rust-secure-code / wg

Coordination repository for the Secure Code Working Group

Publish a list of security-related projects

DevQps opened this issue · comments

Description

There are many great crates and projects out there that enhance or assess the security of the Rust ecosystem in some way. However, there is currently no central point from which these projects can be found, and they are often linked through blog posts or interesting discussions on Zulip.

I think the README of this working group would be a great place to collect projects that can help achieve our 2019 Working Group Goals (kudos to Shnatsel for writing this).

By doing this, these projects would have more visibility and can then hopefully be used and improved to reach our goals.

I suggest that we leave this issue open for a week so that projects can be suggested. After that I can make a Pull Request that updates the README. Any projects that follow afterwards can then have a separate PR.

RustSec Advisory Database

Repository: https://github.com/RustSec/advisory-db/

Description:
The RustSec Advisory Database is a repository of security advisories filed against Rust crates published via https://crates.io. Works closely with Cargo Audit.

Cargo Audit

Repository: https://github.com/RustSec/cargo-audit

Description:
Audit Cargo.lock for crates with security vulnerabilities reported to the RustSec Advisory Database.

RustSec Advisory Client

Repository: https://github.com/RustSec/rustsec-crate

Description:
Client library for accessing the RustSec Security Advisory Database: fetches the advisory-db (or other compatible) git repository and audits Cargo.lock files against it. It is mainly used by Cargo Audit but may be useful if you would like to consume the RustSec advisory database in other capacities.

Cargo Geiger

Repository: https://github.com/anderejd/cargo-geiger

Description:
A program that lists statistics related to the usage of unsafe Rust code in a Rust crate and all its dependencies.

Cargo Fuzz

Repository: https://github.com/rust-fuzz/cargo-fuzz

Description:
Command-line wrapper for using libFuzzer. Easy to use, no need to recompile LLVM!

Crates Audit

Repository: https://gitlab.com/zachreizner/crates-audit/

Description:
A tool to cross-reference the crates.io index with the RustSec Advisory database.

The Update Framework in Rust

Repository: https://github.com/heartsucker/rust-tuf

Description:
A Rust implementation of The Update Framework.

Cargo Crev

Repository: https://github.com/dpc/crev

Description:
crev is a code review system, as opposed to the typically practiced code-change review system.

MIRAI

Repository: https://github.com/facebookexperimental/MIRAI

Description:
Mirai is an abstract interpreter for the Rust compiler's mid-level intermediate representation (MIR). It is intended to become a widely used static analysis tool for Rust.

Cargo Clippy

Repository: https://github.com/rust-lang/rust-clippy

Description:
A collection of lints to catch common mistakes and improve your Rust code.

MIRI

Repository: https://github.com/rust-lang/miri

Description:
An experimental interpreter for Rust's mid-level intermediate representation (MIR). It can run binaries and test suites of cargo projects and detect certain classes of undefined behavior.

Libdiffuzz

Repository: https://github.com/Shnatsel/libdiffuzz

Description:
This is a drop-in replacement for the OS memory allocator that can be used to detect uses of uninitialized memory. It is designed to be used in case Memory Sanitizer is not applicable for some reason.

BugHunt, Rust

Repository: https://github.com/blt/bughunt-rust

Description:
This project is aiming to provide "stateful" QuickCheck models for Rust's standard library.

Angora

Repository: https://github.com/AngoraFuzzer/Angora

Description:
Angora is a mutation-based coverage guided fuzzer. The main goal of Angora is to increase branch coverage by solving path constraints without symbolic execution.

honggfuzz-rs

Repository: https://github.com/rust-fuzz/honggfuzz-rs

Description:
A fuzzer developed by Google.

afl.rs

Repository: https://github.com/rust-fuzz/afl.rs

Description:
Allows one to run the AFL fuzzer on code written in the Rust programming language.

QuickCheck

Repository: https://github.com/BurntSushi/quickcheck

Description:
QuickCheck is a way to do property based testing using randomly generated input.

Proptest

Repository: https://github.com/altsysrq/proptest

Description:
Proptest is a property testing framework (i.e., the QuickCheck family) inspired by the Hypothesis framework for Python.

Loom

Repository: https://github.com/carllerche/loom

Description:
Loom is a model checker for concurrent Rust code. It exhaustively explores the behaviors of code under the C11 memory model, which Rust inherits.

untrusted.rs

Repository: https://github.com/briansmith/untrusted

Description:
untrusted.rs allows for reliable and efficient parsing of untrusted inputs in Rust.

EDIT: On second thought, this might not be relevant to what the issue is about. I think I've misunderstood. I'll let @DevQps decide whether it's in scope or not.

@brycx I think it can serve a purpose here! We'll just have to place it in the right category. Like "Utility libraries for safe programming" or something like that.

With a bit of luck I will be able to create a Pull Request of this today or tomorrow!