security
| bad_actor_poc | security |
|---|---|
| 12 | 2 |
| 322 | 4 |
| - | - |
| 0.0 | 0.0 |
| almost 3 years ago | about 3 years ago |
| Rust | - |
| MIT License | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
bad_actor_poc mentions

Why is `const fn` different from other “const” things?
I'm not suggesting people in this thread are wrong, but working for a security company gives a slightly different perspective. For example, there's really nothing stopping a rogue crate from exporting your private keys, just by using VS Code. I wasn't thinking about this when I helped write that proposal, though.
- Did somebody play around with macros yet?

todo-or-die!
Having fewer tools that can do things like https://github.com/lucky/bad_actor_poc is a relief.

Workspace Trust in VS Code
Code execution that may not be so obvious could be the preLaunchTask that runs before starting the app and can run a build that has an extra task executing arbitrary code unrelated to the build. What about the npm module that steals your crypto wallet private keys? Make a simple edit and a malicious linter is loaded from the node_modules folder, instead of the one that is installed globally. Even reading the code can be deceptive; attackers can use Unicode hacks to hide malicious code in plain sight. Heck, you don't even have to open any source code to be owned.
- lucky/bad_actor_poc - Stealing secrets with Rust Macros proof-of-concept via VSCode: This shows a trivial example of exfiltrating secrets just by the developer opening up the source
- Visual Studio Code May 2021

Carnet: A Tool for Sandboxing Cargo and Buildscripts
https://github.com/lucky/bad_actor_poc is one example

Fixated on end-user security, FOSS developers neglect their own...
It turns out that because Rust can execute code at compile time, simply opening a Rust source file in an editor with code completion support can cause a virus to be installed on my computer. Apparently I can't trust anything but basic text editors anymore...
- Using Rust Macros to exfiltrate secrets

security mentions

Fixated on end-user security, FOSS developers neglect their own...
I can't trust language package managers either, especially non-mainstream ones... The Nim package manager used to not validate secure connections by default until very recently. Lazarus doesn't even use a secure protocol (uses http://, not https://). Chicken Scheme doesn't either. It's time for a new mantra, "don't roll your own software downloaders", to complement "don't roll your own crypto"...

Could this plan to save free CIs from crypto miners work? It would also improve open-source security in general.
Because despite all the talk about "SuPpLy ChAiN aTtAcKs" people still do things like intentionally not verifying HTTPS certificates... I swear, we should just start saying "don't roll your own software downloader" as often as we say "don't roll your own crypto", and leave writing software downloaders to security professionals...
What are some alternatives?
language - Design of the Dart language
lazarus - Lazarus - an IDE and GUI toolkit for use with Free Pascal. This is an unofficial mirror of the Lazarus Subversion repository and is for convenience use only. It is synced every 15 minutes. For submitting patches or bug reports, go to http://bugs.freepascal.org
carnet - A Tool for Sandboxing Cargo and Buildscripts
Elm - Compiler for Elm, a functional language for reliable webapps.
Visual Studio Code - Visual Studio Code
macro_prototype - A very basic prototype of macros using build_runner
code-it-later-rs - Filter crumbs you left in comments of code to remind where you were
const-eval - home for proposals in and around compile-time function evaluation
todo_or_die - Write TODOs in code that ensure you actually do them
rfcs - RFCs for changes to Rust
sdk - The Dart SDK, including the VM, dart2js, core libraries, and more.