Rust Foundation Report On Recent Initiatives
Written by Alex Denham
Tuesday, 10 September 2024
The Rust Foundation has released a new report on recent initiatives including its Security Initiative. The Foundation is a nonprofit organization dedicated to supporting and sustaining the Rust programming language, and the Security Initiative aims to advance the state of security within the Rust programming language ecosystem. The Foundation announced the security initiative in 2022 with support from OpenSSF's Alpha-Omega project and Rust Foundation Platinum Member, AWS.

The latest report, published today, the opening day of RustConf 2024, which is being hosted for the first time by the Rust Foundation in Montreal, says the foundation is making "considerable progress" on a complete security audit of the Rust ecosystem. Several threat models have been completed to illustrate the risks identified by the audit, and several new tools have been developed to improve security workflows for Rust maintainers. The foundation is investigating the development of a Public Key Infrastructure (PKI) model for the Rust language, including the design and implementation of a PKI CA and a resilient Quorum model for the project to implement, and the report says that language updates suggested by members of the Project were nearly ready for implementation.

Following the XZ backdoor vulnerability, the Security Initiative has focused on supply chain security, including work on provenance tracking, verifying that a given crate is actually associated with the repository it claims to be. The top 5,000 crates by download count have been checked and verified. Threat modeling has now been completed on the Crates ecosystem, Rust Infrastructure, crates.io and the Rust Project.

Two open source security tools, Painter and Typomania, have been developed and released. Painter can be used to build a graph database of dependencies and invocations between all crates within the crates.io ecosystem, including the ability to obtain 'unsafe' statistics, better call graph pruning, and FFI boundary mapping. Typomania ports typogard to Rust, and can be used to detect potential typosquatting as a reusable library that can be adapted to any registry.

There have also been "crates.io technical debt reduction & API token improvements". crates.io is the official Rust package registry, and improvements include tighter management of crates.io admin privileges; enhancements to the reliability and speed of crate downloads; the migration of the crates.io test suite to async tests to make it easier to use async-only libraries in the test suite; and work on the remaining API calls to overcome performance issues.

In addition to the work on the Security Initiative, the Foundation has also been working on improving interoperability between Rust and C++, supported by a $1 million contribution from Google. The Foundation says that following "conversations with members of the Rust Project and existing players in Rust

The report is available for download now.
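As an added illustration of the kind of check Typomania automates (this is example code written for this article, not Typomania's or typogard's own implementation), the following Rust program flags a candidate crate name that is a small edit, an adjacent transposition, or a `-`/`_` or case swap away from a constructed list of well-known crate names. The `POPULAR` list, the thresholds and the `Verdict` categories are assumptions made for the example; a registry would derive the list from its own download counts.

```rust
// Added example for this article: typosquat heuristics of the kind a
// registry-side scanner applies. Not Typomania's or typogard's code.
#[derive(Debug, PartialEq)]
pub enum Verdict {
    Exact,                   // the name is itself a well-known crate
    SeparatorSwap(String),   // only `-`/`_` or letter case differs
    NearMiss(String, usize), // within a small edit distance of a known name
    Clean,
}

// Constructed list standing in for "top crates by download count".
pub const POPULAR: &[&str] = &["serde", "tokio", "rand", "regex", "syn", "reqwest"];

/// Collapse the differences crates.io itself treats as equivalent-looking:
/// `-` versus `_` and letter case.
fn normalise(name: &str) -> String {
    name.to_ascii_lowercase().replace('-', "_")
}

/// Optimal string alignment distance: Levenshtein plus adjacent
/// transposition, so "sedre" is distance 1 from "serde".
fn osa_distance(a: &str, b: &str) -> usize {
    let a: Vec<char> = a.chars().collect();
    let b: Vec<char> = b.chars().collect();
    let (n, m) = (a.len(), b.len());
    let mut d = vec![vec![0usize; m + 1]; n + 1];
    for i in 0..=n { d[i][0] = i; }
    for j in 0..=m { d[0][j] = j; }
    for i in 1..=n {
        for j in 1..=m {
            let cost = if a[i - 1] == b[j - 1] { 0 } else { 1 };
            d[i][j] = (d[i - 1][j] + 1)
                .min(d[i][j - 1] + 1)
                .min(d[i - 1][j - 1] + cost);
            // Adjacent transposition (e.g. "rd" <-> "dr").
            if i > 1 && j > 1 && a[i - 1] == b[j - 2] && a[i - 2] == b[j - 1] {
                d[i][j] = d[i][j].min(d[i - 2][j - 2] + 1);
            }
        }
    }
    d[n][m]
}

/// Classify `candidate` against the list of well-known names.
pub fn check_name(candidate: &str, popular: &[&str]) -> Verdict {
    if popular.contains(&candidate) {
        return Verdict::Exact;
    }
    let norm = normalise(candidate);
    let mut best: Option<(&str, usize)> = None;
    for &p in popular {
        if normalise(p) == norm {
            return Verdict::SeparatorSwap(p.to_string());
        }
        let dist = osa_distance(&norm, &normalise(p));
        if best.map_or(true, |(_, d)| dist < d) {
            best = Some((p, dist));
        }
    }
    // Assumed thresholds: short names get 1 edit, names of 8+ chars get 2.
    // Tighter limits on short names keep false positives (e.g. "syn"/"sym") down.
    match best {
        Some((p, dist)) => {
            let limit = if norm.chars().count() >= 8 { 2 } else { 1 };
            if dist <= limit { Verdict::NearMiss(p.to_string(), dist) } else { Verdict::Clean }
        }
        None => Verdict::Clean,
    }
}

fn main() {
    // Constructed candidates: a real name, a transposition, a case swap,
    // a dropped letter, and an unrelated name.
    for name in ["serde", "sedre", "Serde", "regx", "my_totally_unique_crate"] {
        println!("{name:<24} -> {:?}", check_name(name, POPULAR));
    }
}
```

A verdict of `NearMiss` or `SeparatorSwap` is a signal for review rather than proof of squatting; many legitimate crates sit one edit away from a popular one, which is why the distance limit shrinks for short names and why a real deployment would pair this with the provenance checks the report describes.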