Rust Security

Purpose

Guide agents through Rust security practices: dependency auditing with cargo-audit, policy enforcement with cargo-deny, RUSTSEC advisory database, memory-safe patterns for FFI, and combining fuzzing with Miri for security review.

Triggers

• "How do I check my Rust dependencies for CVEs?"
• "How do I use cargo-audit?"
• "How do I enforce dependency policies in CI?"
• "What's the RUSTSEC advisory database?"
• "How do I write memory-safe FFI in Rust?"
• "How do I fuzz-test my Rust library for security bugs?"

Workflow

1. cargo-audit — vulnerability scanning

# Install
cargo install cargo-audit --locked

# Scan current project
cargo audit

# Full output including ignored
cargo audit --deny warnings

# Audit the lockfile (CI-friendly)
cargo audit --file Cargo.lock

# JSON output for CI integration
cargo audit --json | jq '.vulnerabilities.list[].advisory.id'

Output format:

error[RUSTSEC-2023-0052]: Vulnerability in `vm-superio`
    Severity: low
       Title: MMIO Register Misuse
    Solution: upgrade to `>= 0.7.0`

2. cargo-deny — policy enforcement

cargo-deny goes beyond audit: it enforces license policies, bans specific crates, checks source origins, and validates duplicate dependency versions.

cargo install cargo-deny --locked

# Initialize deny.toml
cargo deny init

# Run all checks
cargo deny check

# Run specific check
cargo deny check advisories
cargo deny check licenses
cargo deny check bans
cargo deny check sources

deny.toml configuration:

[advisories]
vulnerability = "deny"      # Deny known vulnerabilities
unmaintained = "warn"       # Warn on unmaintained crates
yanked = "deny"             # Deny yanked versions

# Ignore specific advisories
ignore = [
    "RUSTSEC-2021-0145",    # known false positive for our usage
]

[licenses]
unlicensed = "deny"
allow = [
    "MIT", "Apache-2.0", "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause", "BSD-3-Clause", "ISC", "Unicode-DFS-2016",
]
# Deny GPL for proprietary projects
deny = ["GPL-2.0", "GPL-3.0"]

[bans]
multiple-versions = "warn"  # Warn if same crate appears twice
wildcards = "deny"          # Deny wildcard dependencies

[[bans.deny]]
name = "openssl"            # Force rustls instead
wrappers = ["reqwest"]      # Allow if only required by these

[sources]
unknown-registry = "deny"
unknown-git = "deny"
allow-git = [
    "https://github.com/my-org/private-crate",
]

GitHub Actions CI integration:

- name: Security audit
  run: |
    cargo install cargo-deny --locked
    cargo deny check

3. RUSTSEC advisory database

The RUSTSEC database at https://rustsec.org/ tracks vulnerabilities, unmaintained crates, and unsound code.

# Browse advisories from CLI
cargo audit --db ~/.cargo/advisory-db fetch
ls ~/.cargo/advisory-db/crates/

# Check a specific advisory
curl https://rustsec.org/advisories/RUSTSEC-2023-0001.json | jq .

# Common categories
# type: vulnerability — exploitable security bug
# type: unmaintained — no longer maintained (supply chain risk)
# type: unsound — documented unsoundness in safe API
# type: yanked — crate version yanked from crates.io

4. Memory-safe FFI patterns

Common sources of unsafety at the Rust/C boundary:

// UNSAFE pattern — raw pointer from C, no lifetime
extern "C" fn process_data(data: *const u8, len: usize) {
    // Don't do this — no bounds check, no lifetime guarantee
    let slice = unsafe { std::slice::from_raw_parts(data, len) };
}

// SAFE pattern — validate before using
extern "C" fn process_data(data: *const u8, len: usize) -> i32 {
    // Validate pointer and length
    if data.is_null() || len == 0 || len > 1024 * 1024 {
        return -1;
    }
    // Safety: non-null, len validated, called from C with valid buffer
    let slice = unsafe { std::slice::from_raw_parts(data, len) };
    do_work(slice);
    0
}

// Use safe wrapper crates for common patterns
use nix::unistd::read;   // safe POSIX wrappers
use windows::Win32::System::Memory::VirtualAlloc;  // safe Windows bindings

5. Fuzzing for security bugs

# cargo-fuzz — libFuzzer-based
cargo install cargo-fuzz

# Initialize
cargo fuzz init
cargo fuzz add my_target

# fuzz/fuzz_targets/my_target.rs
# #![no_main]
# use libfuzzer_sys::fuzz_target;
# fuzz_target!(|data: &[u8]| {
#     if let Ok(s) = std::str::from_utf8(data) {
#         let _ = my_lib::parse(s);
#     }
# });

# Run fuzzing (long-running)
cargo fuzz run my_target

# With sanitizers for security coverage
cargo fuzz run my_target -- -sanitizer=address

# Reproduce a crash
cargo fuzz run my_target artifacts/my_target/crash-xxxx

# Honggfuzz — good for security targets
cargo install honggfuzz
cargo hfuzz run my_target

6. Miri for soundness

# Install Miri
rustup +nightly component add miri

# Run tests under Miri
cargo +nightly miri test

# Check for UB in unsafe code
MIRIFLAGS="-Zmiri-disable-isolation -Zmiri-backtrace=full" \
  cargo +nightly miri test

# Miri detects:
# - Use-after-free
# - Dangling references
# - Invalid pointer arithmetic
# - Data races (with -Zmiri-tree-borrows)
# - Uninitialized memory reads

7. Supply chain hardening

# Pin Cargo.lock in applications (not libraries)
# Always commit Cargo.lock for binaries

# Verify checksums (cargo already does this)
cargo fetch --locked    # fails if Cargo.lock doesn't match

# Audit all dependencies including transitive
cargo tree              # view full dependency tree
cargo tree -d           # show duplicate versions

# Use cargo-vet for peer review of new deps
cargo install cargo-vet
cargo vet              # check all deps have been vetted

# Minimal dependency principle
cargo machete          # finds unused dependencies

Related skills

• Use skills/rust/rust-sanitizers-miri for Miri and sanitizer details
• Use skills/runtimes/fuzzing for fuzzing strategy and corpus management
• Use skills/rust/rust-unsafe for unsafe code audit patterns
• Use skills/rust/cargo-workflows for Cargo.lock and workspace management