now - while being faster than the C version!
- Potential security issue fixed: Frommi/miniz_oxide#36 (unclear if exploitable or not)
Fast and memory saving bsdiff 4.x compatible delta compressor and patcher (tracking issue)
- Unsafe blocks before: 3
- 100% safe code now
Done by: Nicolas Braud-Santoni
A spinlock for Rust (tracking issue)
spin::RwLock
found to be unsound,completely rewritten based on Facebook's Folly implementation, new implementation audited for soundness- Security bug fixed: RUSTSEC-2019-0013
- Unsafe code in
spin::Once
audited and found sound as of version 0.5.2
Done by: Matt Taylor, Acrimon
Suffix array construction and searching algorithms for in-memory binary data (tracking issue)
- Unsafe blocks before: 2
- 100% safe code now
Done by: Nicolas Braud-Santoni
You can help by:
- Nominating crates for auditing - we're looking for widely used crates with
unsafe
in them - Auditing nominated crates for soundness
- Replacing unsafe code with safe code where possible (where not possible - documenting why)
- Inspecting crates that have been made safer and requesting Clippy lints for the antipatterns discovered
Check out what's in progress or pick up a work item on the issue tracker!