Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Attribute-macro-based auditing annotations #47

Open
sam0x17 opened this issue Nov 8, 2022 · 2 comments
Open

Attribute-macro-based auditing annotations #47

sam0x17 opened this issue Nov 8, 2022 · 2 comments

Comments

@sam0x17
Copy link

sam0x17 commented Nov 8, 2022

The Polkadot/Substrate ecosystem is looking for a solution that will allow us to annotate pallets (rust modules) and possibly other portions of our codebase with an attribute macro with syntax similar to #[audited(E0C5E21EB7AD91AA)] where the contents of audited() are a hash code of the syn-parsed AST nodes that make up the pallet (minus some superfluous nodes, such as doc/comment nodes).

Right now the substrate ecosystem maintains an auditing team that audits new pallets and incremental changes to existing pallets, however these auditing results are not stored anywhere in the repo and are simply managed at the PR level.

The idea here would be to make this audited() attribute macro fail if the hash code changes, which ideally would only happen if a portion of the rust module that the attribute is applied to has been modified, which would trigger a re-audit.

Then we would provide syntax for runtime developers to assert at compile-time that all pallets used in their runtime have been audited, which would be a huge win security-wise for our ecosystem, since accidentally using unaudited pallets is a recurring issue for runtime developers.

So it would look something like this within our system:

#[pallet]
#[audited(E0C5E21EB7AD91AA)]
pub mod pallet {
  ...
}

Because we control how the attribute macro generates its hash code, we could do things like ignore certain node types that we deem harmless (comments, docs, etc), so this would give us even finer grained control if desirable.

Anyway, I wanted to reach out here and see how viable the rust secure code working group thinks this idea might be.

Right now pallets are heavily restricted (via macro generation) to be entirely defined in a single module that follows a particular format and sits in a single file.

Conveniently, all the proc_macro2 / syn node types have hash implementations and our preliminary tests indicate that these hash codes are stable. The same module placed in different projects/files seems to result in the same hash code, minor changes result in a new hash code, etc.

The original forum thread discussing this can be found here and has a bit more context, if desirable: https://forum.polkadot.network/t/rfc-trustless-in-code-auditing-annotations/988

What do you think of this sort of approach? Has anyone tried anything like this before? In other words, what is the viability of using hash codes of ASTs in this way?

@sam0x17
Copy link
Author

sam0x17 commented Nov 8, 2022

I'd also be happy/interested to develop this idea as a crate within rust-secure-code that we could then use use in substrate

@burdges
Copy link

burdges commented Nov 8, 2022

In part, we're asking: What does the community want in the way of audit notes?

We know there is wider interest in audit notes for say unsafe blocks, but that's a somewhat clearer problem, thanks to the rustbelt project.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants