Skip to content
master
Go to file
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
Jul 22, 2014
Jul 19, 2014
Aug 8, 2014

README.md

Enter the Rust Chamber

This is a compiler that sandboxes software using only the Rust language.

Please do not use Rust as a language-based sandbox.

Why do this?

Because Rust is so all about memory safety, Rust code that has no unsafe blocks and that has no access to libraries has severely reduced ability to cause mayhem.

Chamber creates a controlled environment for fuzzing, attacking, and torturing the compiler and libraries. It provides a framework for attempting to violate Rust's safety guarantees.

Building

cargo build

Running

target/chamber breakme.rs

This will create the breakme bin. (If you get an error about not finding std you may need to pass the --sysroot flag).

Chamber comes with a simple 'baseline' chamber, rcr_baseline, which reexports nearly all of the Rust Core Library, and links to it by default. To specify a different chamber, pass its name behind the --chamber flag:

target/chamber breakme.rs --chamber rcr_custom

By default Chamber will look in ., ./target, and ./target/deps, to find chambers, as well as the normal rustc search paths. The search path can be augmented with -L.

The stock Rust Standard Library itself is a chamber:

target/chamber breakme.rs --chamber std

The above is equivalent to the default rustc behavior plus Chamber's blacklist plugin.

How it works

Chamber is a customized Rust compiler. It links to rustc directly to augment its behavior. Compared to stock rustc there are two major differences:

  1. It injects an arbitrary crate as the standard library, including prelude and macros. This is called a 'chamber'.

  2. It uses lint passes to blacklist unsafe features, including linking to any other crate.

Chambers do not need to be 'freestanding'; they may link to std, and chambered libraries may be intermixed freely with normal Rust libraries.

Chamber is a simple program and is structured for readability. It is a good demonstration of embedding rustc, as well as creating rustc plugins, and incorporating both into Cargo packages. See src/chamber/lib.rs.

Blacklisted language features

Some Rust features make it easy to break memory safety. These are turned off.

  • extern crate
  • unsafe blocks
  • #[feature(...)]
  • #[no_mangle]

Chambers

Only one chamber exists right now.

  • rcr_baseline. This is a chamber that others can build off of. It exposes all of the API's from the core library except for core::any, which has potential issues with forging type hashes, and core::intrinsics, which I didn't want to look through carefully, but mostly can't be called anyway.

What Rust does and does not promise

TODO: looping, unwinding, stack overflow, memory leaks, abort, oom

TODO

  • Investigate safety of built-in syntax extensions.
  • Fix feature gate pass
  • Add conveniences API's for compiling .rs, putting the binary into a separate process and detecting the special 'ok' crash conditions (stack overflow, double fail).
  • Investigate impact of native rt injection.
  • Add more chambers.
  • Disallow #[no_mangle]

About

Rust as sandbox

Resources

Releases

No releases published

Languages

You can’t perform that action at this time.