zlib-rs, an alternative to zlib-rs in Rust that aims to address problems caused by memory errors

zlib-rs an alternative to the zlib data compression library

zlib-rs

The zlib library, developed by Jean-Loup Gailly and Mark Adler, is an essential component since it is used in a wide range of applications that are focused on the compression of files in formats such as ZIP, gzip and PNG due to its efficiency and versatility. This library has been present since 1995 and as a result of its widespread use, it has also been the target of multiple memory security vulnerabilities.

The core of zlib is the DEFLATE compression algorithm, which combines the lossless data compression techniques of the LZ77 algorithm with a Huffman tree structure to achieve remarkable compression rates. This combination of techniques makes zlib extremely efficient at compressing and decompressing data, making it especially useful in applications where storage space or bandwidth is limited.

In addition to file compression, zlib It is also used in transferring compressed data on networks to reduce bandwidth load, in file storage and processing applications, as well as in multimedia applications for compression of audio and video data.

Over time, zlib has faced some vulnerabilities that have been addressed in later versions of zlib, such as the aforementioned CVE-2005-1849, CVE-2016-9840, CVE-2016-9841 and CVE-2016-9842 (just to mention some of the known ones from zlib), which could be exploited by attackers to cause a denial of service (DoS) or even execute arbitrary code and that due to memory safety flaws common for compression libraries written in C/C++, zlib remains a major target.

In order to address these problems, without leaving aside the nature and benefits of zlib, the ISRG (the organization behind the Let's Encrypt project and dedicated to improving internet security) recently announced the launch of a new project The purpose of which is to create an analogue of zlib in the Rust programming language.

We hired Tweede Golf in December 2023 for an initial implementation based on zlib-ng, with a focus on maintaining excellent performance while introducing memory safety.

Whats Next

We are currently seeking funding to complete the work necessary to get the initial implementation ready for production.

The new alternative is called «zlib-rs» and this is presented as a zlib solution written in Rust with the primary goal of addressing security issues associated with memory errors and vulnerabilities that are typically present in compression libraries written in C/C++.

The development of zlib-rs arises in response to statistics from Microsoft and Google that indicate that approximately 70% of vulnerabilities are due to insecure memory management. By using Rust as a programming language, it is expected to significantly reduce the risk of these vulnerabilities, such as access to freed memory areas or buffer overflows.

The project zlib-rs contains a Rust implementation of the zlib file format that is compatible with the zlib API and the repository are currently working on two implementations:

  • zlib-rs, a zlib-based Rust implementation with a secure Rust API (currently considered unstable, but expected to stabilize the implementation soon).
  • libz-rs-sys, a C API a C API for zlib-rs . The API is broadly equivalent to zlib-sys and zlib-ng-sys, but does not currently provide the gz* family of functions. From rust's perspective, this API is not very ergonomic, so working with flate2 is recommended for now.

Regarding the work in current development, it is mentioned that offering an analogue in Rust can attract the attention of others and they can join the work, since offering an alternative focused on security and the prevention of common errors, can in a matter of Some years of work and development provide a transparent replacement for zlib.

Finally, it is worth mentioning that the zlib-rs work is currently published on GitHub in the following repository and the code is distributed under the Zlib license. You can check more about it en the following link.


Leave a Comment

Your email address will not be published. Required fields are marked with *

*

*

  1. Responsible for the data: AB Internet Networks 2008 SL
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.