rust-secure-code / cargo-auditable

Make production Rust binaries auditable
Apache License 2.0
646 stars 28 forks

WASM support #145

Closed Shnatsel closed 5 months ago

Shnatsel commented 6 months ago

TODO:

Fixes #53

brooksmtownsend commented 6 months ago

Gave this a shot with a fairly standard template component, it looks like the embedding works but cargo-audit might not have Wasm support. https://github.com/brooksmtownsend/cargo-auditable-wasmcloud

It's also possible I'm not using cargo audit properly 😄

Shnatsel commented 6 months ago

Indeed, cargo audit doesn't support WASM yet. That will also have to be implemented.

Back when I was writing cargo auditable, I found that the libraries for extracting data did not handle untrusted input particularly well - they could allocate unbounded amounts of memory, and also panicked on certain inputs. Because of that I've written https://github.com/Shnatsel/binfarce, which cannot have such failure modes by design.

I'm not sure how robust the wasmparser crate is. It seems to be doing a whole lot more parsing than what we actually need, presenting a rather big attack surface. I don't know how resilient it is to untrusted input; I don't see any indication that the parser has been fuzzed, for example.

It shouldn't be hard to extend binfarce to also parse WASM custom sections, if wasmparser proves unsuitable.
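The comment above sketches the alternative to wasmparser: a parser that only walks section headers and borrows the custom section payload out of the input, so a hostile binary can at worst produce an error, never a panic or an unbounded allocation. The block below is an added example of that approach, written for this page; it is not code from cargo-auditable, binfarce or wasmparser. It assumes the WASM custom section carrying the audit data is named `.dep-v0`, as the ELF section is (the name is a parameter, so a different name is a one-line change), and the module bytes are constructed inline rather than produced by a compiler.

```rust
// Added example: a minimal, allocation-free extractor for a named WASM custom
// section, in the spirit of the binfarce approach discussed in the thread.
// Not code from cargo-auditable, binfarce or wasmparser.

#[derive(Debug, PartialEq, Eq)]
pub enum WasmError {
    BadMagic,
    UnsupportedVersion(u32),
    Truncated,
    BadLeb128,
    BadUtf8,
}

/// Decodes an unsigned LEB128 u32 at `*pos` and advances `pos`.
/// Rejects encodings longer than 5 bytes or overflowing u32 instead of
/// looping or wrapping, so a crafted length field cannot stall the parser.
fn read_u32_leb(bytes: &[u8], pos: &mut usize) -> Result<u32, WasmError> {
    let mut result: u32 = 0;
    for i in 0..5 {
        let b = *bytes.get(*pos).ok_or(WasmError::Truncated)?;
        *pos += 1;
        let payload = (b & 0x7f) as u32;
        // On the 5th byte only the low 4 bits still fit into a u32.
        if i == 4 && payload > 0x0f {
            return Err(WasmError::BadLeb128);
        }
        result |= payload << (7 * i);
        if b & 0x80 == 0 {
            return Ok(result);
        }
    }
    Err(WasmError::BadLeb128)
}

/// Borrows `len` bytes starting at `*pos`, bounds-checked, and advances `pos`.
/// A declared length larger than the remaining input is an error, not an
/// allocation: nothing here ever copies the payload.
fn take<'a>(bytes: &'a [u8], pos: &mut usize, len: u32) -> Result<&'a [u8], WasmError> {
    let end = pos.checked_add(len as usize).ok_or(WasmError::Truncated)?;
    let slice = bytes.get(*pos..end).ok_or(WasmError::Truncated)?;
    *pos = end;
    Ok(slice)
}

/// Returns the data of the first custom section (id 0) named `name`,
/// or Ok(None) if the module has no such section.
pub fn find_custom_section<'a>(wasm: &'a [u8], name: &str) -> Result<Option<&'a [u8]>, WasmError> {
    let mut pos = 0usize;
    if take(wasm, &mut pos, 4)? != &b"\0asm"[..] {
        return Err(WasmError::BadMagic);
    }
    let v = take(wasm, &mut pos, 4)?;
    let version = u32::from_le_bytes([v[0], v[1], v[2], v[3]]);
    if version != 1 {
        return Err(WasmError::UnsupportedVersion(version));
    }
    while pos < wasm.len() {
        let id = wasm[pos];
        pos += 1;
        let size = read_u32_leb(wasm, &mut pos)?;
        let payload = take(wasm, &mut pos, size)?;
        if id != 0 {
            continue; // non-custom sections are skipped without being parsed
        }
        // Custom section payload: name (LEB128 length + UTF-8 bytes), then data.
        let mut p = 0usize;
        let name_len = read_u32_leb(payload, &mut p)?;
        let name_bytes = take(payload, &mut p, name_len)?;
        let section_name = std::str::from_utf8(name_bytes).map_err(|_| WasmError::BadUtf8)?;
        if section_name == name {
            return Ok(Some(&payload[p..]));
        }
    }
    Ok(None)
}

/// Constructed sample module (not real compiler output): magic, version 1,
/// a dummy type section, and two custom sections.
pub fn sample_module() -> Vec<u8> {
    let mut m = Vec::new();
    m.extend_from_slice(b"\0asm");
    m.extend_from_slice(&1u32.to_le_bytes());
    // Type section (id 1, size 4): one function type () -> ().
    m.extend_from_slice(&[1, 4, 1, 0x60, 0, 0]);
    // Custom section "name" (size 6) with one data byte; must be skipped.
    m.extend_from_slice(&[0, 6, 4, b'n', b'a', b'm', b'e', 0xAA]);
    // Custom section ".dep-v0" (assumed name, size 11) with 3 placeholder data bytes.
    m.extend_from_slice(&[0, 11, 7]);
    m.extend_from_slice(b".dep-v0");
    m.extend_from_slice(&[0x78, 0x9c, 0x03]);
    m
}

fn main() {
    let module = sample_module();
    println!("{:?}", find_custom_section(&module, ".dep-v0"));
    // A header that claims a 4 GiB section yields Err(Truncated), not an allocation.
    let mut hostile = b"\0asm\x01\0\0\0".to_vec();
    hostile.extend_from_slice(&[0, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F]);
    println!("{:?}", find_custom_section(&hostile, ".dep-v0"));
}
```

The extractor returns a slice into the caller's buffer, so the only memory used is the bytes of the input already in hand; decompressing and parsing the `.dep-v0` contents is the next stage and is where any allocation would have to be bounded separately.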

Shnatsel commented 6 months ago

Well, it seems wasmparser actually was designed for parsing untrusted input - it is dealing with WASM after all. Fuzzing it didn't seem to turn up any issues. There is one unsafe block but there is no way to express that in safe code, and it appears to be correct. I think I'll be able to wire it up to the extraction pipeline.

The part I am not thrilled about is that I can no longer guarantee absence of heap allocations and therefore absence of OOM denial-of-service if I use wasmparser. Adding WASM support to binfarce would avoid that.

Shnatsel commented 6 months ago

I've added the extraction pipeline using wasmparser. You can test it with rust-audit-info in-tree.

IIRC cargo audit will require a bit more work, but it is going to be quite trivial.

Shnatsel commented 5 months ago

Sadly wasmparser pulls in more dependencies than I would like: https://github.com/bytecodealliance/wasm-tools/issues/1528

It doesn't look like they're actually using them when the std feature is enabled, so it might not be active attack surface - but it's weird to lug all this dead weight around, and complicate packaging for distributions.