Rust Security Checklist
https://anssi-fr.github.io/rust-guide/checklist.html
Development environment:
- Use a stable compilation toolchain (DENV-STABLE)
- Keep default values for critical variables in cargo profiles (DENV-CARGO-OPTS)
- Keep default values for compiler environment variables when running cargo (DENV-CARGO-ENVVARS)
- Use a linter regularly (DENV-LINTER)
- Use the Rust formatter (rustfmt) (DENV-FORMAT)
- Manually check automatic fixes (DENV-AUTOFIX)
Libraries:
- Check for outdated dependency versions (cargo-outdated) (LIBS-OUTDATED)
- Check for security vulnerability reports on dependencies (cargo-audit) (LIBS-AUDIT)
- Check for unsafe code in dependencies (LIBS-UNSAFE)
Language generalities:
- Respect naming conventions (LANG-NAMING)
- Don't use unsafe blocks (LANG-UNSAFE)
- Use appropriate arithmetic operations with regard to potential overflows (LANG-ARITH)
- Implement a custom Error type wrapping all possible errors (LANG-ERRWRAP)
- Use the ? operator and do not use the try! macro (LANG-ERRDO)
- Don't use functions that can cause panic! (LANG-NOPANIC)
- Properly test array indexing or use the get method (LANG-ARRINDEXING)
- Handle panic! correctly in FFI (LANG-FFIPANIC)
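The following Rust snippet is an added example, not code from the ANSSI guide, showing several of the items above applied together: a custom error enum wrapping every failure a parser can produce (LANG-ERRWRAP), the ? operator with From conversions (LANG-ERRDO), checked arithmetic for offsets (LANG-ARITH), slicing through get instead of panicking indexing (LANG-ARRINDEXING), and no unwrap or other panicking call on the input path (LANG-NOPANIC). The record layout ("<decimal length>:<payload>") and all names are assumptions chosen for illustration.

```rust
// Added example (not from the ANSSI guide). Parses a "<len>:<payload>" record
// without panicking on any input. Layout and names are illustrative assumptions.
use std::fmt;
use std::num::ParseIntError;
use std::str::Utf8Error;

/// One error type wrapping every failure the parser can produce (LANG-ERRWRAP).
#[derive(Debug, PartialEq, Eq)]
pub enum RecordError {
    /// No ':' separator between length and payload.
    MissingSeparator,
    /// The length prefix is not valid UTF-8.
    LengthNotUtf8(Utf8Error),
    /// The length prefix is not a decimal number that fits in usize.
    BadLength(ParseIntError),
    /// start + len would overflow usize (LANG-ARITH).
    Overflow,
    /// The declared payload extends past the end of the input (LANG-ARRINDEXING).
    Truncated { wanted: usize, available: usize },
}

impl fmt::Display for RecordError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            RecordError::MissingSeparator => write!(f, "no ':' separator found"),
            RecordError::LengthNotUtf8(e) => write!(f, "length prefix is not UTF-8: {e}"),
            RecordError::BadLength(e) => write!(f, "length prefix is not a number: {e}"),
            RecordError::Overflow => write!(f, "payload end offset overflows usize"),
            RecordError::Truncated { wanted, available } => {
                write!(f, "payload needs {wanted} bytes but only {available} are present")
            }
        }
    }
}

impl std::error::Error for RecordError {}

// From impls let `?` convert library errors into RecordError (LANG-ERRDO).
impl From<Utf8Error> for RecordError {
    fn from(e: Utf8Error) -> Self {
        RecordError::LengthNotUtf8(e)
    }
}

impl From<ParseIntError> for RecordError {
    fn from(e: ParseIntError) -> Self {
        RecordError::BadLength(e)
    }
}

/// Returns the payload bytes of a "<len>:<payload>" record, or a RecordError.
pub fn parse_record(input: &[u8]) -> Result<&[u8], RecordError> {
    // `position` guarantees sep < input.len(), so the `..sep` index below is
    // proven in-bounds; every other slice goes through `get`.
    let sep = input
        .iter()
        .position(|&b| b == b':')
        .ok_or(RecordError::MissingSeparator)?;
    let len: usize = std::str::from_utf8(&input[..sep])?.parse()?;
    // Checked arithmetic: a hostile length must not wrap the end offset.
    let start = sep.checked_add(1).ok_or(RecordError::Overflow)?;
    let end = start.checked_add(len).ok_or(RecordError::Overflow)?;
    // `get` returns None instead of panicking when the range is out of bounds.
    input.get(start..end).ok_or(RecordError::Truncated {
        wanted: len,
        available: input.len().saturating_sub(start),
    })
}

fn main() {
    for sample in [&b"3:abcdef"[..], b"5:abc", b"x:abc", b"abc"] {
        match parse_record(sample) {
            Ok(payload) => println!("{:?} -> payload {:?}", sample, payload),
            Err(e) => println!("{:?} -> error: {}", sample, e),
        }
    }
}
```

Because every failure is a variant of RecordError, a caller can match on it exhaustively, and a future change that adds a new failure mode forces the match to be updated at compile time.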
Memory management:
- Do not use forget (MEM-FORGET)
- Use the clippy lint to detect uses of forget (MEM-FORGET-LINT)
- Do not leak memory (MEM-LEAK)
- Release values wrapped in ManuallyDrop (MEM-MANUALLYDROP)
- Always call from_raw on values obtained from into_raw (MEM-INTOFROMRAW)
- Do not use uninitialized memory (MEM-UNINIT)
- Zero out memory of sensitive data after use (MEM-ZERO)
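As an added example (not code from the ANSSI guide), the following Rust snippet shows three of the memory items above in working form: a key buffer whose Drop implementation zeroes its contents with volatile writes (MEM-ZERO, with a justified Drop as in LANG-DROP), a value placed in ManuallyDrop that is explicitly released (MEM-MANUALLYDROP), and a Box handed out as a raw pointer and reclaimed with exactly one matching from_raw call (MEM-INTOFROMRAW, MEM-LEAK). The SecretKey type, the function names and the raw-pointer handoff are assumptions chosen for illustration; the few unsafe blocks are confined to these operations and each carries its justification.

```rust
// Added example (not from the ANSSI guide). SecretKey and the helper functions
// are illustrative assumptions.
use std::mem::ManuallyDrop;
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

/// A buffer holding key material that is wiped when it goes out of scope.
pub struct SecretKey {
    bytes: Vec<u8>,
}

impl SecretKey {
    pub fn new(bytes: Vec<u8>) -> Self {
        SecretKey { bytes }
    }

    pub fn as_bytes(&self) -> &[u8] {
        &self.bytes
    }

    /// Overwrite every byte with zero (MEM-ZERO). Volatile stores keep the
    /// optimizer from deleting the writes as dead because the buffer is about
    /// to be freed; the fence stops later code from being reordered before them.
    pub fn zeroize(&mut self) {
        for b in self.bytes.iter_mut() {
            // SAFETY: `b` is a valid, exclusively borrowed byte inside the Vec.
            unsafe { ptr::write_volatile(b, 0) };
        }
        compiler_fence(Ordering::SeqCst);
    }
}

impl Drop for SecretKey {
    // Justified Drop (LANG-DROP): wiping must happen on every exit path, and it
    // cannot panic (LANG-DROP-NO-PANIC).
    fn drop(&mut self) {
        self.zeroize();
    }
}

/// Converts the key into a raw pointer, as one would to hand it to foreign code,
/// then takes ownership back. The pointer from into_raw is passed to from_raw
/// exactly once (MEM-INTOFROMRAW); skipping that call would leak the key and
/// its zeroing Drop (MEM-LEAK).
pub fn round_trip_through_raw(key: SecretKey) -> SecretKey {
    let raw: *mut SecretKey = Box::into_raw(Box::new(key));
    // ... the pointer could live in a foreign structure for a while here ...
    // SAFETY: `raw` came from Box::into_raw above and has not been freed or
    // passed to from_raw before, so the rebuilt Box is the unique owner.
    *unsafe { Box::from_raw(raw) }
}

/// Holds the key in ManuallyDrop (for example to control the drop order) and
/// releases it explicitly rather than letting it leak (MEM-MANUALLYDROP).
pub fn hold_then_release(key: SecretKey) -> usize {
    let mut held = ManuallyDrop::new(key);
    let len = held.as_bytes().len();
    // SAFETY: `held` is dropped exactly once here and never used afterwards.
    unsafe { ManuallyDrop::drop(&mut held) };
    len
}

fn main() {
    let mut key = SecretKey::new(vec![0x2a; 16]);
    println!("before: {:?}", key.as_bytes());
    key.zeroize();
    println!("after:  {:?}", key.as_bytes());
    let key = round_trip_through_raw(SecretKey::new(vec![1, 2, 3]));
    println!("round trip kept {} bytes", hold_then_release(key));
}
```

The test below can only observe zeroize through its public method, because reading a buffer after its Drop has run is undefined behaviour; in real code the guarantee is that Drop calls the same method.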
Type system:
- Justify Drop implementation (LANG-DROP)
- Do not panic in Drop implementation (LANG-DROP-NO-PANIC)
- Do not allow cycles of reference-counted Drop (LANG-DROP-NO-CYCLE)
- Do not rely only on Drop to ensure security (LANG-DROP-SEC)
- Justify Send and Sync implementation (LANG-SYNC-TRAITS)
- Respect the invariants of standard comparison traits (LANG-CMP-INV)
- Use the default method implementation of standard comparison traits (LANG-CMP-DEFAULTS)
- Derive comparison traits when possible (LANG-CMP-DERIVE)
Foreign Function Interface:
- Use only C-compatible types in FFI (FFI-CTYPE)
- Use consistent types at FFI boundaries (FFI-TCONS)
- Use automatic binding generator tools (FFI-AUTOMATE)
- Use the portable c_* aliases when binding to platform-dependent types (FFI-PFTYPE)
- Do not use unchecked non-robust foreign values (FFI-CKNONROBUST)
- Check foreign values in Rust (FFI-CKINRUST)
- Use pointer types rather than reference types (FFI-NOREF)
- Do not use unchecked foreign references (FFI-CKREF)
- Check foreign pointers (FFI-CKPTR)
- Mark function pointer types in FFI as extern and unsafe (FFI-MARKEDFUNPTR)
- Check foreign function pointers (FFI-CKFUNPTR)
- Do not use Rust enums for incoming values at the FFI boundary (FFI-NOENUM)
- Use dedicated Rust types for foreign opaque types (FFI-R-OPAQUE)
- Use incomplete C/C++ struct pointers to make a type opaque (FFI-C-OPAQUE)
- Do not use types that implement Drop at the FFI boundary (FFI-MEM-NODROP)
- Ensure clear data ownership in FFI (FFI-MEM-OWNER)
- Wrap foreign data in a memory-releasing wrapper (FFI-MEM-WRAPPING)
- Handle panic! correctly in FFI (FFI-NOPANIC)
- Provide a safe wrapper for foreign libraries (FFI-SAFEWRAPPING)
- Expose a dedicated C-compatible API only (FFI-CAPI)
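The following Rust snippet is an added example, not code from the ANSSI guide, of a small C-compatible API exported from Rust that applies the boundary items above: only C-compatible types and portable c_* aliases cross the boundary (FFI-CTYPE, FFI-PFTYPE, FFI-CAPI), the Rust state is visible to C only as an opaque pointer (FFI-R-OPAQUE), every incoming pointer is checked before use (FFI-CKPTR), ownership is handed over and taken back through explicit new/free functions (FFI-MEM-OWNER), and any panic is caught and turned into an error code instead of unwinding into the caller (FFI-NOPANIC). The Counter handle, the return codes and the function names are assumptions chosen for illustration; the safe core logic is kept in a plain Rust function so the unsafe code is limited to the pointer handling at the edge.

```rust
// Added example (not from the ANSSI guide). Counter, the return codes and
// the function names are illustrative assumptions. To export the symbols
// under these names to C, add #[no_mangle] (spelled #[unsafe(no_mangle)]
// on edition 2024) to each extern "C" function.
use std::os::raw::{c_int, c_uchar};
use std::panic::{catch_unwind, AssertUnwindSafe};

/// Internal state. C never sees the layout, only `*mut Counter`, which is
/// declared on the C side as a pointer to an incomplete struct (FFI-C-OPAQUE).
pub struct Counter {
    total: u64,
}

pub const RC_OK: c_int = 0;
pub const RC_NULL_POINTER: c_int = -1;
pub const RC_OVERFLOW: c_int = -2;
pub const RC_PANIC: c_int = -3;

/// Safe core logic: no raw pointers, testable on its own (FFI-SAFEWRAPPING).
fn accumulate(counter: &mut Counter, bytes: &[u8]) -> Result<(), ()> {
    let mut total = counter.total;
    for &b in bytes {
        total = total.checked_add(u64::from(b)).ok_or(())?;
    }
    counter.total = total;
    Ok(())
}

/// Allocates a counter and transfers ownership to the C caller (FFI-MEM-OWNER).
pub extern "C" fn counter_new() -> *mut Counter {
    Box::into_raw(Box::new(Counter { total: 0 }))
}

/// Adds the byte values of `data[0..len]` to the counter's total.
pub extern "C" fn counter_add(handle: *mut Counter, data: *const c_uchar, len: usize) -> c_int {
    // Check every foreign pointer before touching it (FFI-CKPTR).
    if handle.is_null() || (data.is_null() && len != 0) {
        return RC_NULL_POINTER;
    }
    // SAFETY: the documented contract is that `handle` came from counter_new,
    // is still alive and is not used concurrently, and that `data` points to
    // `len` readable bytes. Nullness is verified above; the rest is the
    // caller's obligation, as with any C API.
    let (counter, bytes) = unsafe {
        let counter = &mut *handle;
        let bytes: &[u8] = if len == 0 {
            &[]
        } else {
            std::slice::from_raw_parts(data, len)
        };
        (counter, bytes)
    };
    // A panic escaping an extern "C" function is never acceptable (FFI-NOPANIC):
    // catch it and report a code instead.
    match catch_unwind(AssertUnwindSafe(|| accumulate(counter, bytes))) {
        Ok(Ok(())) => RC_OK,
        Ok(Err(())) => RC_OVERFLOW,
        Err(_) => RC_PANIC,
    }
}

/// Writes the current total to `*out`.
pub extern "C" fn counter_total(handle: *const Counter, out: *mut u64) -> c_int {
    if handle.is_null() || out.is_null() {
        return RC_NULL_POINTER;
    }
    // SAFETY: same contract as counter_add; `out` is a non-null pointer to a
    // writable u64 supplied by the caller.
    unsafe {
        *out = (*handle).total;
    }
    RC_OK
}

/// Takes ownership back and frees the counter; null is a no-op, like free(3).
pub extern "C" fn counter_free(handle: *mut Counter) {
    if handle.is_null() {
        return;
    }
    // SAFETY: `handle` came from counter_new and the caller gives up ownership
    // here; passing the same handle twice is a caller bug, as with libc free.
    drop(unsafe { Box::from_raw(handle) });
}

fn main() {
    let h = counter_new();
    let data = [1u8, 2, 3];
    let rc = counter_add(h, data.as_ptr(), data.len());
    let mut total = 0u64;
    counter_total(h, &mut total);
    println!("rc = {}, total = {}", rc, total);
    counter_free(h);
}
```

On the C side the matching header would declare `typedef struct Counter Counter;` and the three functions with `Counter *` and `const unsigned char *` parameters, so the struct layout stays private to Rust.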
Edited by John Moon