
Institute of Software Technology
University of Stuttgart
Universitätsstraße 38
D–70569 Stuttgart

Master's thesis

Analysing and improving the crypto ecosystem of Rust

Philipp Keck

Course of Study: Softwaretechnik
Examiner: Prof. Dr. Stefan Wagner
Supervisor: Kai Mindermann M.Sc.
Commenced: 2016-10-13
Completed: 2017-04-14
CR-Classification: D.2.2, D.2.11, D.2.13, E.3

Abstract

Context: Rust is an emerging systems programming language that suits security-critical applications because it guarantees memory safety without a garbage collector. Its growing ecosystem already encompasses several crypto libraries, though the competition is still open. Previous cryptography research found that vulnerabilities are often due to misunderstandings and misuse of cryptographic APIs rather than bugs in the libraries themselves.

Aim: This thesis presents a holistic analysis of Rust’s current crypto ecosystem and aims to improve its further development. A particular focus is on API design because all libraries are still open to change their APIs and it will become increasingly difficult to change them later.

Method: All parts of the ecosystem are systematically analysed, guided by the general structure of a crypto ecosystem. Research methods include a systematic search for libraries, a survey among contributors, GitHub analyses as well as a self-experiment and a controlled experiment to test the usability.

Results: The contributors are typical open source developers and they collaborate in typical ways on GitHub. Most libraries have a clear main developer and there is a general lack of contributors. While two of the major libraries focus on usability and are consequently easier to use and more resistant to misuse, the two most widespread libraries consciously neglect these topics and exhibit flaws known from crypto libraries in other languages.

Conclusion: The misuse resistant Rust crypto libraries should be advertised more actively. In the medium term, an officially endorsed API could improve interoperability and foster competition. For such an API and for the improvement of existing APIs, the thesis discusses a number of design decisions and their usability implications.

Summary

Context: Rust is a young systems programming language that is suited to security-critical applications because it guarantees memory safety without a garbage collector. The growing ecosystem already includes several crypto libraries, although the competition is still open. Previous research has shown that vulnerabilities are often caused by misunderstandings and misuse of the cryptographic APIs rather than by bugs in the libraries themselves.

Aim: This thesis contains a holistic analysis of Rust's crypto ecosystem with the aim of improving its future development. A particular focus is on API design, because all libraries are still open to API changes and such changes will become more difficult later.

Method: All components of the ecosystem are systematically analysed along the general structure of a crypto ecosystem. The research methods used include a systematic search for libraries, a developer survey, GitHub analyses as well as a self-experiment and a controlled experiment to test usability.

Results: The developers are typical open-source developers and they collaborate in typical ways on GitHub. Most libraries have a clear main developer and there is a general lack of additional developers. While two of the larger libraries focus on usability and are accordingly easier to use and more misuse-resistant, the two most widespread libraries consciously neglect these topics and exhibit weaknesses known from crypto libraries in other languages.

Conclusion: The misuse-resistant crypto libraries in Rust should be advertised more actively. In the medium term, an officially supported API could foster interoperability and competition. For such an API and for the improvement of the existing APIs, the thesis discusses various design decisions and their effects on usability.

Acknowledgements

I would like to thank my supervisor Kai Mindermann for coming up with this exciting topic and for his guidance, advice and collaboration. Without his support, this thesis would not have been possible. I would also like to thank all survey participants for their time and input as well as the active community members on the #rust-crypto IRC channel and @briansmith for their help, tips and for interesting discussions.

Publication

Parts of this thesis have been submitted as a paper at the Thirteenth Symposium on Usable Privacy and Security (SOUPS ’17), in collaboration with Kai Mindermann M.Sc. and Prof. Dr. Stefan Wagner. A separate paper has been submitted for the controlled experiment that is only briefly reported on in this thesis.

Note on links

Many of the sources referenced in this thesis are rather volatile. Where necessary, links are annotated with the date on which they were stored in the Internet Archive (https://web.archive.org/), where the respective version can be retrieved.

License

This thesis and all supplementary material (see appendix A) are licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/ or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.

Suggested citation: “Philipp Keck, master’s thesis ‘Analysing and improving the crypto ecosystem of Rust’, 2017”

Contents

List of Figures
List of Tables
1 Introduction
2 Foundations
  2.1 The Rust programming language
  2.2 Cryptographic foundations
3 Related work
  3.1 Open-source projects
  3.2 API design and usability
  3.3 Crypto usability
4 Ecosystems
  4.1 Deriving a definition
  4.2 Definition
  4.3 C and C++
  4.4 Java
  4.5 .NET
  4.6 Python
  4.7 Conclusion
5 The Rust crypto ecosystem
  5.1 Research questions
  5.2 Library search and categorization
  5.3 Libraries providing primitives
  5.4 Contributors survey
  5.5 GitHub analysis
  5.6 Crypto in the standard library
  5.7 Areas for improvement
  5.8 Conclusion
6 Usage analysis
  6.1 Approach
  6.2 High-level results
  6.3 Hashing
  6.4 HMAC
  6.5 Symmetric encryption
  6.6 Threats to validity
  6.7 Conclusion
7 Usability analysis
  7.1 Self-experiment
  7.2 Controlled experiment
  7.3 Conclusion
8 Improving usability and misuse resistance
  8.1 Documentation
  8.2 Scope of included algorithms
  8.3 Level of abstraction
  8.4 Organization of included algorithms
  8.5 Split into multiple crates
  8.6 Defaults and future security
  8.7 Strong types
  8.8 Keys, nonces and seeds
  8.9 Constant-time comparisons
  8.10 &mut parameters
  8.11 Conclusion
9 Conclusion
  9.1 Future of crypto in Rust
  9.2 Future work
  9.3 Summary
A Supplementary material
B Rust contributors survey questionnaire
Acronyms
References

List of Figures

2.1 Data flows for symmetric encryption
2.2 Data flows for authenticated symmetric encryption
4.1 Populations and interactions in a programming ecosystem
5.1 Rust crypto libraries and their dependencies
5.2 Timeline of the major Rust primitive libraries’ start dates and ancestors
5.3 Self-ratings for cryptography and Rust skills
5.4 Years of experience with programming and cryptography
5.5 Time commitment in hours per week
5.6 GitHub issue and pull request (PR) topics
5.7 Importance of API design to the contributors
6.1 Number of considered search results per library
6.2 Filtering the crates found in the previous step
6.3 High-level usages per category and library
6.4 Hash function usage
6.5 HMAC usage
6.6 Symmetric encryption usage
6.7 Hash function usage: output