# Rust Exploit Mitigations PG Roadmap for 2024

The Rust Exploit Mitigations Project Group investigates past, present, and future exploit mitigations, including hardware-assisted or hardware-provided exploit mitigations, and how they apply to Rust and the Rust compiler. This Project Group aims to maintain and improve existing exploit mitigations, implement and research new ones for the Rust compiler, and help the Rust community better understand those exploit mitigations and how they apply to Rust and the Rust compiler.

# Goals

Our goals in the short term are to eliminate or mitigate all critical instances of cross-language attacks in mixed-language binaries (also known as “mixed binaries”), add support for missing exploit mitigations, and organize and stabilize support for sanitizers in the Rust compiler (initially for tier 1 targets and best effort for other tiers).

Our goals in the long term are to maintain and improve existing exploit mitigations, and to implement and research new ones for the Rust compiler.

For this roadmap, we’ll focus on our short term goals in order of priority.

## Eliminate or mitigate all critical instances of cross-language attacks in mixed-language binaries

As the industry continues to explore Rust adoption, [cross-language attacks](https://www.ndss-symposium.org/wp-content/uploads/2022-78-paper.pdf) in [mixed-language binaries](https://dl.acm.org/doi/pdf/10.1145/3418898) (also known as “mixed binaries”), and critically [the absence of support for forward-edge control flow protection in the Rust compiler](https://rcvalle.com/docs/rust-cfi-design-doc.pdf), are a major security concern when gradually migrating from C and C++ to Rust, and when C or C++ and Rust-compiled code share the same virtual address space. Thus, all critical instances of cross-language attacks in mixed-language binaries must be eliminated or mitigated as a requirement for large-scale Rust adoption.

This goal aims to:

* Add support for (cross-language) forward-edge control flow protection to the Rust compiler.
  * Add (cross-language) LLVM CFI support to the Rust compiler.
    * Finish adding CFI support to the Rust Standard Library (i.e., Cargo build-std feature).
    * Finish fixing known issues.
  * Add (cross-language) LLVM KCFI support to the Rust compiler, as Rust was officially adopted by the Linux kernel as its second supported programming language.
    * Finish fixing known issues.

## Add support for missing exploit mitigations

Exploit mitigations make it more difficult to exploit vulnerabilities resulting from memory corruption and concurrency issues. The absence of support for some exploit mitigations in the Rust compiler may not only increase the risks when using Unsafe Rust, but also result in other instances of cross-language attacks in mixed-language binaries, and is also a security concern when adopting Rust. Thus, support for all missing exploit mitigations must be added to the Rust compiler for secure Rust adoption.

This goal aims to:

* Review previously-added support for exploit mitigations to the Rust compiler.
* Improve the exploit mitigations documentation to include other operating systems and architectures (i.e., tier 1 targets).
* Add support for forward-edge control flow protection to the Rust compiler (see previous goal).
* Review the current state and add support for backward-edge control flow protection (e.g., shadow and safe stack) for missing tier 1 targets to the Rust compiler.

## Organize and stabilize support for sanitizers

Sanitizers help with increasing the robustness and security of software and have been increasingly adopted as part of the software development life cycle. Even though the Rust programming language provides memory and thread safety guarantees, Unsafe Rust and foreign code in mixed-language binaries do not provide the same memory and thread safety guarantees. Thus, support for sanitizers must be added to the Rust compiler for secure Rust adoption.

This goal aims to:

* Review previously-added support for sanitizers to the Rust compiler.
* Move and organize as much as possible of sanitizers source code into a compiler crate (i.e., `rustc_sanitizers`).
* Stabilize support for sanitizers in the Rust compiler. (This also includes stabilizing some exploit mitigations such as LLVM CFI/KCFI and LLVM SafeStack.)
* Prioritize stabilizing sanitizers that provide incremental value without requiring rebuilding the Rust Standard Library (i.e., Cargo build-std feature).