The world seems so loopy. But at least someone's written a memory-safe sudo in Rust
Turns out we can have nice things?
The sudo command-line tool has been reimplemented in the Rust programming language in the hope of ridding it of exploitable memory-safety bugs.
Prossimo, a project overseen by the non-profit Internet Security Research Group (ISRG), announced the first stable release of sudo-rs this week. That open source codebase includes the related su command-line program, again in Rust.
The sudo utility lets authorized users of Unix-like systems (eg, Linux and FreeBSD) run a command as another user, typically root. It presents a risk in that low-privileged rogue users or software could find a way to abuse it, such as by exploiting a bug in its code, to elevate their access to root, or superuser, level. Ideally sudo and su should be as secure and vulnerability-free as possible, as they act as gateways to taking full control of a system.
Memory-safety bugs include issues like out-of-bounds reads and writes, and use-after-free. Some exploitable vulnerabilities of this kind have been found in sudo, the best known being the 2021 heap overflow in its command-line handling nicknamed Baron Samedit (CVE-2021-3156), which gave any local user root.
According to Josh Aas, executive director of ISRG's Prossimo project, roughly one in three of the security bugs in the original sudo stem from memory management issues.
"The first stable release of sudo-rs, our rewrite of the critical sudo tool in Rust, is an important milestone," said Aas in an email to The Register.
"People can start using it to achieve greater security through memory safety, reduced attack surface, and extensive testing. We're seeing interest from Linux distros and hopefully that will make the security improvements available to many more people."
Aas said the next step is a third-party security audit. "We're seeking additional funding for work on enterprise features and hardening," he said.
Rewriting sudo in Rust should eliminate memory-safety bugs in the safe portions of the code; what remains for reviewers is any `unsafe` block and the libc calls a setuid tool still has to make. Memory-safety flaws have become a matter of widespread concern in the past few years among technology companies and US government agencies, at least. They can be exploited to hijack apps or systems, and steal data, among other things. They can also be used to infiltrate software supply chains.
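As an added illustration of the bug class described above (this is a constructed example, not code from sudo or sudo-rs): the shape of the loop that bit sudo in 2021 was a backslash-unescaping copy where a trailing backslash made the C code step over the terminating NUL and keep reading, and writing, past the end of its buffers. The first function below is how the same logic reads in safe Rust, where the iterator simply ends at the slice boundary. The second is a deliberately C-style port using index arithmetic; it carries the same logic error, but Rust's bounds check turns the silent out-of-bounds access into a panic. That is the practical caveat: memory safety converts a privilege-escalation primitive into a crash, it does not fix the logic. Inputs are constructed, not captured argv.

```rust
/// Unescape "\x" to "x" over a byte slice, iterator style.
/// There is no way to read past `arg` here: `next()` returns `None`
/// at the boundary, and a trailing backslash is handled explicitly.
fn unescape(arg: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(arg.len());
    let mut bytes = arg.iter().copied();
    while let Some(b) = bytes.next() {
        if b == b'\\' {
            match bytes.next() {
                Some(escaped) => out.push(escaped),
                // Trailing backslash: keep it literally instead of running
                // off the end, which is exactly what the C loop did.
                None => out.push(b'\\'),
            }
        } else {
            out.push(b);
        }
    }
    out
}

/// Index-based port of the C loop shape (constructed, not sudo's code):
/// on a backslash, advance past it and copy the following byte.
/// With a trailing backslash `i` becomes `arg.len()`, and `arg[i]` is
/// bounds-checked, so this panics rather than reading out of bounds.
fn unescape_c_style(arg: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(arg.len());
    let mut i = 0;
    while i < arg.len() {
        if arg[i] == b'\\' {
            i += 1; // skip the backslash; same logic bug as the C version
        }
        out.push(arg[i]); // panics when i == arg.len()
        i += 1;
    }
    out
}

fn main() {
    // Constructed inputs: an escaped space, and a trailing backslash.
    let escaped: &[u8] = b"a\\ b";
    let trailing: &[u8] = b"foo\\";

    println!("safe:    {:?}", String::from_utf8_lossy(&unescape(escaped)));
    println!("safe:    {:?}", String::from_utf8_lossy(&unescape(trailing)));
    println!("c-style: {:?}", String::from_utf8_lossy(&unescape_c_style(escaped)));

    // The C-style port hits the bounds check on the trailing backslash.
    let result = std::panic::catch_unwind(|| unescape_c_style(trailing));
    println!(
        "c-style on trailing backslash: {}",
        if result.is_err() { "panicked (caught)" } else { "ok" }
    );
}
```

The panic is a denial of service against a setuid binary, so it is still a bug to fix; the point is that the failure is loud and bounded, which is what a rewrite of a root gateway buys you even before the logic is corrected.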
Most modern programming languages, in one way or another, allow developers to write memory-safe code, and Rust is well-suited to a setuid tool like sudo because it gets there without a garbage collector or runtime. Memory-unsafe languages include C, C++, and assembly. However, C++ creator Bjarne Stroustrup previously told The Register that ISO-compliant C++, with the help of a static analyzer, can be safe too, a claim about which Aas previously expressed skepticism.
The sudo-rs revision, Aas said in a blog post, omits less commonly used features to reduce the attack surface of the software. It has also led to the development of a test suite that has helped spot bugs in the original C implementation, created around 1980 by Bob Coggeshall and Cliff Spencer from SUNY/Buffalo and presently maintained by Todd Miller.
Chainguard, which makes a container-focused Linux distribution called Wolfi, has incorporated sudo-rs into its images.
"The sudo utility is a perfect example of a security-critical tool that's both pervasive and under-appreciated," said Dan Lorenc, CEO and co-founder at Chainguard, in a statement. "Security improvements to tools like this will have an outsized impact on the entire industry."
Work on the sudo rewrite began in December 2022, a month after the US National Security Agency published guidance urging organizations to adopt memory safe languages. The federal signals intelligence agency notes that Google and Microsoft have each said about 70 percent of the vulnerabilities they deal with arise from memory safety bugs.
"Memory management issues have been exploited for decades and are still entirely too common today," said Neal Ziring, cybersecurity technical director for the NSA, in a statement at the time. "We have to consistently use memory safe languages and other protections when developing software to eliminate these weaknesses from malicious cyber actors."
Last month, the White House issued a Request for Information [PDF] soliciting opinions on open-source software security and memory safe programming languages. Comments must be submitted by 1700 ET on October 9. ®