jameysharp opened PR #8488 from jameysharp:no-vet-fuzzers
to bytecodealliance:main
:
We can't meaningfully audit the other WebAssembly implementations that we use for differential fuzzing, such as wasmi and especially v8. Let's acknowledge that the effort to do so is not practical for us, and focus our vetting efforts on crates that developers and users are more likely to build.
This reduces our estimated audit backlog by over three million lines, according to
cargo vet suggest
.Note that our crates which depend on those engines, such as wasmtime-fuzzing, are not published to crates.io, so if we fall victim to a supply chain attack against dependencies of these crates, the folks who might be impacted are limited.
Although there is value in also auditing code that might be run by people who clone our git repository, in this case I propose that anyone who is concerned about the risks of supply chain attacks against their development systems should be running fuzzers inside a sandbox. After all, it's a fuzzer: it's specifically designed to try to do anything.
I'd like to especially seek comment from folks who've expressed interest in our use of cargo-vet, like @alexcrichton, @bholley, @cfallin, and @tschneidereit. I'm open to being persuaded that we shouldn't make this change, but I can't currently see that we get any value from auditing these particular dependencies.
jameysharp requested alexcrichton for a review on PR #8488.
jameysharp requested wasmtime-default-reviewers for a review on PR #8488.
jameysharp updated PR #8488.
alexcrichton submitted PR review:
I think this is a reasonable change to make yeah, we already don't vet these dependencies much and reducing our backlog seems reasonable to me
fitzgen commented on PR #8488:
Makes sense to me too.
tschneidereit commented on PR #8488:
Same for me, yeah. It'd be good to have this mentioned somewhere in documentation people running fuzzing would be likely to see
jameysharp commented on PR #8488:
It'd be good to have this mentioned somewhere in documentation people running fuzzing would be likely to see
Good point. I'll add some text to
fuzz/README.md
anddocs/contributing-fuzzing.md
to this PR before merging it. I'm not sure we have anywhere else that anyone is likely to notice.Also, do we have text somewhere that I should update describing our cargo-vet policy?
jameysharp requested elliottt for a review on PR #8488.
jameysharp requested wasmtime-fuzz-reviewers for a review on PR #8488.
jameysharp updated PR #8488.
jameysharp commented on PR #8488:
I've pushed some new text for
fuzz/README.md
. @tschneidereit, does this text work for you?I considered adding text to
docs/contributing-fuzzing.md
but it's really about developing fuzz targets. For people who just want to run them it points tofuzz/README.md
, so I think the notice above suffices.I also considered adding text to
docs/contributing-coding-guidelines.md
, where we talk aboutcargo vet
, but couldn't decide if there's anything that would be useful to say there.Finally, I considered trying to make suggestions about sandboxes people could try, and got as far as verifying that
cargo fuzz run
works underunshare --map-current-user --net --ipc --mount
on Linux (but not with--pid
for some reason). But then I remembered that I don't want to be in the business of recommending security tools.
github-actions[bot] commented on PR #8488:
Subscribe to Label Action
cc @fitzgen
<details>
This issue or pull request has been labeled: "fuzzing"Thus the following users have been cc'd because of the following labels:
- fitzgen: fuzzing
To subscribe or unsubscribe from this label, edit the <code>.github/subscribe-to-label.json</code> configuration file.
Learn more.
</details>
alexcrichton commented on PR #8488:
I think this is pretty reasonable so I'm gonna go ahead and flag for merge given the consensus here. @tschneidereit if you've got further thoughts though on the docs though we can always have follow-ups too
alexcrichton merged PR #8488.
tschneidereit commented on PR #8488:
Thank you for doing this, @jameysharp! I agree that these doc changes are good, and also with your reasoning for not making other doc changes :)
Last updated: Dec 23 2024 at 12:05 UTC