Future Work
This section describes topics we have started on, or would like to tackle in the future, to make Tauri apps even more secure. If you are interested in these topics or have pre-existing knowledge, we are always happy to welcome new contributors and advice via GitHub or other community platforms like Discord.
Binary Analysis
To allow pentesters, auditors and automated security checks to do their job properly, it is very valuable to provide insight even from compiled binaries. Not all companies are open source or provide source code for audits, red teams and other security testing.
Another often overlooked point is that providing inbuilt metadata empowers users of your application to audit their systems for known vulnerabilities at scale, without dedicating a lifetime of effort to it.
If your threat model depends on security by obscurity, this section provides some tools and points which will hopefully make you reconsider.
For Rust there is cargo-auditable to create SBOMs and provide the exact crate versions and dependencies of a binary without breaking reproducible builds.
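As an added illustration (not code from the Tauri docs or the cargo-auditable project) of what this metadata gives an auditor who has only the binary: cargo-auditable stores a zlib-compressed JSON package list in a `.dep-v0` section, which can be dumped with `objcopy --dump-section .dep-v0=dep.bin ./app`. The snippet decodes a constructed sample of that payload and lists only the crates actually linked into the binary; the crate names and versions are made up, and the field layout is my reading of the cargo-auditable format.

```python
import json
import zlib

# Constructed sample of a cargo-auditable `.dep-v0` payload: zlib-compressed
# JSON with a flat package list; `dependencies` holds indices into that list.
# Crate names and versions here are made up for illustration.
SAMPLE_DEP_V0 = zlib.compress(json.dumps({
    "packages": [
        {"name": "my-tauri-app", "version": "0.1.0", "source": "local",
         "dependencies": [1, 3], "root": True},
        {"name": "tauri", "version": "2.0.0", "source": "crates.io",
         "dependencies": [2]},
        {"name": "serde", "version": "1.0.0", "source": "crates.io"},
        {"name": "build-helper", "version": "0.3.0", "source": "crates.io",
         "kind": "build", "dependencies": [4]},
        {"name": "cc", "version": "1.0.0", "source": "crates.io",
         "kind": "build"},
    ]
}).encode())


def decode_dep_v0(section: bytes) -> list[dict]:
    """Inflate the raw `.dep-v0` section bytes and return the package list."""
    return json.loads(zlib.decompress(section))["packages"]


def shipped_crates(packages: list[dict]) -> list[tuple[str, str]]:
    """Return (name, version) for every crate reachable from the root crate
    through runtime edges only. Packages marked kind == "build" run on the
    build host and are not linked into the binary, so they are pruned; auditing
    them as if they shipped would produce false positives."""
    seen: set[int] = set()
    stack = [i for i, p in enumerate(packages) if p.get("root")]
    while stack:
        i = stack.pop()
        if i in seen:
            continue
        seen.add(i)
        for dep in packages[i].get("dependencies", []):
            # "runtime" is the default when `kind` is absent.
            if packages[dep].get("kind", "runtime") != "build":
                stack.append(dep)
    return sorted((packages[i]["name"], packages[i]["version"]) for i in seen)
```

The resulting list is what you would feed into a vulnerability database lookup (for example the RustSec advisory data that `cargo audit` uses).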
For the frontend stack we are not aware of similar solutions, but extracting the frontend assets from the binary should be a straightforward process. Afterwards it should be possible to use tooling like npm audit or similar. There are already blog posts about the process, but no simple tooling is available.
We are planning to provide such tooling, or to make it easier to extract assets when compiling a Tauri app with certain features.
To use pentesting tools like Burpsuite, Zap or Caido it is necessary to intercept traffic from the webview and pass it through the testing proxy. Currently Tauri has no inbuilt method to do so, but there is ongoing work to ease this process.
All of these tools make it possible to properly test and inspect Tauri applications without source code access, and they should be considered when building a Tauri application.
We are planning to further support and implement related features in the future.
WebView Hardening
In Tauri's current threat model and boundaries we are not able to add more security constraints to the WebView itself. Since it is the biggest part of our stack and is written in a memory-unsafe language, we are planning to research and consider ways to further sandbox and isolate the webview processes.
Inbuilt and external sandboxing methods will be evaluated to reduce attack impact and to enforce the IPC bridge as the only path to system access. We believe that this part of our stack is the weak link, but current-generation WebViews are improving in their hardening and exploit resilience.
Fuzzing
To make fuzzing Tauri applications more efficient and simpler, we aim to further implement our mock runtimes and other tooling so that it is easier to configure and build fuzzing for individual Tauri applications.
Tauri supports a multitude of operating systems and CPU architectures, and apps usually contain little or no memory-unsafe code. No pre-existing fuzzing tooling or libraries support this uncommon fuzzing use case, so we need to implement it ourselves and build on existing libraries like libAFL to create Tauri fuzzing frameworks.
The goal is to make fuzzing accessible and efficient for Tauri application developers.