From d1014faea9e531b7007f1976142f941048f71ec1 Mon Sep 17 00:00:00 2001 From: Jamey Sharp Date: Thu, 2 May 2024 10:58:54 -0700 Subject: [PATCH] cargo-vet: Exclude fuzzing-only dependencies (#8488) We can't meaningfully audit the other WebAssembly implementations that we use for differential fuzzing, such as wasmi and especially v8. Let's acknowledge that the effort to do so is not practical for us, and focus our vetting efforts on crates that developers and users are more likely to build. This reduces our estimated audit backlog by over three million lines, according to `cargo vet suggest`. Note that our crates which depend on those engines, such as wasmtime-fuzzing, are not published to crates.io, so if we fall victim to a supply chain attack against dependencies of these crates, the folks who might be impacted are limited. Although there is value in also auditing code that might be run by people who clone our git repository, in this case I propose that anyone who is concerned about the risks of supply chain attacks against their development systems should be running fuzzers inside a sandbox. After all, it's a fuzzer: it's specifically designed to try to do anything. --- fuzz/README.md | 25 +++++++++++++++++++++++++ supply-chain/config.toml | 11 +++++++---- 2 files changed, 32 insertions(+), 4 deletions(-) diff --git a/fuzz/README.md b/fuzz/README.md index 5efabdcf39..07931db491 100644 --- a/fuzz/README.md +++ b/fuzz/README.md @@ -9,6 +9,31 @@ oracles and pass libFuzzer-provided inputs to them. The test case generators and oracles themselves are independent from the fuzzing engine that is driving the fuzzing process and are defined in `wasmtime/crates/fuzzing`. +## Safety warning + +Fuzzers exist to generate random garbage and then try running it. **You +should not trust these fuzz targets**: they could in theory try to read +or write files on your disk, send your private data to reporters, or do +anything else. If they succeed at doing something malicious, they are +doing a great job at identifying dangerous bugs and we're proud of them. + +In addition, some of these fuzz targets use other libraries, such as to +test that our implementation matches other WebAssembly runtimes. **We +have not reviewed those runtimes or libraries** for safety, security, +correctness, supply-chain attacks, or any other properties. Software +used only during fuzzing is not subject to [our usual `cargo vet` +requirements][vet-docs]. + +[vet-docs]: https://docs.wasmtime.dev/contributing-coding-guidelines.html#dependencies-of-wasmtime + +Paragraphs 7 and 8 of the license which this work is distributed to you +under are especially important here: **We disclaim all warranties and +liability** if running some fuzz target causes you any harm. + +Therefore, **if you are at all concerned about the safety of your +computer**, then you should either not run these fuzz targets, or only +run them in a sandbox with sufficient isolation for your threat model. + ## Example To start fuzzing run the following command, where `$MY_FUZZ_TARGET` is one of diff --git a/supply-chain/config.toml b/supply-chain/config.toml index 95111256c4..0d7a87568d 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -46,6 +46,9 @@ audit-as-crates-io = true [policy.cranelift-frontend] audit-as-crates-io = true +[policy.cranelift-fuzzgen] +criteria = [] + [policy.cranelift-interpreter] audit-as-crates-io = true @@ -74,7 +77,7 @@ audit-as-crates-io = true audit-as-crates-io = true [policy.isle-fuzz] -criteria = "safe-to-run" +criteria = [] [policy.wasi-common] audit-as-crates-io = true @@ -113,7 +116,7 @@ audit-as-crates-io = true audit-as-crates-io = true [policy.wasmtime-environ-fuzz] -criteria = "safe-to-run" +criteria = [] [policy.wasmtime-explorer] audit-as-crates-io = true @@ -122,10 +125,10 @@ audit-as-crates-io = true audit-as-crates-io = true [policy.wasmtime-fuzz] -criteria = "safe-to-run" +criteria = [] [policy.wasmtime-fuzzing] -criteria = "safe-to-run" +criteria = [] [policy.wasmtime-jit-debug] audit-as-crates-io = true