Building the first memory safe distro

When we set out to build the world’s most secure distro, Wolfi, or as we like to call it “undistro” we knew that we wanted it to be memory safe.

‍

Memory safety vulnerabilities are responsible for the vast majority of critical, remotely exploitable, and in-the-wild attacks we see on software. According to Consumer Reports, 60 to 70% of browser and kernel vulnerabilities—and security bugs found in C/C++ code bases—are due to memory unsafety. These vulnerabilities are a result of code being written in memory unsafe languages like C, C++, and assembly. The class of memory safety vulnerabilities include buffer overflows and use-after-free errors and have accounted for the majority of application security issues disclosed by software companies. Back in 2019, Microsoft revealed that 70% of its CVEs had been caused by developers making memory corruption mistakes in their C and C++ code.

‍

The good news is that this class of vulnerability can be eliminated with the use of memory safe languages such as Rust, Go, C#, Java, Swift, Python, and JavaScript. Several organizations including the Internet Security Research Group (ISRG), Google, Mozilla have kick started a movement to prioritize the use of memory safe languages, including to rewrite critical programs. The most notable being the work underway to introduce Rust to the Linux kernel.

‍

Introducing Rustls to Wolfi

At Chainguard, we built Wolfi to solve the software supply chain security problem from the outside in. Wolfi gives developers the secure by default base they need to build software, it scales to support organizations running massive environments and provides the control needed to fix most modern supply chain threats. Wolfi builds all packages directly from source, allowing us to fix vulnerabilities or apply customizations that improve the supply chain security posture of everything from the compilers to the language package managers.

‍

Wolfi is optimized for cloud native, containerized environments like Kubernetes. It is our hope that developers will adopt Wolfi as the standard distro because it automatically increases the security of their software lifecycle.

‍

Introducing Rustls TLS library into Wolfi was a no-brainer for our team. We not only set out to build the world’s first undistro, but the world’s first memory safe distro. In partnership with the ISRG, we were able to turn that dream into a reality.

‍

"At ISRG, we are particularly excited about the fact that Chainguard is enabling memory safe TLS via Rustls and memory safe HTTP via Hyper in curl to its Wolfi distribution, said Josh Aas, Executive Director, Internet Security Research Group. "Chainguard's Wolfi joins Google’s Android and Fuchsia, as well as Amazon’s Bottlerocket, in taking memory safety seriously."

‍

Wolfi packages Rustls and makes it available as the default backend in libcurl. This means our curl images and everything else (which turns out to be quite a few things!) that depend on curl benefit from these memory safety properties.

‍

While we agree with the sentiment of Mark Russinovich’s statement that we should halt starting any new projects in C/C++, we believe that more investment in the Rust ecosystem is needed in order to achieve this goal. Although we are already using select Rust-based components in Wolfi, we plan to make additional investments in the Rust ecosystem in the near future to provide infrastructure suited for use with embedded and container use cases where binary sizes are important. Until this infrastructure exists, there will be a very long transition period until everything is memory-safe. So in addition to leveraging new technologies like rustls, we also go out of our way to build all of our packages, including those in non-memory-safe languages as safely as we can. Modern compilers have come a long way and contain many protections and features to help mitigate memory errors. We’re proud to leverage all of these, and aren’t aware of any other distribution that goes as far as Wolfi.

‍

In particular, we use:

‍

• Fortify source level 3

• Position independent executables (PIE)

• Stack-smashing protection (SSP)

• Immediate symbol binding at runtime (-Wl,-z,now)

• Read-only relocations (-Wl,-z,relro)

• Control flow enforcement (CET) [x86_64 only]

‍

Through a combination of leveraging new libraries written in memory safe languages as soon as possible while being as safe as we can with libraries in unsafe languages, we believe that Wolfi is setting the standard when it comes to memory safety in distributions.

It’s time to start building software with a memory safe, secure-by-default foundation. To get started with Wolfi, check out our “Hello Wolfi Workshop” on Chainguard Academy. If you have any questions or feedback get in touch here.