Area: security updates

When running Rust binaries, you do not get automatic security updates. Rust binaries are statically linked, so you cannot get a shared library update through the usual channels to mitigate a vulnerability. Nothing will inform you about the vulnerability or nag you to update. There is no way to even tell whether you are running a Rust binary with known security vulnerabilities, because the list of libraries that went into creating the binary is not preserved.

RustSec maintains a Rust security vulnerability database, so machine-readable information about known vulnerabilities exists.

https://github.com/RustSec/cargo-audit can inspect your Cargo.lock for known vulnerable dependency versions. The catch is that you need to run it manually, and nobody has the time to run it on checked-out versions of their source code every day. Not to mention that the source code does not necessarily correspond to the binaries deployed in production.

https://github.com/Shnatsel/rust-audit is very much a proof-of-concept tool written by me. It embeds Cargo.lock into the compiled binary and provides a tool to extract it; the extracted file can then be fed to cargo-audit to audit the binary for vulnerable dependencies. It is not ready to use as-is, and for this concept to work it needs to be enabled by default in all Cargo builds except WASM and embedded platforms.
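To make the embed-then-extract workflow concrete, here is an added example; it is not rust-audit's own code, and the marker format is an assumption, not the tool's real mechanism. A marker-delimited Cargo.lock payload is placed inside a simulated binary image, recovered from it, parsed for crate names and versions, and checked against an advisory table. The lockfile text, crate names and advisory ids are constructed for the example; a real build would take the lockfile from `include_str!` and the advisories from the RustSec database.

```rust
// Added example: embed a Cargo.lock in a binary image, extract it again, and
// audit the crates it lists against a small constructed advisory table.

// Marker bytes delimiting the embedded lockfile (assumed format, not rust-audit's).
const LOCK_START: &[u8] = b"--BEGIN-EMBEDDED-CARGO-LOCK--";
const LOCK_END: &[u8] = b"--END-EMBEDDED-CARGO-LOCK--";

// Constructed sample lockfile; not a real project's Cargo.lock.
pub const SAMPLE_LOCK: &str = "\
[[package]]
name = \"example-net\"
version = \"0.3.1\"

[[package]]
name = \"example-parser\"
version = \"1.2.0\"

[[package]]
name = \"example-crypto\"
version = \"2.0.5\"
";

/// A hypothetical advisory: every version below `patched` is affected.
pub struct Advisory {
    pub crate_name: &'static str,
    pub patched: &'static str,
    pub id: &'static str,
}

// Constructed advisories; real data would come from the RustSec database.
pub const ADVISORIES: &[Advisory] = &[
    Advisory { crate_name: "example-net", patched: "0.3.2", id: "EXAMPLE-0001" },
    Advisory { crate_name: "example-crypto", patched: "2.0.0", id: "EXAMPLE-0002" },
];

/// Build the payload a binary would carry. In a real build the lock text would
/// come from `include_str!` on the project's Cargo.lock (assumption).
pub fn embed_lock(lock: &str) -> Vec<u8> {
    let mut payload = Vec::new();
    payload.extend_from_slice(LOCK_START);
    payload.extend_from_slice(lock.as_bytes());
    payload.extend_from_slice(LOCK_END);
    payload
}

// Naive substring search over bytes, starting at `from`.
fn find(haystack: &[u8], needle: &[u8], from: usize) -> Option<usize> {
    haystack[from..].windows(needle.len()).position(|w| w == needle).map(|p| p + from)
}

/// Recover the lockfile text from an arbitrary binary image.
pub fn extract_lock(binary: &[u8]) -> Option<String> {
    let start = find(binary, LOCK_START, 0)? + LOCK_START.len();
    let end = find(binary, LOCK_END, start)?;
    String::from_utf8(binary[start..end].to_vec()).ok()
}

/// Minimal parser for the `[[package]]` tables: returns (name, version) pairs.
pub fn parse_lock(lock: &str) -> Vec<(String, String)> {
    let mut out = Vec::new();
    let (mut name, mut version) = (None, None);
    // A trailing sentinel header flushes the last package entry.
    for line in lock.lines().chain(std::iter::once("[[package]]")) {
        let line = line.trim();
        if line == "[[package]]" {
            if let (Some(n), Some(v)) = (name.take(), version.take()) {
                out.push((n, v));
            }
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            version = Some(v.trim_matches('"').to_string());
        }
    }
    out
}

/// Parse "major.minor.patch"; anything else yields None so the audit fails closed.
fn semver(v: &str) -> Option<(u64, u64, u64)> {
    let mut it = v.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// Audit a binary: one finding per embedded crate older than its patched version.
pub fn audit_binary(binary: &[u8]) -> Result<Vec<String>, String> {
    let lock = extract_lock(binary).ok_or("no embedded Cargo.lock found")?;
    let mut findings = Vec::new();
    for (name, version) in parse_lock(&lock) {
        for adv in ADVISORIES {
            if adv.crate_name != name {
                continue;
            }
            match (semver(&version), semver(adv.patched)) {
                (Some(have), Some(patched)) if have < patched => findings.push(format!(
                    "{} {} {} (fixed in {})", adv.id, name, version, adv.patched
                )),
                (None, _) | (_, None) => findings.push(format!("{} {}: unparseable version", adv.id, name)),
                _ => {}
            }
        }
    }
    Ok(findings)
}

fn main() {
    // Simulate a binary image: unrelated bytes around the embedded payload.
    let mut binary = vec![0x7f, b'E', b'L', b'F', 0, 1, 2, 3];
    binary.extend(embed_lock(SAMPLE_LOCK));
    binary.extend_from_slice(&[0xde, 0xad, 0xbe, 0xef]);
    match audit_binary(&binary) {
        Ok(f) if f.is_empty() => println!("no known vulnerable crates"),
        Ok(f) => f.iter().for_each(|x| println!("{}", x)),
        Err(e) => println!("error: {}", e),
    }
}
```

The point of the marker-and-extract step is that the audit runs against what is actually deployed rather than against a checkout that may not match it; the version compare deliberately treats an unparseable version as a finding rather than silently skipping it.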

https://gitlab.com/zachreizner/crates-audit/ inspects crates.io for crates whose dependencies have no semver-compatible upgrade path to mitigate a vulnerability. Pretty much nobody has heard of it, and crates.io does not report the presence of known vulnerabilities in dependencies. It has a configurable output format; the HTML output of a recent run can be found at https://crates.rustsec.org/
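As an added example of the check described above (not crates-audit's own code): Cargo's caret requirement rules decide whether a dependent crate can pick up a patched version without a breaking upgrade, so a dependent whose requirement excludes the patched version is stuck until it bumps its dependency. The dependents, requirements and patched versions below are constructed; the caret ranges follow Cargo's documented semantics.

```rust
// Added example: classify whether a dependent's Cargo requirement admits a
// semver-compatible upgrade to the version that fixes an advisory.

/// Parse "major.minor.patch" into a tuple; None for anything else.
fn semver(v: &str) -> Option<(u64, u64, u64)> {
    let mut it = v.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// Inclusive lower and exclusive upper bound of a Cargo caret requirement:
/// ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4, ^0.0 -> <0.1.0, ^0 -> <1.0.0.
pub fn caret_range(req: &str) -> Option<((u64, u64, u64), (u64, u64, u64))> {
    let nums: Vec<u64> = req
        .trim_start_matches('^')
        .split('.')
        .map(|p| p.parse::<u64>().ok())
        .collect::<Option<Vec<u64>>>()?;
    if nums.is_empty() || nums.len() > 3 {
        return None;
    }
    let get = |i: usize| nums.get(i).copied().unwrap_or(0);
    let low = (get(0), get(1), get(2));
    let high = match (nums.len(), low) {
        (_, (maj, _, _)) if maj > 0 => (maj + 1, 0, 0),
        (1, _) => (1, 0, 0),
        (_, (0, min, _)) if min > 0 || nums.len() == 2 => (0, min + 1, 0),
        (_, (0, 0, pat)) => (0, 0, pat + 1),
        _ => unreachable!(),
    };
    Some((low, high))
}

#[derive(Debug, PartialEq)]
pub enum Fix {
    /// Every version the requirement allows is already at or past the fix.
    AlreadyPatched,
    /// The fixed version is inside the requirement's range: a cargo update suffices.
    CompatibleUpgrade,
    /// The fixed version is outside the range: the dependent must change its requirement.
    BreakingUpgradeRequired,
}

/// Classify a requirement against the first patched version of an advisory.
pub fn classify(req: &str, patched: &str) -> Option<Fix> {
    let (low, high) = caret_range(req)?;
    let p = semver(patched)?;
    Some(if p <= low {
        Fix::AlreadyPatched
    } else if p < high {
        Fix::CompatibleUpgrade
    } else {
        Fix::BreakingUpgradeRequired
    })
}

// Constructed data: (dependent crate, dependency, requirement) as crates.io would list them.
pub const DEPENDENTS: &[(&str, &str, &str)] = &[
    ("web-app", "example-net", "^0.3"),
    ("cli-tool", "example-net", "^0.4.1"),
    ("service", "example-parser", "^1.1"),
];

// Constructed advisories: (vulnerable crate, first patched version).
pub const ADVISORIES: &[(&str, &str)] = &[("example-net", "0.4.0"), ("example-parser", "1.3.2")];

/// Dependents that cannot reach the patched version without a breaking upgrade.
pub fn stuck_dependents() -> Vec<String> {
    let mut stuck = Vec::new();
    for (dependent, dep, req) in DEPENDENTS {
        for (vuln_crate, patched) in ADVISORIES {
            if vuln_crate == dep && classify(req, patched) == Some(Fix::BreakingUpgradeRequired) {
                stuck.push(dependent.to_string());
            }
        }
    }
    stuck
}

fn main() {
    for (dependent, dep, req) in DEPENDENTS {
        for (vuln_crate, patched) in ADVISORIES {
            if vuln_crate == dep {
                println!("{} ({} {}): {:?}", dependent, dep, req, classify(req, patched));
            }
        }
    }
    println!("stuck: {:?}", stuck_dependents());
}
```

The 0.x rules matter in practice: a fix released as 0.4.0 for a crate that dependents require as ^0.3 is a breaking upgrade in Cargo's eyes, so the vulnerable version keeps resolving until every dependent bumps its requirement.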

Other pieces of the puzzle are missing entirely: regularly scanning binaries pulled in via cargo install for vulnerable versions, alerting the user to the vulnerabilities, and automatically installing security updates, which people have come to expect on Linux for the past 20 years.

This will become even more critical once async/await lands and people start building lots of network-facing programs in Rust.