Security
This page is designed to explain the high-level concepts and security features at the core of Tauri's design and ecosystem that make you, your applications and your users more secure by default.
It also includes advice on best practices, how to report vulnerabilities to us, and references to detailed concept explanations.
:::note
It is important to remember that the security of your Tauri application is the sum of the overall security of Tauri itself, all Rust and npm dependencies, your own code, and the devices that run the final application. The Tauri team does its best to do its part, the security community does its part, and you should also follow some important best practices.
:::
Trust Boundaries
Trust boundary is a term used in computer science and security which describes a boundary where program data or execution changes its level of "trust", or where two principals with different capabilities exchange data or commands.[1]
Tauri's security model differentiates between Rust code written for the application's core and frontend code written in any framework or language understood by the system WebView.
Inspecting and strictly defining all data passed across this boundary is essential to prevent trust boundary violations. If data crosses the boundary without access control, it is easy for an attacker to escalate and abuse privileges.
The IPC layer is the bridge for communication between these two trust groups and ensures that the boundary is not broken.
Any code executed by plugins or by the application core has full access to all available system resources and is not constrained.
Any code executed in the WebView can only reach system resources that are exposed through the well-defined IPC layer. Access to core application commands is configured and restricted by capabilities defined in the application configuration. The individual command implementations enforce the optional fine-grained access levels that are also defined in the capabilities configuration.
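As an added illustration of the two enforcement layers described above (not Tauri's own code or API): a plain-Rust model of a capability that allows a named window to invoke a named command, plus the command-side scope check that a filesystem command would apply to its argument. The `Capability` struct, the `authorize` function, the `Denied` enum and the sample paths are constructed for this example; in a real Tauri application the capability is declared in a JSON file and the command is a `#[tauri::command]` function, neither of which is reproduced here. What the example shows is that the capability gate (which window, which command) and the command's own check (lexical path normalisation against an allowed root) are separate layers, and that a `..` traversal is rejected before any filesystem access happens.

```rust
use std::collections::HashSet;
use std::path::{Component, Path, PathBuf};

/// Hypothetical, simplified model of one capability entry: which windows it
/// applies to, which commands (permissions) those windows may invoke, and an
/// allowed filesystem scope that the command implementation enforces itself.
/// This is an illustration only, not Tauri's capability format.
#[derive(Debug)]
pub struct Capability {
    pub windows: HashSet<&'static str>,
    pub permissions: HashSet<&'static str>,
    pub fs_scope: Vec<PathBuf>,
}

/// Why an IPC request was rejected, and at which layer.
#[derive(Debug, PartialEq)]
pub enum Denied {
    /// The calling window is not covered by the capability.
    Window,
    /// The window may not invoke this command at all.
    Permission,
    /// The command is allowed, but the requested path is outside the scope.
    Scope,
}

/// Lexically normalise a path without touching the filesystem, so that `..`
/// and `.` components cannot be used to escape an allowed root. Symlinks are
/// deliberately not resolved here; a real command would canonicalise after
/// this check as well.
pub fn normalize(p: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for c in p.components() {
        match c {
            Component::ParentDir => {
                // Popping at the root is a no-op, so `/..` stays at `/`.
                out.pop();
            }
            Component::CurDir => {}
            other => out.push(other.as_os_str()),
        }
    }
    out
}

/// Gate that a dispatcher would apply before running a filesystem command:
/// window check, then permission check, then the command's own scope check.
pub fn authorize(
    cap: &Capability,
    window: &str,
    command: &str,
    requested: &Path,
) -> Result<PathBuf, Denied> {
    if !cap.windows.contains(window) {
        return Err(Denied::Window);
    }
    if !cap.permissions.contains(command) {
        return Err(Denied::Permission);
    }
    let path = normalize(requested);
    // `Path::starts_with` compares whole components, so `/data/app` does not
    // match `/data/application` by string prefix.
    if !cap.fs_scope.iter().any(|root| path.starts_with(root)) {
        return Err(Denied::Scope);
    }
    Ok(path)
}

/// Constructed sample capability: the `main` window may read files, but only
/// below `/data/app`.
pub fn example_capability() -> Capability {
    Capability {
        windows: HashSet::from(["main"]),
        permissions: HashSet::from(["read_file"]),
        fs_scope: vec![PathBuf::from("/data/app")],
    }
}

fn main() {
    let cap = example_capability();
    // Constructed sample requests as a dispatcher might receive them over IPC.
    let requests = [
        ("main", "read_file", "/data/app/notes.txt"),
        ("main", "read_file", "/data/app/../../etc/passwd"),
        ("main", "delete_file", "/data/app/notes.txt"),
        ("settings", "read_file", "/data/app/notes.txt"),
    ];
    for (window, command, path) in requests {
        let result = authorize(&cap, window, command, Path::new(path));
        println!("{window} -> {command}({path}): {result:?}");
    }
}
```

The order of the checks matters for what an attacker learns: a window that is not covered by the capability is refused before the command name or the argument is even inspected, and the scope check runs on the normalised path, not on the string the frontend sent.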
Learn more about the individual components and boundary enforcement:
Tauri allows developers to choose their own frontend stack and framework. This means we cannot provide a hardening guide for every possible frontend stack, but Tauri provides generic features to control and contain the attack surface.
(Not) Bundling WebViews
Tauri's approach is to rely on the operating system's WebView rather than bundling a WebView into the application binary.
There are many reasons for this, but from a security perspective the most important one is the average time it takes for a security-patched WebView release to reach the application's end users.
We have observed that WebView package maintainers and operating system package maintainers are, on average, significantly faster at patching and rolling out security-patched WebView releases than application developers who bundle the WebView directly with their application.
There are exceptions to this observation, and in theory both paths can be taken in a similar time frame, but doing so requires a larger infrastructure overhead for each application.
Bundling has its drawbacks from a Tauri application developer's perspective, and we do not think it is inherently insecure, but the current design is a trade-off that significantly reduces exposure to known vulnerabilities in the wild. The flip side is that the security of the rendering layer then depends on the end user's operating system being kept up to date, which is why the devices running the final application count as part of the overall security picture.
Ecosystem
The Tauri organization provides and maintains more than just the Tauri repository, and to ensure we provide a reasonably secure multi-platform application framework, we go some extra miles.
To learn more about how we secure our development process, what you could adapt and implement, what known threats your application can face, and what we plan to improve or harden in the future, check out the following documents:
Coordinated Disclosure
If you feel that there is a security concern or issue with anything in Tauri or other repositories in our organization, please do not publicly comment on your findings. Instead, reach out directly to our security team.
The preferred disclosure method is via GitHub Vulnerability Disclosure on the affected repository. Most of our repositories have this feature enabled, but if in doubt please submit via the Tauri repository.
Alternatively, you can contact us via email at security@tauri.app.
Although we do not currently have a budget for security bounties, in some cases we will consider rewarding coordinated disclosure with our limited resources.