-
Notifications
You must be signed in to change notification settings - Fork 105
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Tracking issue for proving soundness, preventing regressions, and documenting security ethos #61
Comments
Deny the `clippy::undocumented_unsafe_blocks` lint. Add SAFETY comments to some unsafe code, and add `#[allow(...)]` to the rest along with TODO comments to follow up. This is the first step of #61.
Deny the `clippy::undocumented_unsafe_blocks` lint. Add SAFETY comments to some unsafe code, and add `#[allow(...)]` to the rest along with TODO comments to follow up. This is the first step of #61.
Deny the `clippy::undocumented_unsafe_blocks` lint. Add SAFETY comments to some unsafe code, and add `#[allow(...)]` to the rest along with TODO comments to follow up. This is the first step of #61.
Once #61 is done, we'll forbid the `missing_safety_docs` and `undocumented_unsafe_blocks` Clippy lints to the root module. Until that happens, we forbid them as high in the module tree as possible.
In issue #716, @ijackson asked for a postmortem (my characterization) which I think would be useful as part of this effort. I think it's also important to look at how the CVE/RUSTSEC advisory and yanking for #716 affected many crates that depend on ahash (and probably other crates that depend on zerocopy), even though almost none of them had a real impact due to #716 since they weren't using the affected API in an affected way (AFAICT), but vulnerability scanning / advisory response software available to us isn't advanced enough to "see" that. The cost of these kinds of false-positive external impacts need to be accounted for in some way. I haven't seen this aspect mentioned elsewhere. |
We aim to make the following promise: zerocopy and any code produced by zerocopy-derive are sound on any supported toolchain/target, and will remain sound under any future compiler changes; in other words, this soundness is forwards-compatible.
This issue tracks all efforts related to proving that we uphold this guarantee, preventing regressions, documenting this guarantee, and ensuring that our documentation properly frames zerocopy's role in the broader Rust safety ecosystem.
As of this writing, there are a few known gaps:
trivial_bounds
feature to break our derives (#500).Safety comments
#429 tracks ensuring that each
unsafe
block is annotated with a safety comment that proves its soundness, and that these proofs are anchored only on guarantees made by the reference or stdlib docs.Strict provenance
#181 tracks abiding by "strict provenance", which is a model for pointer operations which is likely as strict as any future Rust memory model will be.
Formal modeling/verification
#378 tracks using formal modeling/verification tools to test or prove the correctness of some of our core algorithms.
Target architectures
Some target architectures have nonstandard semantics which may make some of our soundness arguments invalid. #383 tracks making it clear in our documentation that zerocopy may be unsound on architectures whose semantics fails to satisfy the guarantees provided by the Rust reference and stdlib docs.
Proc macro execution model
As described in #388, there are currently soundness holes in our custom derives. Some have been confirmed, and others have been hypothesized but not confirmed. This issue tracks identifying the remaining soundness holes and fixing them.
trivial_bounds
As described in #500, it may be possible to use the
trivial_bounds
feature to break our derives.Document our security "ethos"
#482 tracks documenting our security "ethos" - the approach we take to ensuring that our code is correct and secure.
Document our relationship to the Safe Transmute project
#480 tracks documenting the relationship between zerocopy and the Rust project's Safe Transmute project.
Use Safe Transmute in our custom derives (behind a feature flag)
#481 tracks allowing users to opt-in to our derives only supporting types which pass both our analysis and the analysis implemented by the (unstable)
BikeshedIntrinsicFrom
feature (the placeholder name for the analysis implemented by the Safe Transmute project).The text was updated successfully, but these errors were encountered: