https://readrust.net/Wed, 8 Feb 2023 23:55:19 +0000229d0cd3-f648-4ec9-addd-f7756bd62d74Wed, 8 Feb 2023 23:55:19 +0000https://litchipi.github.io/infosec/2023/01/24/git-code-audit-viewed-as-rust-programmer.htmlLitchi Pi
This post is based on the (great) report available here and aims to investigate how Rust mitigates some of the vulnerabilities shown in this report, but also to put some light on what it doesn’t mitigate by itself, and how a programmer can address these issues using good practices.]]>3b5f9d9b-498c-4b45-8a48-c8336d9d4509Wed, 30 Nov 2022 23:20:03 +0000http://dwrensha.github.io/capnproto-rust/2022/11/30/out_of_bounds_memory_access_bug.htmlDavid Renshaw7e47217c-f251-4094-8cce-207263dd5071Wed, 30 Nov 2022 23:14:06 +0000https://www.phoronix.com/news/Fedora-38-RPM-Sequoia-RustMichael Larabel314e60e2-4220-45fa-a597-7f743e94577eWed, 16 Dec 2020 22:04:35 +0000https://sequoia-pgp.org/blog/2020/12/16/202012-1.0/Neal
The release includes the low-level crate sequoia-openpgp, and a program to verify detached signatures geared towards software distribution systems called sqv.]]>3b4de905-668e-478b-b70f-ad55ed2c54aaMon, 14 Sep 2020 11:07:44 +0000https://www.reddit.com/r/rust/comments/iotx5u/introducing_auditable_audit_rust_binaries_for/Sergey "Shnatsel" Davidoff7a44592b-5fcb-4ea3-a47c-b8e149df2d1dMon, 31 Aug 2020 10:25:25 +0000https://sequoia-pgp.org/blog/2020/08/21/202008-sequoia-0.19.0/Justusb73a7049-39a2-47c8-aa3e-a9bc97fd5756Mon, 10 Aug 2020 10:38:30 +0000https://sharpend.io/7-things-i-learned-from-porting-a-c-crypto-library-to-rust/Mathias Lafeldt
Given these benefits, it’s no surprise that I keep coming back to Rust. This time, I decided to revisit a pull request from five years ago, which has been lingering in my mind ever since. The ambiguous goal of the pull request is to port cb2util, one of my old crypto tools for PlayStation 2, from C to pure Rust.]]>ef49b857-158f-4062-a7d7-0d39c5880e4eWed, 15 Jul 2020 11:38:19 +0000https://blog.rust-lang.org/2020/07/14/crates-io-security-advisory.htmlRust Security Response WG
We have no evidence of this being exploited in the wild, but out of an abundance of caution we opted to revoke all existing API keys.]]>33b03cfe-287e-4eef-933a-852476830a2cThu, 9 Jul 2020 08:01:26 +0000https://www.microsoft.com/en-us/research/blog/toward-trusted-sensing-for-the-cloud-introducing-project-freta/Mike Walkerb56c86b4-2ea2-4029-b204-9b44704571b9Fri, 19 Jun 2020 01:03:07 +0000http://jbp.io/2020/06/14/rustls-audit.htmlJoseph Birr-Pixton
First off, though, Dirkjan Ochtman (of the Quinn project) deserves a great deal of thanks for ultimately making this happen. We first discussed the possibility of an audit like this at RustFest Paris 2018. He worked with great determination for almost two years to secure a sponsor. Thanks Dirkjan!

The Cloud Native Computing Foundation (a part of the Linux Foundation) funded this audit, at the request of Buoyant who use rustls in the data plane of linkerd. So further thanks are due to Chris Aniszczyk of the Linux Foundation, and Oliver Gould of Buoyant for their support of these projects.

Finally, thanks to the staff at Cure53 for being a pleasure to work with.]]>6b223aca-a994-4918-9ab3-54317a52f7beSun, 31 May 2020 00:56:07 +0000http://blog.hackeriet.no/fuzzing-sequoia/capitolinteroperability with C it also exposes itself as a C library in the sequoia_openpgp_ffi
crate. This would be the way that you would call this library from other programming languages,
as C often acts as the lowest common denominator.

As Sequoia is making progress towards a 1.0 release, I thought that it would be time to help out by
trying to discover bugs in it by fuzzing, a technique where you generate random input to
functions and observe the execution flow in order to detect problems.]]>1693aaf0-dfa5-4d98-bab4-f1572e84e9b3Thu, 21 May 2020 22:04:58 +0000https://blue42.net/code/rust/examples/sodiumoxide-password-hashing/post/Luke Arntz
I spent some time reviewing the documentation for sodiumoxide and while there were working and straight forward examples it wasn’t clear whether that was all that needed to be done to securely hash passwords, or if there were additional steps required when used in production.

I think I’ve found the answers to my initial questions and decided to write this post for my own reference and to help anyone else looking for help.]]>4d81c020-a409-450a-a177-841c6a918391Sun, 3 May 2020 10:00:30 +0000https://jpastuszek.net/asn/ Jakub Pastuszek cba0f8f3-423f-4323-916e-4b6606e5dbbcSat, 11 Apr 2020 01:34:34 +0000https://blog.redsift.com/labs/announcing-ingraind-1-0/Peter Parkanyi
Just under 1000 git commits later in the two repositories combined, we are happy to announce version 1.0.]]>908c51b3-2f91-42cd-b6bb-95286a16a460Fri, 3 Apr 2020 11:00:44 +0000https://boats.gitlab.io/blog/post/vulnerabilities/withoutboats7edaa438-7066-487d-a48d-293def235043Wed, 25 Mar 2020 02:23:20 +0000https://anssi-fr.github.io/rust-guide/Agence nationale de la sécurité des systèmes d'information
Nevertheless, due to its versatility, the language possibly offers some constructions that, if not used properly, can introduce security problems, by making code misinterpreted by the programmer or a reviewer. In addition, as for every tool in the compilation or software verification field, the tools used to develop, compile and execute programs can expose certain features or configurations that, if misused, may lead to vulnerabilities.

Thus, the object of this document is to compile hints and recommendations to stay in a safe zone for secure applications development while taking advantage of the range of possibilities the Rust language can offer.]]>683455ad-5f69-4d90-b70a-f5b90e34560cMon, 16 Mar 2020 09:14:23 +0000https://blog.yossarian.net/2020/03/09/Implementing-the-Clipper-chip-cipher-in-RustWilliam Woodruff5e73b51b-67a9-4a4e-8d38-123aff9f48ecFri, 28 Feb 2020 23:10:34 +0000https://research.nccgroup.com/2020/02/26/public-report-rustcrypto-aes-gcm-and-chacha20poly1305-implementation-review/NCC Group1a8b41c2-bb7e-4244-b1c3-52fabd7c0321Mon, 3 Feb 2020 06:37:02 +0000https://security.googleblog.com/2020/01/say-hello-to-opensk-fully-open-source.htmlElie Bursztein and Jean-Michel Picodb5b38e6f-70e4-43a1-9612-6eeef347e91eFri, 24 Jan 2020 07:14:17 +0000https://blog.rust-lang.org/inside-rust/2020/01/23/Introducing-cargo-audit-fix-and-more.htmlTony Arcieri
This post describes the new features in the 0.11 release of cargo-audit.]]>324feb9f-0a8f-49f5-94d2-0fd1e3e9a524Fri, 17 Jan 2020 08:07:40 +0000https://medium.com/@shnatsel/smoke-testing-rust-http-clients-b8f2ee5db4e6?source=rss------rust-5Sergey "Shnatsel" Davidoff
By that time I was already disillusioned in the security of software written in C and the willingness of maintainers to fix it, so I never followed up on the bug. However, this year I decided to repeat the test with software written in a language that’s less broken by design: Rust.

Here’s how 7 different HTTP clients fared.]]>22b8cf5e-1c07-4f2b-903c-32ea44bdce82Thu, 16 Jan 2020 21:21:47 +0000https://fitzgeraldnick.com/2020/01/16/better-support-for-fuzzing-structured-inputs-in-rust.htmlNick Fitzgerald6a8f17f8-cd31-49e4-a301-07fb12ca45e0Fri, 20 Dec 2019 00:59:27 +0000https://fy.blackhats.net.au/blog/html/2019/12/19/packaging_and_the_security_proposition.htmlFirstyear7f4c5d31-fd67-4a48-af93-b67d3a02cc29Thu, 12 Dec 2019 13:43:27 +0000https://docs.rs/dtolnay/0.0.7/dtolnay/macro._03__soundness_bugs.htmlDavid Tolnayf58cc3ef-4b31-4103-a6d8-16de66132efdMon, 25 Nov 2019 09:27:00 +0000https://stainless.io/post/code/rust/drop_root/Russell Hay7c53cfec-7842-4ca1-a1bb-183b2d6c1444Sat, 2 Nov 2019 00:00:00 +0000https://www.reddit.com/r/rust/comments/dq8df4/announcing_safetydance_removing_unnecessary/Sergey "Shnatsel" Davidoff
A while ago I decided to check just how prevalent that is in widely used code, and I was astonished by what I've found: many popular and widely used Rust crates contain quite a few unsafe blocks, even when they're not doing anything inherently unsafe, and a surprising number of them can be converted into safe code without losing performance.]]>25ecd879-1428-4fd5-8200-e908de68db3bSun, 20 Oct 2019 04:38:50 +0000https://medium.com/programming-servo/programming-servo-shipping-message-ports-via-a-detour-into-spectre-c96683ac0b8Gregory Terzian
Web-messaging enables developers to provide cross-site API’s without having to go through a server, all the while leveraging the client-side security model of the Web. And since it happens on the client, it could be more transparent to the end-user, and probably easier to block if necessary.

Implementing message-ports also raises interesting architectural questions. In an earlier Web(like, in 2017), an API like message-ports could have been implemented with some sort of cross-thread communication. In 2019 however, it’s going to have to go across process. Why? Something known as “Spectre”.]]>844b80e2-68b9-450a-8e0f-7aa395d1ca07Tue, 15 Oct 2019 10:59:04 +0000https://suricata-ids.org/2019/10/15/announcing-suricata-5-0-0/inliniac04d6d1f5-601b-4de7-bf7b-81153617a559Tue, 8 Oct 2019 12:42:02 +0000https://fuzzit.dev/2019/10/08/how-to-fuzz-rust-code-with-cargo-fuzz-continuously/Fuzzitf7d6bffe-ea86-4fbc-9aa6-4ba15b3929a5Mon, 30 Sep 2019 16:45:48 +0000https://msrc-blog.microsoft.com/2019/09/30/building-the-azure-iot-edge-security-daemon-in-rust/Raj Vengalil5e44948a-fa5d-4dbb-a7e7-7e4838fbaa80Fri, 6 Sep 2019 13:35:51 +0000https://www.guitmz.com/linux-fe2o3-rust-virus/Guilherme Thomazi
This time, Rust is the language and I must say that I was impressed by its compiler and error handling, but the syntax is still not 100% clear to me (as you can see from my rudimentar code in Linux.Fe2O3) and I wish it had a built-in random library too. This code was written in less than 2 days, of course its not pretty, has lots of .unwrap() (already got great input from some people on Reddit to help me with that, will be addressed) so I apologise in advance.]]>a3f26838-eaa9-494a-b71d-37ac8600c24aWed, 4 Sep 2019 07:00:00 +0000https://fitzgeraldnick.com/2019/09/04/combining-coverage-guided-and-generation-based-fuzzing.htmlNick Fitzgerald923c5a4c-a9d4-42c5-9368-7725a5bd26beMon, 26 Aug 2019 00:00:00 +0000https://blog.quarkslab.com/security-audit-of-dalek-libraries.htmlLaurent Grémy, Guillaume Heilles, Nicolas Surbayrole
We only found some minor issues. We also provided recommendations on the usage of the libraries and third-party libraries.]]>f820bc2a-3700-4b36-ac63-ad638301b911Mon, 29 Jul 2019 00:00:00 +0000http://lucumr.pocoo.org/2019/7/29/dependency-scaling/Armin Ronacher153bc34f-6b3a-4103-8fed-55ed99da9e36Mon, 22 Jul 2019 19:19:19 +0000https://msrc-blog.microsoft.com/2019/07/22/why-rust-for-safe-systems-programming/Ryan Levickcc336a90-bbf5-49c3-94b7-e3c4454cbc53Sun, 21 Jul 2019 20:52:00 +0000https://www.cloudatomiclab.com/fuzz/Justin Cormack3ded792f-b573-465c-a4bf-00a241bc7cbcMon, 1 Jul 2019 15:30:06 +0000https://blog.trailofbits.com/2019/07/01/siderophile-expose-your-crates-unsafety/Trail of Bitsea3f2d4d-b907-4611-9aaf-d5f6311863a2Tue, 18 Jun 2019 22:00:00 +0000https://www.wzdftpd.net/blog/rust-fuzzers.htmlPollux81657ee0-b628-449d-b5c3-3258a0219756Fri, 14 Jun 2019 12:21:35 +0000https://sequoia-pgp.org/blog/2019/06/14/20190614-hagrid/Neal593aaa73-c49a-4b38-99c7-ce2a1070723dMon, 13 May 2019 00:00:00 +0000https://blog.rust-lang.org/2019/05/13/Security-advisory.htmlThe Rust Core Team4450a6c3-3baa-4485-853b-910969aa0119Sun, 21 Apr 2019 00:00:00 +0000https://brycx.github.io/2019/04/21/rust-dudect-constant-time-crypto.htmlbrycxf1c4efc6-6cb3-4b03-a445-6ee32bd804b7Fri, 29 Mar 2019 00:50:00 +0000https://noiseexplorer.com/georgiode32ac99-9bcf-4744-ab65-3f22398433d7Wed, 27 Mar 2019 13:43:27 +0000https://blog.cloudflare.com/boringtun-userspace-wireguard-rust/Vlad Krasnov6af41799-4171-46ca-ab1f-572b8669da6eTue, 26 Mar 2019 00:00:00 +0000https://www.net.in.tum.de/members/emmericp/Stefan Hubere2a2559d-5bf2-45b6-ba62-a3af84913c3aSat, 2 Mar 2019 20:02:25 +0000https://github.com/Shnatsel/rust-auditSergey "Shnatsel" Davidoff1ffc5388-6476-4542-90c1-398c561a2c43Thu, 28 Feb 2019 14:10:27 +0000https://hacks.mozilla.org/2019/02/rewriting-a-browser-component-in-rust/Diane Hosfeltfae48adb-0406-4124-b06d-6b9d7a667d85Sat, 23 Feb 2019 20:38:04 +0000https://medium.com/coinmonks/zero-knowledge-proofs-using-bulletproofs-4a8e2579fc82Lovesh Harchandania552df74-7e67-4b0a-9e12-a75afc9235b8Sat, 9 Feb 2019 03:29:00 +0000https://www.ssi.gouv.fr/en/actualite/be-part-of-anssis-new-guide-to-develop-secure-applications-with-rust/ANSSIb6ca1619-6bdb-4efc-a043-ea73ed0e8336Thu, 7 Feb 2019 14:00:15 +0000https://research.kudelskisecurity.com/2019/02/07/auditing-rust-crypto-the-first-hours/https://research.kudelskisecurity.com/ba72d3fb-8f1e-4802-a55b-15dd8584046fFri, 1 Feb 2019 01:15:00 +0000https://sts10.github.io/2019/02/01/medic.htmlSam Schlinkert
I use a password manager called KeePassXC, so all of my passwords are stored in an encrypted file – a KeePass database – and I use a program called KeePassXC, a free and open-source password manager, to manage them (I wrote a beginner’s user guide to KeePassXC a while back if you’re interested!). So ideally, to check my passwords against the big list, I’d have a tool that checks all the passwords in a given KeePass database against the entire HaveIBeenPwned list of passwords, preferably against the downloaded file (i.e. “offline”), rather than the API. In other words something similar to 1Password’s Watchtower feature, but preferably offline.

After poking around a bit I decided to write it myself in Rust, with this script and this crate as useful references. Medic is a Rust CLI that can perform a variety of “health” checks on a KeePass database.]]>f333987d-a697-4e1c-8667-7d6bd4e765deWed, 30 Jan 2019 06:45:00 +0000https://edp.fortanix.com/Jethro Beekmane89d9e3f-1400-40ca-9e1c-d90817daf41eWed, 23 Jan 2019 15:00:57 +0000https://hacks.mozilla.org/2019/01/fearless-security-memory-safety/Diane Hosfelt84b2eb06-712b-4d63-b899-c91e16e1b0eeWed, 23 Jan 2019 12:18:11 +0000https://medium.com/@flundstrom2/manage-security-vulnerabilities-in-embedded-iot-devices-with-rust-14aeabada68bFredrik Lundström2785bcea-bff1-46c3-913b-87888f79133cFri, 18 Jan 2019 18:20:42 +0000https://medium.com/@shnatsel/security-as-rust-2019-goal-6a060116ba39Sergey Davidoff et al.01a84c85-f79f-42fa-9632-e3ee5f0f5b6eMon, 7 Jan 2019 00:00:00 +0000https://ayende.com/blog/185730-A/using-tls-with-rust-part-ii-client-authenticationAyende Rahien234e0c08-173d-431d-861b-3f4bbb214a6bWed, 2 Jan 2019 00:00:00 +0000https://ayende.com/blog/185698-A/using-tls-with-rust-part-iAyende Rahienaa59c999-cba6-4f20-80cc-888e8e257a73Wed, 19 Dec 2018 00:00:00 +0000https://blog.1aim.com/post/gbl-release/Jonas Schievink
The library implements a parser and writer for GBL firmware update containers, which are used to perform secure OTA updates for certain microcontrollers.]]>3f8f60fc-a917-4f77-98fb-f3d263cda7b3Mon, 10 Dec 2018 12:50:35 +0000https://sequoia-pgp.org/blog/2018/12/10/state-of-the-seedling-in-december/Justus Winter5d14453d-3a6f-4f26-8aa1-20edec9e9347Mon, 26 Nov 2018 09:08:17 +0000https://sequoia-pgp.org/blog/2018/11/26/initial-release/Neal H. Walfield, Justus Winter, and Kai Michaelisb612b468-7306-4f7b-a09a-2b4f0bac5b55Tue, 6 Nov 2018 00:00:00 +0000https://joshlf.com/post/2018/11/06/introducing-mundane/Joshua Liebow-Feeser2e26b090-21b9-42e2-9ac5-9664e79af88eFri, 28 Sep 2018 21:07:20 +0000https://medium.com/@hdevalence/merlin-flexible-composable-transcripts-for-zero-knowledge-proofs-28d9fda22d9aHenry de Valence385cdc5a-e6e0-4562-b9f3-156b296d6a03Fri, 28 Sep 2018 03:51:45 +0000https://medium.com/@shnatsel/how-ive-found-vulnerability-in-a-popular-rust-crate-and-you-can-too-3db081a67fbSergey "Shnatsel" Davidoff96405556-ac98-433a-a0f8-c3de068e47d3Tue, 25 Sep 2018 00:00:00 +0000https://brycx.github.io/2018/09/25/orion-pure-rust-crypto-lib.htmlbrycxe36be553-3461-4742-8127-2a41c9f54d93Fri, 21 Sep 2018 00:00:00 +0000https://blog.rust-lang.org/2018/09/21/Security-advisory-for-std.htmlThe Rust Core Team2fec1872-4519-4b08-8012-147db9dff5e0Thu, 13 Sep 2018 00:00:00 +0000https://matthewkmayer.github.io/blag/public/post/postgres-tls/Matthew Mayer's2e015136-8213-4fa3-afe0-78bf520d1da6Wed, 12 Sep 2018 23:35:55 +0000https://neosmart.net/blog/2018/transparent-encryption-and-decryption-in-rust-with-cryptostreams/Mahmoud Al-Qudsi
Enter the cryptostream crate. Released on github and on crates.io under the MIT public license, cryptostream finally provides an easy and transparent way to add encryption and decryption to pipelines involving objects implementing Read or Write, making encryption (or decryption) as easy as creating a new cryptostream object, passing in an existing Read/Write impl, and then reading/writing from/to the cryptostream instead.]]>7f4b6826-72f6-4842-882d-2a2e5378bdcdSat, 18 Aug 2018 02:47:33 +0000https://medium.com/@shnatsel/how-rusts-standard-library-was-vulnerable-for-years-and-nobody-noticed-aebf0503c3d6Sergey "Shnatsel" Davidoff
That is, until you explicitly opt in to that kind of thing. Uh oh.]]>be4fb7bc-7b10-41ce-af58-e877d70fd73dMon, 13 Aug 2018 18:00:43 +0000http://www.pl-enthusiast.net/2018/08/13/security-programming-languages-issue/Michael Hicks31c9d3c0-192b-45f2-922e-5b8d188683bcThu, 9 Aug 2018 08:23:00 +0000https://sites.google.com/secured.org/malwareunicorn/xoriAmanda Rousseau and Rich Seymour8a924e9f-d803-4e85-b2e8-92b5909c7695Wed, 1 Aug 2018 17:41:42 +0000https://medium.com/@hdevalence/accelerating-edwards-curve-arithmetic-with-parallel-formulas-ac12cf5015beHenry de Valence
I implemented this strategy in Rust, targeting 256-bit wide AVX2 operations. The resulting implementation performs double-base scalar multiplication faster than other Ed25519 implementations I tested, and is even faster than FourQ without endomorphisms]]>db3cdc15-004b-4a41-9649-6ade4a8407ebThu, 19 Jul 2018 00:00:00 +0000https://rustsec.org/Rust Project Developers