Rust Safety Dance

About

This is a place for people to communicate about auditing unsafe code in core Rust crates and replacing it with safe code where feasible.

Everyone is invited to participate!

You do not have to be an unsafe expert to help out. There's a lot of work to do just picking crates (ones with a lot of reverse-dependencies are best), and then sorting out where they use unsafe and why. If you think something isn't right just post it in the tracking issue and others can have a look and talk it out.

Process

Our process is as follows:

1. File a tracking issue in this repo about a particular crate, giving its name and a link to their github (or other repository location).
2. Audit unsafe usage in that crate.
   • This is easy to start! Note that the GitHub search isn't very good, so it's best to clone the project and use an editor on your own computer. The cargo geiger command can also help here.
   • Once you know where the unsafe blocks are it gets harder: you have to carefully determine if the unsafe is being used appropriately. We've been requesting Clippy lints for known antipatterns, so running cargo +nightly clippy is a good starting point. If you don't know if a certain unsafe block is okay, post the questionable block in a comment in the tracking issue here and someone else can have a look too, or ask in #black-magic on Rust Community Discord.
3. When problems are found with an unsafe block we want to file bug reports in that crate's repo, send PRs with fixes if possible, and also write up security advisories if necessary.
   • If the unsafe block is sound, but can be converted to safe code without losing performance, that's a great thing to do! This is often the case thanks to Rust adding new safe abstractions and improving the optimizer since the code was originally written.
   • It's possible that unsafe can't be eliminated without a performance loss. Unfortunate, but it will happen some of the time. Note that benchmarks must actually be used to back up any performance loss claims. There are already many cases where switching from unsafe to safe alternatives has increased performance, so simply guessing that performance will regress is not enough.
   • If switching away from unsafe is impossible because of missing abstractions then that's important to know! We can work on improving the language, the standard library, and/or the crates.io ecosystem until the necessary gaps are filled in.
4. Once a crate has been gone over enough we close that issue. If the crate needs re-checking again later on we just open a new issue.
5. (Optional) If you have completely cleansed a crate of unsafe, add a #![forbid(unsafe_code)] attribute to its src/lib.rs or main.rs. After doing that, help others discover Safety Dance by adding a badge to your README.md:

Markdown code:

[![unsafe forbidden](https://img.shields.io/badge/unsafe-forbidden-success.svg)](https://github.com/rust-secure-code/safety-dance/)

🏆 Trophy Case 🏆

Check out the safety improvements already done!

gif

GIF image encoder/decoder written in Rust (tracking issue)

• Unsafe blocks before: 6 (ignoring C API)
• Unsafe blocks after: 2 (ignoring C API)

100% safety blocked by Polonius integration in rustc

Done by: Shnatsel

flate2

A streaming compression/decompression library DEFLATE-based streams in Rust. Has C and Rust backends (tracking issue)

• Unsafe blocks before: 21 (when using Rust backend)
• Unsafe blocks after: 2 (when using Rust backend)
• Switched to using Rust backend by default (see miniz_oxide below)

Done by: oyvindln, Shnatsel, Alex Crichton

http

A general purpose library of common HTTP types (tracking issue)

• Security bugs fixed: RUSTSEC-2019-0033, RUSTSEC-2019-0034

Done by: Qwaz, Sean McArthur

image

Image operations and conversions to/from image formats (tracking issue)

• Unsafe blocks before: 21 (many of them unsound)
• Unsafe blocks after: 6
• Security bug fixed: RUSTSEC-2019-0014

The remaining unsafe blocks are inherent and cannot be removed. They have been audited and found to be sound.

Done by: fintelia, HeroicKatora, 64

libflate

Popular DEFLATE compression/decompression library (tracking issue)

• Unsafe blocks before: 16 (4 of them unsound)
• Unsafe blocks after: 0 plus 2 moved to shared crates
• Security bug fixed: RUSTSEC-2019-0010

Done by: DevQps, Shnatsel, WanzenBug, mleonhard

miniz_oxide

The fastest DEFLATE compression/decompression library in Rust, backend for flate2 (tracking issue)

• Unsafe blocks before: 28 (2 of them unsound)
• 100% safe code now - while being faster than the C version!
• Potential security issue fixed: Frommi/miniz_oxide#36 (unclear if exploitable or not)

Done by: Shnatsel, oyvindln

qbsdiff

Fast and memory saving bsdiff 4.x compatible delta compressor and patcher (tracking issue)

• Unsafe blocks before: 3
• 100% safe code now

Done by: Nicolas Braud-Santoni

spin

A spinlock for Rust (tracking issue)

• spin::RwLock found to be unsound,completely rewritten based on Facebook's Folly implementation, new implementation audited for soundness
• Security bug fixed: RUSTSEC-2019-0013
• Unsafe code in spin::Once audited and found sound as of version 0.5.2

Done by: Matt Taylor, Acrimon

suffix-array

Suffix array construction and searching algorithms for in-memory binary data (tracking issue)

• Unsafe blocks before: 2
• 100% safe code now

Done by: Nicolas Braud-Santoni

We need your help!

You can help by:

1. Nominating crates for auditing - we're looking for widely used crates with unsafe in them
2. Auditing nominated crates for soundness
3. Replacing unsafe code with safe code where possible (where not possible - documenting why)
4. Inspecting crates that have been made safer and requesting Clippy lints for the antipatterns discovered

Check out what's in progress or pick up a work item on the issue tracker!