Find the ideal fuzz targets in a Rust codebase

Overview

Siderophile

Siderophile finds the "most unsafe" functions in your Rust codebase, so you can fuzz them or refactor them out entirely. It checks the callgraph of each function in the codebase, estimates how many unsafe expressions are called in an evaluation of that function, then produces a list sorted by this value. Here's what Siderophile's output format looks like:

Badness  Function
    092  <myProject::myThing as my_project::myThing>::tempt_fate
    064  <myProject::myOtherThing::whatever as my_project::myThing>::defy_death
    [...]

"Badness" of a function is simply an approximation of how many unsafe expressions are evaluated during an evaluation of that function. For instance, marking unsafe functions with a *, suppose your function f calls functions g* and h. Furthermore, h calls i*. Then the badness of f is 2. Functions with high badness have a lot of opportunities to be memory unsafe.

Installation

Make sure that you have the following requirements:

  • rustup and cargo must be installed and in your PATH
  • LLVM 13 is required. Older versions may work (see https://crates.io/crates/llvm-ir), but you must change the llvm-ir package's features in Cargo.toml before compiling Siderophile.

Then, run cargo build --release, and you'll have a Siderophile binary :)

How to use

Make sure that you followed the above steps, then do the following:

  1. cd to the root directory of the crate you want to analyze

  2. Run SIDEROPHILE_LOCATION/target/release/siderophile --crate-name CRATENAME, where CRATENAME is the name of the crate you want to analyze, and SIDEROPHILE_LOCATION is the location where you put the siderophile code (you know, normal running-rust-binary stuff).

Functions are written to stdout, ordered by their badness.

How it works

Siderophile extends cargo-geiger, whose goal is to find unsafety at the crate-level.

First, the callgraph is created by having cargo output the crate's bitcode, then parsing it to produce a callgraph and demangle the names into things that we can match with the source code.

Next, siderophile finds all the sources of the current crate, finds every Rust file in the sources, and parses each file individually using the syn crate. Each file is recursively combed through for unsafety occurring in functions, trait declarations, trait implementations, and submodules. siderophile will output the path of these objects, along with an indication of what type of syntactic block they were found in. The list received from this step contains every unsafe block in every dependency of the crate, regardless of whether it's used. To narrow this down, we need to compare siderophile's list to nodes in the callgraph of the crate.

Using the callgraph produced in the first step, we check which elements from the siderophile output are actually executed from the crate in question. This step (implemented in src/callgraph_matching) is not guaranteed to find everything, but it has shown good results against manual search. It is also not immune to false positives, although none have been found yet. The labels of the nodes that are found to be unsafe are used as input for the final step.

The final step is to trace these unsafe nodes in the callgraph. For each node in the list, siderophile will find every upstream node in the callgraph, and increment their badness by one, thus indicating that they use unsafety at some point in their execution. At the end of this process, all the nodes with nonzero badness are printed out, sorted in descending order by badness.
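
The tracing step described above, as an added sketch that is not Siderophile's own code: it walks a constructed callgraph backwards from each unsafe node and counts every upstream function once per unsafe node, so recursion and shared callers do not inflate the score. The function name, the sample graph and the choice not to count an unsafe node toward itself are assumptions of this example.

```rust
use std::collections::{BTreeMap, HashMap, HashSet, VecDeque};

// Constructed callgraph as (caller, callee) pairs. The first three edges are
// the README's example (f calls g* and h, h calls i*); the rest are added to
// exercise a shared caller, a recursive cycle and a fully safe function.
const SAMPLE_EDGES: [(&str, &str); 9] = [
    ("f", "g"),
    ("f", "h"),
    ("h", "i"),
    ("top", "f"),
    ("top", "h"),
    ("loop_a", "loop_b"),
    ("loop_b", "loop_a"),
    ("loop_b", "i"),
    ("safe_fn", "helper"),
];

// Labels the matching step would have reported as unsafe (constructed).
const SAMPLE_UNSAFE: [&str; 2] = ["g", "i"];

/// Rank functions by badness: the number of distinct unsafe nodes found
/// downstream of each function in the callgraph.
///
/// Assumption of this sketch: an unsafe node is not counted as its own
/// upstream, following the wording "every upstream node".
fn rank_badness<'a>(
    edges: &[(&'a str, &'a str)],
    unsafe_nodes: &[&'a str],
) -> Vec<(String, u32)> {
    // Reverse adjacency list: callee -> its direct callers.
    let mut callers: HashMap<&str, Vec<&str>> = HashMap::new();
    for &(caller, callee) in edges {
        callers.entry(callee).or_default().push(caller);
    }

    let mut badness: BTreeMap<&str, u32> = BTreeMap::new();
    // Deduplicate so a label listed twice never taints its callers twice.
    let unique: HashSet<&str> = unsafe_nodes.iter().copied().collect();

    for start in unique {
        // Breadth-first walk up the callgraph. `seen` stops cycles and makes
        // sure a caller reached by several paths is incremented only once.
        let mut seen: HashSet<&str> = HashSet::new();
        seen.insert(start);
        let mut queue: VecDeque<&str> = VecDeque::new();
        queue.push_back(start);

        while let Some(node) = queue.pop_front() {
            if let Some(direct) = callers.get(node) {
                for &caller in direct {
                    if seen.insert(caller) {
                        *badness.entry(caller).or_insert(0) += 1;
                        queue.push_back(caller);
                    }
                }
            }
        }
    }

    // Only nodes with nonzero badness are in the map. Sort descending by
    // badness, then by name so the output is deterministic.
    let mut ranked: Vec<(String, u32)> = badness
        .into_iter()
        .map(|(name, score)| (name.to_string(), score))
        .collect();
    ranked.sort_by(|a, b| b.1.cmp(&a.1).then_with(|| a.0.cmp(&b.0)));
    ranked
}

fn main() {
    // Print in the same two-column layout as the tool's output.
    println!("Badness  Function");
    for (name, score) in rank_badness(&SAMPLE_EDGES, &SAMPLE_UNSAFE) {
        println!("    {:03}  {}", score, name);
    }
}
```

In the sample graph, `top` reaches `i` both through `f` and through `h` but is still charged only once for it, and `safe_fn` never appears because nothing below it is unsafe.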

Limitations

Siderophile is not guaranteed to catch all the unsafety in a crate's deps. Since things are only tagged at a source-level, we do not have the ability to inspect macros or resolve dynamically dispatched methods. Accordingly, this tool should not be used to "prove" that a crate uses no unsafety.

Debugging

To get debugging output from siderophile, set the RUST_LOG environment variable to siderophile=XXX where XXX can be info, debug, or trace.

Thanks

To cargo-geiger and rust-praezi for current best practices. This project is mostly due to their work.

License

Siderophile is licensed and distributed under the AGPLv3 license. Contact us if you're looking for an exception to the terms.

Comments
  • Integration with cargo-audit/RustSec?

    cargo-audit is a utility which compares dependencies in Cargo.lock against the RustSec Advisory Database. I've opened an issue proposing a potential integration with Siderophile here:

    https://github.com/RustSec/cargo-audit/issues/89

    Recently we published an advisory for a high severity but low exploitability vulnerability to the database, which resulted in false positive alerts for many users. The issue linked above goes into detail about why this is an interesting case where a call graph analysis would've helped.

    We've done some work on collecting paths to affected vulnerabilities already to support this kind of analysis, and have the ability to collect this sort of information in advisories. Here's an example:

    https://github.com/RustSec/advisory-db/blob/a8e2ec8/crates/safe-transmute/RUSTSEC-2018-0013.toml#L21

    [affected_paths]
    ">= 0.4.0, <= 0.10.0"  = ["safe_transmute::guarded_transmute_vec_permissive"]
    "= 0.10.0"             = ["safe_transmute::guarded_transmute_to_bytes_vec"]
    

    (sidebar: looking at that again, it feels like we should swap these so the path is on the left and the impacted versions are on the right)

    What we need out of a call graph analysis tool is something that can both compute the call graph for --all-features, and then a way of testing if particular paths exist in the call graph. Compared to what Siderophile already does, this seems fairly simple.

    If this sounds like a good idea, I'm curious what you think the best way to integrate cargo-audit and Siderophile would be. Should we invoke it as a subprocess, or is there a way to use it as a library/crate dependency? Is there a particular crate we can use that provides the call graph analysis functionality in isolation?

    opened by tarcieri 14
  • Bump cargo from 0.61.0 to 0.63.1

    Bumps cargo from 0.61.0 to 0.63.1.

    Commits
    • d39343d Auto merge of #10806 - ehuss:bump-cargo-util-stable-1.62, r=joshtriplett
    • 20e282b Auto merge of #10785 - ehuss:fix-dead_code-diag, r=Eh2406
    • 6dedcf8 Ignore invalid_target_empty test.
    • 524745d Bump cargo-util version.
    • a748cf5 Auto merge of #10737 - ehuss:revert-num-cpus, r=weihanglo
    • 0cfdbc0 [beta] Revert #10427: switch from num_cpus
    • 4751950 Auto merge of #10707 - ehuss:beta-backport, r=weihanglo
    • 735f2c8 Auto merge of #10677 - likzn:fix_publish_p, r=ehuss
    • 3f052d8 Auto merge of #10659 - Muscraft:prestabilization-inheritance-docs, r=epage
    • 6892cc3 pre-stabilization documentation for workspace inheritance
    dependencies 
    opened by dependabot[bot] 7
  • Bump syn from 1.0.99 to 1.0.100

    Bumps syn from 1.0.99 to 1.0.100.

    Release notes

    Sourced from syn's releases.

    1.0.100

    Commits
    • 3d01fc3 Release 1.0.100
    • 308d77b Merge pull request #1218 from dtolnay/variadiccomma
    • 9b589ba Fix printing of variadic extern fn with trailing comma
    • 42e9942 Allow multiple parenthesized path argument segments in the same path
    • ba6cd8e Merge pull request #1217 from dtolnay/typepathfnwithcoloncolon
    • 194c3d4 Insane syntax on feature="full" only
    • 6e09f2d Parse associated type on path with parenthesized generic arguments
    • 15c0075 Skip traversing into const params for precedence test
    • e3d6e7b Reorder GenericArgument::Const next to Type
    • be1b758 Merge pull request #1216 from dtolnay/anglebracketedorder
    dependencies 
    opened by dependabot[bot] 6
  • Bump syn from 1.0.88 to 1.0.89

    Bumps syn from 1.0.88 to 1.0.89.

    Release notes

    Sourced from syn's releases.

    1.0.89

    • Remove support for inner attributes on non-block expressions (#1146, rust-lang/rust#83312)
    • Fix panic on comma after mut self in a bare fn type (#1148)
    Commits
    • 8d4eb4c Release 1.0.89
    • 6daa474 Merge pull request #1148 from dtolnay/fnmutself
    • 4a3a83d Fix panic on comma after 'mut self' in bare fn type
    • 99510ff Add test of trailing comma after mut self
    • 9a66997 Update test suite to nightly-2022-03-16
    • be3238b Merge pull request #1146 from dtolnay/innerattr
    • fe5508b Remove support for inner attributes on non-block expressions
    • 1da3551 Revert "Parse inner attrs on structs, enums, unions, variants"
    Dependabot will merge this PR once CI passes on it, as requested by @smoelius.


    dependencies 
    opened by dependabot[bot] 6
  • Bump syn from 1.0.87 to 1.0.88

    Bumps syn from 1.0.87 to 1.0.88.

    Release notes

    Sourced from syn's releases.

    1.0.88

    • Parse .. pattern in pattern of let (#1136)
    • Parse for<…> lifetime introducer on closures (#1135)
    • Reject postfix operators after cast (#1117)
    • Implement extra-traits for Nothing (#1144)
    Commits
    • fcaca36 Release 1.0.88
    • 531c56f Merge pull request #1144 from dtolnay/nothingtraits
    • f21ce8a Implement extra-traits for syn::parse::Nothing
    • 3f0cfc1 Merge pull request #1142 from dtolnay/castsuffix
    • 15ea927 Reject postfix operators after cast
    • 097b3a2 Add cast tests that should fail to parse
    • fd6f0bf Merge pull request #1141 from dtolnay/forclosure
    • c1ef9ed Parse for<…> lifetime introducer on closures
    • 5d1cd93 Merge pull request #1140 from dtolnay/letdotdot
    • c708999 Parse .. pattern in pattern of let
    dependencies 
    opened by dependabot[bot] 6
  • Bump cargo from 0.57.0 to 0.58.0

    Bumps cargo from 0.57.0 to 0.58.0.

    Commits
    • b2e52d7 Auto merge of #9988 - ehuss:beta-git-fetch-force, r=alexcrichton
    • ffa597e Auto merge of #9979 - ehuss:git-fetch-force, r=alexcrichton
    • c7957a7 Auto merge of #9968 - ehuss:verbose-version, r=alexcrichton,Eh2406
    • 9f5da7c Add --verbose to bug report template.
    • 5a8be7b Add os to verbose version string.
    • c5318a1 Add some more information to verbose version.
    • dea587a Auto merge of #9938 - weihanglo:issue-9857, r=ehuss
    • ec38c84 Auto merge of #9943 - ehuss:stabilize-named-profiles, r=alexcrichton
    • 42035c7 Auto merge of #9963 - ehuss:update-git2, r=alexcrichton
    • ed2bfc2 Update git2
    dependencies 
    opened by dependabot[bot] 6
  • Bump quote from 1.0.18 to 1.0.21

    Bumps quote from 1.0.18 to 1.0.21.

    Release notes

    Sourced from quote's releases.

    1.0.21

    • Add keywords to crates.io metadata

    1.0.20

    • Remove workaround for dealing with invalid spans on new enough compilers (#224, thanks @​mystor)
    • Use Ident::new_raw to quote raw identifiers (#225, thanks @​mystor)

    1.0.19

    • Improve the way rustc's -Zunpretty=expanded renders quote's expanded code (#221)
    Commits
    • 34d94b4 Release 1.0.21
    • 20a59fd Update keywords in crates.io metadata
    • ae25ab6 Change std imports to core where possible
    • fa923c4 Sort package entries in Cargo.toml
    • d196f95 Update ui test suite to nightly-2022-07-28
    • 29cc169 Update ui test suite to nightly-2022-07-20
    • 164493f Update ui test suite to nightly-2022-07-10
    • d84bcc3 Update ui test suite to nightly-2022-07-02
    • 8cf6d7b Use dtolnay/rust-toolchain's miri toolchain
    • 2a6da9b Update ui test suite to nightly-2022-06-26
    dependencies 
    opened by dependabot[bot] 4
  • Bump structopt from 0.3.12 to 0.3.15

    Bumps structopt from 0.3.12 to 0.3.15.

    Changelog

    Sourced from structopt's changelog.

    v0.3.15 (2020-06-16)

    v0.3.14 (2020-04-22)

    • Minor documentation improvements.

    v0.3.13 (2020-04-9)

    • Bump proc-macro-error to 1.0.
    Commits
    • b1174e5 v0.3.15
    • 7e431cb Flattening a subcommand now panics with a meaningful error message
    • caa1455 Merge pull request #400 from TeXitoi/fix/matches-span
    • 83894e2 Some tweaks
    • 0a6bc51 Use proper span when generating matches token
    • f84e751 Remove unnecessary braces
    • 2b2d941 Fix first doc example for a practical one
    • 891b25a Update ui test to latest stable
    • 4759d50 Fix license in Cargo.toml
    • 203c6bc v0.3.14
    dependencies 
    opened by dependabot-preview[bot] 4
  • Issue with rust-toolchain file

    My project has a rust-toolchain file in its root for a nightly toolchain, but ./setup.sh simply calls "cargo" so it built with a different version than my project. This led to the following error when running analyze.sh.

    $ ~/src/siderophile/analyze.sh myapp
    trawling source code of dependencies for unsafety
       Compiling libc v0.2.60
    
    ...
    
    
    error[E0514]: found crate `cached` compiled by an incompatible version of rustc myapp                                   
      --> src/lib.rs:15:1
       |
    15 | extern crate cached;
       | ^^^^^^^^^^^^^^^^^^^^
       |
       = help: please recompile that crate using this compiler (rustc 1.37.0-nightly (8aa42ed7c 2019-06-24))
       = note: the following crate versions were found:
               crate `cached` compiled by rustc 1.36.0 (a53f9df32 2019-07-03): ~/src/myapp/target/debug/deps/libcached-b5e2b19b56d13d52.rmeta
    
    error: aborting due to previous error
    
    thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Cargo("Could not compile `myapp`.")', src/libcore/result.rs:1051:5
    stack backtrace:
       0: std::panicking::default_hook::{{closure}}
       1: std::panicking::default_hook
       2: std::panicking::rust_panic_with_hook
       3: std::panicking::continue_panic_fmt
       4: rust_begin_unwind
       5: core::panicking::panic_fmt
       6: core::result::unwrap_failed
       7: siderophile::main
       8: std::rt::lang_start::{{closure}}
       9: std::panicking::try::do_call
      10: __rust_maybe_catch_panic
      11: std::rt::lang_start_internal
      12: main
    

    To fix this problem, I had to build and run siderophile with the correct toolchain selected.

    cd ~/src/siderophile
    RUSTUP_TOOLCHAIN=$(cat ~/src/myapp/rust-toolchain) cargo build --release
    
    $ cd ~/src/myapp
    $ RUSTUP_TOOLCHAIN=$(cat rust-toolchain) ~/src/siderophile/analyze.sh myapp
    
    trawling source code of dependencies for unsafety
       Compiling libc v0.2.60
    ...
    generating LLVM bitcode for the callgraph
    ...
    

    A note about this should probably be added to the readme.

    bug 
    opened by WyseNynja 4
  • Bump env_logger from 0.9.0 to 0.9.1

    Bumps env_logger from 0.9.0 to 0.9.1.

    dependencies 
    opened by dependabot[bot] 3
  • Bump crossbeam-utils from 0.8.5 to 0.8.8

    Bumps crossbeam-utils from 0.8.5 to 0.8.8.

    Release notes

    Sourced from crossbeam-utils's releases.

    crossbeam-utils 0.8.8

    • Fix a bug when unstable loom support is enabled. (#787)

    crossbeam-utils 0.8.7

    • Add AtomicCell<{i*,u*}>::{fetch_max,fetch_min}. (#785)
    • Add AtomicCell<{i*,u*,bool}>::fetch_nand. (#785)
    • Fix unsoundness of AtomicCell<{i,u}64> arithmetics on 32-bit targets that support Atomic{I,U}64 (#781)

    crossbeam-utils 0.8.6

    • Re-add AtomicCell<{i,u}64>::{fetch_add,fetch_sub,fetch_and,fetch_or,fetch_xor} that were accidentally removed in 0.8.0 0.7.1 on targets that do not support Atomic{I,U}64. (#767)
    • Re-add AtomicCell<{i,u}128>::{fetch_add,fetch_sub,fetch_and,fetch_or,fetch_xor} that were accidentally removed in 0.8.0 0.7.1. (#767)
    Dependabot will merge this PR once CI passes on it, as requested by @smoelius.


    dependencies 
    opened by dependabot[bot] 3
  • Bump syn from 1.0.103 to 1.0.107

    Bumps syn from 1.0.103 to 1.0.107.

    Release notes

    Sourced from syn's releases.

    1.0.106

    • Documentation improvements

    1.0.105

    • Improve parse errors related to dyn and impl type syntax (#1245)

    1.0.104

    • Add PathArguments::is_none()
    dependencies rust 
    opened by dependabot[bot] 0
  • Bump anyhow from 1.0.66 to 1.0.68

    Bumps anyhow from 1.0.66 to 1.0.68.

    Release notes

    Sourced from anyhow's releases.

    1.0.67

    • Improve the backtrace captured when context() is used on an Option (#280)
    Commits
    • 867763b Release 1.0.68
    • c0a87d0 Opt out -Zrustdoc-scrape-examples on docs.rs
    • 1cc707b Release 1.0.67
    • 613b261 Update build status badge
    • 0f922d7 Disable backtrace CI on Rust 1.50
    • acecd9b Update ui test suite to nightly-2022-12-15
    • 0bac51f Time out workflows after 45 minutes
    • 60e8800 Fix renamed let_underscore_drop lint
    • 8d1c734 Update ui test suite to nightly-2022-11-16
    • 451651b Update ui test suite to nightly-2022-11-11
    dependencies rust 
    opened by dependabot[bot] 0
  • Bump quote from 1.0.21 to 1.0.23

    Bumps quote from 1.0.21 to 1.0.23.

    Release notes

    Sourced from quote's releases.

    1.0.22

    • Documentation improvements
    Commits
    • 550af67 Release 1.0.23
    • b0337d0 Opt out -Zrustdoc-scrape-examples on docs.rs
    • 2386c5a Release 1.0.22
    • ead304a Update build status badge
    • 51d3bd2 Update ui test suite to nightly-2022-12-15
    • 2922a8e Time out workflows after 45 minutes
    • 6f42f3c Fix renamed let_underscore_drop lint
    • b2e30cc MIT copyright line
    • efc9b69 Ui test changes for trybuild 1.0.66
    • 1e2b198 Raise minimum tested toolchain to rust 1.56
    dependencies rust 
    opened by dependabot[bot] 0
  • Bump cargo from 0.66.0 to 0.67.0

    Bumps cargo from 0.66.0 to 0.67.0.

    Commits
    • d65d197 Auto merge of #11381 - ehuss:beta-fix-safe-directory, r=weihanglo
    • 4d1d2b2 Auto merge of #11335 - ehuss:space-test, r=epage
    • e3daada Auto merge of #11332 - weihanglo:fix-semver-check, r=Muscraft
    • 6774bc1 Auto merge of #11366 - ehuss:fix-safe-directory, r=epage
    • 7e484fc Auto merge of #11062 - epage:wait, r=weihanglo
    • 1985caf Auto merge of #11292 - arlosi:compression, r=epage
    • 1c1e9a6 Auto merge of #11294 - ehuss:highfive-docs, r=weihanglo
    • cf38262 Update contrib docs for highfive transition
    • 1cb94b0 Auto merge of #11293 - ehuss:highfive-triagebot, r=Mark-Simulacrum
    • 1945b44 Auto merge of #11287 - Rageking8:fix-dupe-word-typos, r=weihanglo
    dependencies rust 
    opened by dependabot[bot] 0
  • Bump actions/checkout from 2 to 3

    Bumps actions/checkout from 2 to 3.

    Release notes

    Sourced from actions/checkout's releases.

    v3.0.0

    • Updated to the node16 runtime by default
      • This requires a minimum Actions Runner version of v2.285.0 to run, which is by default available in GHES 3.4 or later.

    v2.5.0

    What's Changed

    Full Changelog: https://github.com/actions/checkout/compare/v2...v2.5.0

    v2.4.2

    What's Changed

    Full Changelog: https://github.com/actions/checkout/compare/v2...v2.4.2

    v2.4.1

    • Fixed an issue where checkout failed to run in container jobs due to the new git setting safe.directory

    v2.4.0

    • Convert SSH URLs like org-<ORG_ID>@github.com: to https://github.com/ - pr

    v2.3.5

    Update dependencies

    v2.3.4

    v2.3.3

    v2.3.2

    Add Third Party License Information to Dist Files

    v2.3.1

    Fix default branch resolution for .wiki and when using SSH

    v2.3.0

    Fallback to the default branch

    v2.2.0

    Fetch all history for all tags and branches when fetch-depth=0

    v2.1.1

    Changes to support GHES (here and here)

    ... (truncated)

    dependencies github_actions 
    opened by dependabot[bot] 0
Releases (v0.2.1)
  • v0.2.1 (Sep 22, 2022)

  • v0.2.0 (Sep 22, 2022)

    What's Changed

    • Bump quote from 1.0.10 to 1.0.14 by @dependabot in https://github.com/trailofbits/siderophile/pull/160
    • Bump cargo from 0.58.0 to 0.59.0 by @dependabot in https://github.com/trailofbits/siderophile/pull/161
    • Bump tempfile from 3.2.0 to 3.3.0 by @dependabot in https://github.com/trailofbits/siderophile/pull/162
    • Bump anyhow from 1.0.51 to 1.0.52 by @dependabot in https://github.com/trailofbits/siderophile/pull/163
    • Bump syn from 1.0.82 to 1.0.85 by @dependabot in https://github.com/trailofbits/siderophile/pull/164
    • Bump structopt from 0.3.25 to 0.3.26 by @dependabot in https://github.com/trailofbits/siderophile/pull/165
    • Bump syn from 1.0.85 to 1.0.86 by @dependabot in https://github.com/trailofbits/siderophile/pull/166
    • Bump quote from 1.0.14 to 1.0.15 by @dependabot in https://github.com/trailofbits/siderophile/pull/168
    • Bump anyhow from 1.0.52 to 1.0.53 by @dependabot in https://github.com/trailofbits/siderophile/pull/167
    • Bump anyhow from 1.0.53 to 1.0.54 by @dependabot in https://github.com/trailofbits/siderophile/pull/169
    • Bump anyhow from 1.0.54 to 1.0.55 by @dependabot in https://github.com/trailofbits/siderophile/pull/170
    • Bump cargo from 0.59.0 to 0.60.0 by @dependabot in https://github.com/trailofbits/siderophile/pull/172
    • Bump anyhow from 1.0.55 to 1.0.56 by @dependabot in https://github.com/trailofbits/siderophile/pull/173
    • Bump regex from 1.5.4 to 1.5.5 by @dependabot in https://github.com/trailofbits/siderophile/pull/174
    • Bump syn from 1.0.86 to 1.0.87 by @dependabot in https://github.com/trailofbits/siderophile/pull/175
    • Bump syn from 1.0.87 to 1.0.88 by @dependabot in https://github.com/trailofbits/siderophile/pull/176
    • Bump syn from 1.0.88 to 1.0.89 by @dependabot in https://github.com/trailofbits/siderophile/pull/177
    • Bump quote from 1.0.15 to 1.0.16 by @dependabot in https://github.com/trailofbits/siderophile/pull/178
    • Bump log from 0.4.14 to 0.4.15 by @dependabot in https://github.com/trailofbits/siderophile/pull/179
    • Bump log from 0.4.15 to 0.4.16 by @dependabot in https://github.com/trailofbits/siderophile/pull/180
    • Bump quote from 1.0.16 to 1.0.17 by @dependabot in https://github.com/trailofbits/siderophile/pull/181
    • Bump syn from 1.0.89 to 1.0.91 by @dependabot in https://github.com/trailofbits/siderophile/pull/183
    • Bump cargo from 0.60.0 to 0.61.0 by @dependabot in https://github.com/trailofbits/siderophile/pull/184
    • Bump quote from 1.0.17 to 1.0.18 by @dependabot in https://github.com/trailofbits/siderophile/pull/185
    • Cargo: bump llvm-ir by @woodruffw in https://github.com/trailofbits/siderophile/pull/211
    • Bump syn from 1.0.99 to 1.0.100 by @dependabot in https://github.com/trailofbits/siderophile/pull/213
    • Bump env_logger from 0.9.0 to 0.9.1 by @dependabot in https://github.com/trailofbits/siderophile/pull/212
    • Bump cargo from 0.61.0 to 0.63.1 by @dependabot in https://github.com/trailofbits/siderophile/pull/200
    • Bump cargo-util from 0.1.2 to 0.2.1 by @dependabot in https://github.com/trailofbits/siderophile/pull/206
    • Bump cargo from 0.63.1 to 0.64.0 by @dependabot in https://github.com/trailofbits/siderophile/pull/214

    Full Changelog: https://github.com/trailofbits/siderophile/compare/v0.1.4...v0.2.0

Owner
Trail of Bits
More code: binary lifters @lifting-bits, blockchain @crytic