Manage security vulnerabilities in embedded IoT devices with Rust

The Rust programming language’s rich type system and ownership model guarantee memory-safety and thread-safety — and eliminate many classes of bugs and security vulnerabilities at compile-time.

Rust is blazingly fast and memory-efficient: with no run-time or garbage collector, it can power performance-critical services, run on embedded devices, and easily integrate with other languages. Thus it is extremely well suited to anything from bare-metal embedded devices to back-end network services.

Rust will most certainly gain traction in the IoT, networking and embedded space, and hopefully replace C and C++, whose manual memory management is a notorious source of bugs.

However, no one is 100% safe from vulnerabilities, not even in Rust: no language can protect against a correct implementation of flawed requirements.

So the Rust Secure Code Working Group has started to focus on how to leverage Rust’s built-in features to raise protection even further in security-critical code. The RustSec Advisory Database contains Rust-specific security advisories.

Fixing a bug is simple when you know about it, but then comes the hard part, as Sergey Davidoff wrote in “Security as Rust 2019 goal”:

If you run Rust code in production, how do you get notified that you need to apply a security update? How do you set up a pipeline to apply these updates automatically?

Luckily, the WG isn’t alone in contemplating this issue.

During 2016–2018, Martin Hell, PhD, at Lund University ran a government-funded research project on Secure Connected Devices (“SECONDS”). The purpose was to create methods to evaluate, track and deploy patches for open-source software used in IoT end-nodes.

I was participating in this project as a consultant specialized in embedded systems. Other participants were security-camera manufacturer Axis Communications AB, high-assurance VPN hardware manufacturer Advenica AB, Ericsson AB and a few others.

The project produced some good results on how to manage dependencies between applications and libraries.

The project’s goal has been to implement, test and evaluate solutions for handling vulnerabilities in third-party software. Specifically, it aimed to develop solutions that shorten the time from the detection of a vulnerability until a decision on action can be taken. Improved processes have been proposed by developing a maturity model specifically linked to vulnerability management. A service in the form of a proof-of-concept implementation for handling and tracking vulnerabilities has also been implemented and evaluated.

The project’s results include the maturity model and the implemented service, but also a number of sub-solutions developed during the project. Parts of the results, the implemented service and a few of the sub-results related to machine learning and automation, have also been commercialized.

More specifically, this directly relates to issue #15, “RustSec integration into DevOps workflow”, in the WG issue tracker.
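The advisory database and the pipeline question above both come down to one mechanical decision: does a locked crate version fall inside an advisory’s patched ranges? The following is an added example, not code from this post, from the SECONDS project or from RustSec’s own tooling; it assumes a constructed advisory with a placeholder id (RUSTSEC-0000-0001), a made-up crate named foo-parser, and a simplified "op major.minor.patch" range syntax in place of real TOML advisories and full semver.

```rust
// Added example, not the post's or RustSec's own code: a dependency-free model
// of checking locked crate versions against RustSec-style advisories. Real
// advisories are TOML with semver ranges; here both are constructed in-line.

/// A version triple; the derived ordering compares major, then minor, then patch.
#[derive(Clone, Copy, PartialEq, PartialOrd, Debug)]
struct Ver(u64, u64, u64);

fn parse_ver(s: &str) -> Option<Ver> {
    let mut it = s.trim().split('.').map(|p| p.parse::<u64>().ok());
    let v = Ver(it.next()??, it.next()??, it.next()??);
    if it.next().is_some() { return None; } // reject "1.2.3.4" rather than truncate
    Some(v)
}

/// One bound of a `patched` range, written like ">= 1.0.5" or "< 0.9.0".
fn bound_holds(bound: &str, v: Ver) -> Option<bool> {
    let (op, ver) = bound.trim().split_once(' ')?;
    let b = parse_ver(ver)?;
    Some(match op {
        ">=" => v >= b, ">" => v > b, "<=" => v <= b, "<" => v < b, "=" => v == b,
        _ => return None, // unknown operator counts as a failed bound
    })
}

/// A range like ">= 0.9.12, < 1.0.0" holds only when every bound holds.
fn range_holds(range: &str, v: Ver) -> bool {
    range.split(',').all(|b| bound_holds(b, v) == Some(true))
}

/// Constructed advisory in the shape of a RustSec entry (the id is a placeholder).
struct Advisory { id: &'static str, package: &'static str, patched: &'static [&'static str] }

const ADVISORIES: &[Advisory] = &[Advisory {
    id: "RUSTSEC-0000-0001", package: "foo-parser",
    patched: &[">= 1.0.5", ">= 0.9.12, < 1.0.0"],
}];

/// Ids of advisories that apply to a locked (name, version) pair: the crate is
/// affected unless some patched range contains its version. An unparseable
/// version is reported as affected, so the check fails closed.
fn affected(advs: &[Advisory], name: &str, version: &str) -> Vec<&'static str> {
    let v = parse_ver(version);
    advs.iter()
        .filter(|a| a.package == name)
        .filter(|a| v.map_or(true, |v| !a.patched.iter().any(|r| range_holds(r, v))))
        .map(|a| a.id)
        .collect()
}
```

A CI step would run this decision over every Cargo.lock entry against the whole database and fail the build on a non-empty result.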

The project’s results are described in detail in the paper “Identifying, Prioritizing and Evaluating Vulnerabilities in Third Party Code” by Cobleigh, Hell, Karlsson, Reimer, Sönnerup, Wisenhoff, as well as “Industrial Practices in Security Vulnerability Management for IoT Systems”, by Höst, Sönnerup, Hell, Olsson. Sönnerup and Hell also made a large-scale analysis of more than 37,000 open-source components, mostly written in languages other than Rust, in which 96,321 vulnerabilities were found — more than 2.5 security holes per component!

Other tools that aid in analyzing and evaluating crates, apart from those developed in the SECONDS project, are crev, a Cargo Code REView tool, and the crates-audit tool.