Siderophile: Expose your Crate’s Unsafety

Today we released a tool, siderophile, that helps Rust developers find fuzzing targets in their codebases.

Siderophile trawls your crate’s dependencies and attempts to finds every unsafe function, expression, trait method, etc. It then traces these up the callgraph until it finds the function in your crate that uses the unsafety. It ranks the functions it finds in your crate by badness—the more unsafety a function makes use of, the higher its badness rating.

Siderophile ([ˈsidərəˌfīl]) – Having an affinity for metallic iron

We created Siderophile for an engagement where we were delivered a massive Rust codebase with a tight timeframe for review. We wanted to fuzz it but weren’t even sure where to start. So, we created a tool to determine which functions invoked the most unsafe behavior. We were able to speed up our bug discovery by automating the targeting process with siderophile. We’re now open-sourcing this tool so everyone can benefit from it!

Sample Output

Here is a sample of siderophile when run on molasses, a crate we’re building that fully implements the MLS cryptographic protocol:

Badness Function
    012 molasses::crypto::hash::HashFunction::hash_serializable
    005 molasses::crypto::hash::HashContext::feed_serializable
    003 molasses::utils::derive_node_values
    003 molasses::application::encrypt_application_message
    003 molasses::application::decrypt_application_message
    003 molasses::group_ctx::GroupContext::new_from_parts
    003 molasses::group_ctx::GroupContext::from_welcome
    003 molasses::group_ctx::GroupContext::update_transcript_hash
    003 molasses::group_ctx::GroupContext::update_tree_hash
    003 molasses::group_ctx::GroupContext::update_epoch_secrets
    003 molasses::group_ctx::GroupContext::apply_update    

As you can see, much of the unsafety comes from the serialization and crypto-heavy routines. We’ll be sure to fuzz this bad boy before it goes 1.0.


This is not guaranteed to catch all the unsafety in a crate’s deps. For instance, we don’t have the ability to inspect macros or resolve dynamically dispatched methods since unsafe tagging only occurs at a source-level. The ergonomics for the tool could be better, and we’ve already identified some incorrect behavior on certain crates. If you’re interested in helping out, please do! We are actively maintaining the project and have some issues written out.

Try it Out

Siderophile is on Github along with a better explanation of how it works and how to run the tool. You should run it on your Rust crate, and setup fuzzers for what it finds. Check it out!

Finally, thanks to cargo-geiger and rust-praezi for current best practices. This project is mostly due to their work.

*** This is a Security Bloggers Network syndicated blog from Trail of Bits Blog authored by JP Smith. Read the original post at: