Add exploit mitigations chapter to the rustc book #76858
Conversation
|
Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @steveklabnik (or someone else) soon. If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes. Please see the contribution instructions for more information. |
rust-highfive
added
the
S-waiting-on-review
| The Rust compiler supports stack clashing protection via stack probing, and | ||
| enables it by default since version 1.20.0 (2017-08-31)[26]–[29]. | ||
|
|
||
|  |
There was a problem hiding this comment.
Can we use posix tools output like objdump, readelf instead of ghidra or ida screenshot ?
There was a problem hiding this comment.
I don't know of any common Linux tool that can list cross references to addresses/symbols. I could perhaps use Radare2, but it also isn't a common Linux tool, and it would be the same as using Ghidra or IDA Pro.
There was a problem hiding this comment.
I agree there is no such a general CLI tool could do that.
Could you list the toolname in the image description ?
Or have a small section about tools used.
| The Rust compiler supports integer overflow checks, and enables it when | ||
| debug assertions are enabled since version 1.0.0 (2015-05-15)[14]–[17], but | ||
| support for it was not completed until version 1.1.0 (2015-06-25)[16]. An | ||
| option to control integer overflow checks was later stabilized in version | ||
| 1.17.0 (2017-04-27)[18]–[20]. |
There was a problem hiding this comment.
Thanks for the history, but I don't think it is needed to including this.
We want to follow what current nightly do.
There was a problem hiding this comment.
Yes, in general, all docs are written "in the present", and we don't include specific version numbers.
There was a problem hiding this comment.
I can remove these. However, this entire document is written as a historical account of these exploit mitigations' major milestones for Rust, and removing these will make this part inconsistent with the rest of the document. Let me know if you still prefer I remove these.
There was a problem hiding this comment.
Yes, we don't write docs in that style. That doesn't mean it's not useful to have, it's just not the way that the documentation is organized.
| @@ -0,0 +1,583 @@ | |||
| # Exploit Mitigations | |||
|
|
|||
There was a problem hiding this comment.
Do we need a target audience section ? Or it applies to everybody interested.
There was a problem hiding this comment.
The original document was initially targeted at security and software engineers working on the project I'm currently working on, but later was opened to everyone interested. I think having it open to everyone interested would make sense here.
There was a problem hiding this comment.
I can also add the following target audience and prior knowledge similarly to how it is in the original document:
This chapter describes exploit mitigations supported by the Rust compiler, and is by no means an extensive survey of the Rust programming language’s security features.
This chapter is for software engineers working with the Rust programming language, and assumes prior knowledge of the Rust programming language and its toolchain.
I removed it because I didn't see any other chapters containing a target audience and prior knowledge. What do you think?
| The Rust compiler supports stack clashing protection via stack probing, and | ||
| enables it by default since version 1.20.0 (2017-08-31)[26]–[29]. | ||
|
|
||
|  |
There was a problem hiding this comment.
I agree there is no such a general CLI tool could do that.
Could you list the toolname in the image description ?
Or have a small section about tools used.
|
I'd like someone from @rust-lang/compiler to approve this PR. I don't have any more feedback, but ultimately, this is about their part of the project, and it's a big addition. Sorry for this taking so long, @rcvalle . |
There was a problem hiding this comment.
I think this is a great survey of what exists... however I'm a bit concerned a reader might take teh wrong conclusions away from this. Specifically, the document doesn't really describe how effective any of these mitigations are, and indeed the history of C is a history of people claiming a mitigation will solve memory unsafety and then it failing to do so.
To address this, I'd suggest that the introduction flag this, rather than try to document how effective each mitigation is.
Np at all. Thank you @steveklabnik and others for their time! |
What do you think about the following:
Which is why this document does not discuss the effectiveness of these exploit mitigations. |
|
Looks great, thanks!
…On Wed, Oct 14, 2020 at 9:14 PM Ramon de C Valle ***@***.***> wrote:
I think this is a great survey of what exists... however I'm a bit
concerned a reader might take teh wrong conclusions away from this.
Specifically, the document doesn't really describe how *effective* any of
these mitigations are, and indeed the history of C is a history of people
claiming a mitigation will solve memory unsafety and then it failing to do
so.
To address this, I'd suggest that the introduction flag this, rather than
try to document how effective each mitigation is.
What do you think about the following:
This document does not discuss the effectiveness of these exploit
mitigations as they vary greatly depending on several factors besides their
design and implementation, but rather describe what they do, so their
effectiveness can be understood within a given context.
Which is why this document does not discuss the effectiveness of these
exploit mitigations.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#76858 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAAGBEA4SMSQR7WLYWENULSKZEF3ANCNFSM4RRHLMZQ>
.
--
All that is necessary for evil to succeed is for good people to do nothing.
|
jyn514
added
the
A-docs
camelid
added
the
T-compiler
|
waiting for another review from @steveklabnik after recent changes |
crlf0710
added
S-waiting-on-review
|
@bors: r+ rollup |
|
📌 Commit 9999616 has been approved by |
bors
added
S-waiting-on-bors
…ns, r=steveklabnik Add exploit mitigations chapter to the rustc book This section documents the exploit mitigations applicable to the Rust compiler when building programs for the Linux operating system on the AMD64 architecture and equivalent. This was done for a project I'm currently working on, and I hope it'll also be helpful to others.
|
This failed in #79252 on @bors r- |
bors
added
S-waiting-on-author
|
@rcvalle do you mind squashing the commits a little? There are instructions at https://rustc-dev-guide.rust-lang.org/git.html#rebasing. |
Not at all. Do you prefer me to squash them all into a single commit? |
|
However many you think makes sense - for a PR this big, I think up to 5 is fine. I just think changes like 'Remove deadwood from sentence' don't need to be their own commit, since they aren't particularly valuable for telling you why the code is a certain way. |
This section documents the exploit mitigations applicable to the Rust compiler when building programs for the Linux operating system on the AMD64 architecture and equivalent.
I think most of them didn't need a separate commit, so I just squashed them all. |
|
@bors r=steveklabnik rollup |
|
📌 Commit 5b1cb0e has been approved by |
bors
added
S-waiting-on-bors
…as-schievink Rollup of 10 pull requests Successful merges: - rust-lang#76858 (Add exploit mitigations chapter to the rustc book) - rust-lang#79310 (Make `fold_item_recur` non-nullable) - rust-lang#79312 (Get rid of `doctree::Impl`) - rust-lang#79321 (Accept '!' in intra-doc links) - rust-lang#79346 (Allow using `-Z fewer-names=no` to retain value names) - rust-lang#79351 (Fix typo in `keyword` docs for traits) - rust-lang#79354 (BTreeMap: cut out the ceremony around BoxedNode) - rust-lang#79358 (BTreeMap/BTreeSet: make public doc more consistent) - rust-lang#79367 (Allow disabling TrapUnreachable via -Ztrap-unreachable=no) - rust-lang#79374 (Add note to use nightly when using expr in const generics) Failed merges: r? `@ghost` `@rustbot` modify labels: rollup
This section documents the exploit mitigations applicable to the Rust compiler when building programs for the Linux operating system on the AMD64 architecture and equivalent. This was done for a project I'm currently working on, and I hope it'll also be helpful to others.