A group of memory-safety advocates is rewriting “sudo” and “su” in the modern Rust language.
This week the Prossimo group reported that it has launched a new initiative to “reimplement the ubiquitous sudo and su utilities in Rust”.
Josh Aas reported the project in a blog post for Prossimo, an Internet Security Research Group (ISRG) project that seeks to “move the Internet’s security-sensitive software infrastructure to memory-safe code”.
Sudo was first developed in the 1980s. Over the decades, Aas says, “it has become an essential tool for performing changes while minimizing risk to an operating system. But because it’s written in C, sudo has experienced many vulnerabilities related to memory safety issues”.
According to Aas, Prossimo chooses the software for its “safety reimplementation” projects based on four risk criteria. First, he says, the software must be very widely used (nearly every server and/or client). The software must also sit on a critical boundary and perform a critical function. Finally, the software should be written in languages that are not memory-safe, such as C/C++.
Sudo fits these risk criteria “squarely”, according to Aas. “It’s important that we secure our most critical software, particularly from memory safety vulnerabilities. It’s hard to imagine software that’s much more critical than sudo and su”, he states.
Rewriting the code is just the first step?
The reimplementation work itself is being done by a joint team from Ferrous Systems and Tweede Golf “with generous support from Amazon Web Services”, Aas writes.
The rewriting of the two utilities may be fraught with its own problems, writes Kevin Purdy over at Ars Technica. Explaining that “the majority of sudo vulnerabilities do not appear memory-related (depending on one’s definition)”, Purdy makes the point that the re-coding process itself could actually introduce new bugs into the now “memory-safe” utilities.
Purdy also points out that the Prossimo initiative does not explain the plan for encouraging the mass adoption of the new, memory-safe versions of sudo and su. That effort, he writes, “could require just as much effort as the rewrite itself”.