Siderophile: Expose your Crate’s Unsafety

Today we released a tool, siderophile, that helps Rust developers find fuzzing targets in their codebases.

Siderophile trawls your crate’s dependencies and attempts to finds every unsafe function, expression, trait method, etc. It then traces these up the callgraph until it finds the function in your crate that uses the unsafety. It ranks the functions it finds in your crate by badness—the more unsafety a function makes use of, the higher its badness rating.

Siderophile ([ˈsidərəˌfīl]) – Having an affinity for metallic iron

We created Siderophile for an engagement where we were delivered a massive Rust codebase with a tight timeframe for review. We wanted to fuzz it but weren’t even sure where to start. So, we created a tool to determine which functions invoked the most unsafe behavior. We were able to speed up our bug discovery by automating the targeting process with siderophile. We’re now open-sourcing this tool so everyone can benefit from it!

Sample Output

Here is a sample of siderophile when run on molasses, a crate we’re building that fully implements the MLS cryptographic protocol:

Badness Function

    012 molasses::crypto::hash::HashFunction::hash_serializable

    005 molasses::crypto::hash::HashContext::feed_serializable

    003 molasses::utils::derive_node_values

    003 molasses::application::encrypt_application_message

    003 molasses::application::decrypt_application_message

    003 molasses::group_ctx::GroupContext::new_from_parts

    003 molasses::group_ctx::GroupContext::from_welcome

    003 molasses::group_ctx::GroupContext::update_transcript_hash

    003 molasses::group_ctx::GroupContext::update_tree_hash

    003 molasses::group_ctx::GroupContext::update_epoch_secrets

    003 molasses::group_ctx::GroupContext::apply_update
    
...

As you can see, much of the unsafety comes from the serialization and crypto-heavy routines. We’ll be sure to fuzz this bad boy before it goes 1.0.

Limitations

This is not guaranteed to catch all the unsafety in a crate’s deps. For instance, we don’t have the ability to inspect macros or resolve dynamically dispatched methods since unsafe tagging only occurs at a source-level. The ergonomics for the tool could be better, and we’ve already identified some incorrect behavior on certain crates. If you’re interested in helping out, please do! We are actively maintaining the project and have some issues written out.

Try it Out

Siderophile is on Github along with a better explanation of how it works and how to run the tool. You should run it on your Rust crate, and setup fuzzers for what it finds. Check it out!

Finally, thanks to cargo-geiger and rust-praezi for current best practices. This project is mostly due to their work.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s