curl

Prossimo Initiative

The Story

Curl is a ubiquitous network transfer utility. It's on desktops, laptops, servers, vehicles, and appliances. Securing curl is important because its primary job is to handle data coming in from a network. Unfortunately, all of the networking code in curl is written in C, which is not memory safe.

When we started Prossimo we were particularly interested in learning how things might go if we tried to integrate Rust libraries into a C project whose maintainers are not familiar with writing or reading Rust. If a safer Rust library offers a C interface, then C/C++ consumers shouldn't need to know Rust to use it. The curl project seemed like an interesting opportunity to learn about this.

We got in touch with curl's maintainer, Daniel Stenberg, to talk about how we might help protect curl's core HTTP and TLS networking code from memory safety vulnerabilities. Daniel had a lot of great questions about what we had in mind, and he patiently answered a lot of our questions. We quickly realized we were talking to a thoughtful, cautiously progressive maintainer. He was willing to hear us out and consider significant changes, but he would need a plan that was not overly disruptive to existing users.

What We've Done

Together with Daniel Stenberg, we came up with a plan to add options to build curl with memory-safe HTTP and TLS libraries. For HTTP we chose the Hyper library. For TLS we chose the Rustls library.

We contracted with Daniel to integrate the Hyper HTTP library into curl. ISRG engineer Jacob Hoffman-Andrew integrated the Rustls TLS library into curl. They completed the work and we learned a lot along the way.

Today curl users can choose to build curl with Rustls for TLS, but the Hyper integration has reached end of life and is no longer available.

What's Next

We'll continue to make sure curl users can build with Rustls for memory-safe TLS, but beyond that our work on curl is complete.

More from the Prossimo blog

October 9, 2020

Memory Safe ‘curl’ for a More Secure Internet

Memory safety vulnerabilities represent one of the biggest threats to Internet security. As such, we at ISRG are interested in finding ways to make the most heavily relied-upon software on the Internet memory safe.

Funders

Google
AWS