Skip to content

Roadmap: Complete mediation — from lint plugin to Rust RFC #44

Open
Open
Roadmap: Complete mediation — from lint plugin to Rust RFC#44
Labels
enhancementNew feature or request
@bordumb

Description

@bordumb
bordumb
opened on Mar 22, 2026

Context

capsec implements 6 of 8 Saltzer & Schroeder design principles. The two it partially meets — complete mediation (#3) and least common mechanism (#7) — share the same root cause: Rust's standard library grants ambient authority by default. Any function can call std::fs::read() without asking permission. capsec can't remove that ability — only a compiler or language change can.

This issue outlines three progressively ambitious approaches to closing that gap.

Option 1: Lint plugin (buildable now)

Issue: #43

A dylint or rustc_private lint that flags std::fs/std::net/std::env/std::process calls in functions that don't have Has<P> bounds. Teams that enable #[deny(capsec::ambient_authority)] get compile-time enforcement.

This is not complete mediation in Saltzer & Schroeder's sense — the check is opt-in. But it's the practical maximum within Rust's current architecture.

Status: RFC filed as #43 with three sub-options (raw rustc_private, dylint, clippy.toml fallback).

Impact: Gets capsec to ~7/8 principles. Ships without any upstream Rust changes.

Option 2: Rust RFC — authority tokens in std

The ambient-authority crate (Dan Gohman, Bytecode Alliance) already proposed the pattern: ambient-authority functions take an AmbientAuthority token parameter.

// Current std (ambient authority — any code can call this)
let data = std::fs::read("secret.txt")?;

// Proposed (capability-gated — requires explicit authority)
let data = std::fs::read("secret.txt", ambient_authority())?;

If std adopted this convention, complete mediation would be built into the language. The key arguments:

Why this is realistic:

  • The Bytecode Alliance already wants this for WASI/Wasmtime — cap-std proves the API design works at scale
  • Rust RFC #1631 (pure functions / effect system) was closed with consensus: "pursue capability approaches" rather than a pure fn keyword
  • The keyword-generics initiative is discussing effect-like systems — authority tokens fit naturally
  • An edition boundary (Rust 2027?) could introduce the new APIs without breaking existing code — the old APIs would be deprecated, not removed
  • Cargo Scan (ESOP 2026) empirical data shows 3,434/10,000 top crates are already effect-free — most code wouldn't need any authority tokens at all

What capsec brings to the RFC:

  • Cap<P> / Has<P> is a working prototype of what authority-gated std APIs would look like
  • 13 Lean 4 soundness theorems formally verify the permission lattice — machine-checked proof that the design is sound
  • 90+ test adversarial security suite documenting every evasion vector — shows exactly what the current approach can and can't catch
  • Resource/pure crate classification (already implemented) demonstrates that the ecosystem can be partitioned
  • Production-tested across a real workspace with CI integration, pre-commit hooks, and SARIF output

What the RFC would propose:

  1. Add an AmbientAuthority zero-sized token type to std (or core)
  2. Add _with_authority variants of std::fs, std::net, std::env, std::process functions that require the token
  3. In a future edition, deprecate the ambient variants in favor of the authority-gated variants
  4. Provide ambient_authority() as the bootstrap function (equivalent to capsec's CapRoot::root())
  5. Let the ecosystem build finer-grained capability systems (like capsec's Cap<P>) on top of the coarse AmbientAuthority foundation

Impact: Gets Rust to 8/8 Saltzer & Schroeder principles. Every Rust program would have a single auditable point where ambient authority enters the system.

Option 3: Compiler flag for capability-restricted compilation

A cargo/rustc feature that restricts which std modules are linkable based on declared capabilities:

# Cargo.toml
[package.metadata.capsec]
classification = "pure"  # compiler rejects std::fs/net/env/process imports

This would work like #![no_std] but finer-grained — #![no_std_fs], #![no_std_net], etc. A crate marked pure simply cannot link against std::fs at all, enforced by the compiler.

Why this is harder:

  • Requires changes to Rust's module resolution and linking
  • std is currently monolithic — you get all of it or none of it (no_std)
  • Splitting std into capability-gated modules is a massive undertaking
  • Would need coordination with the libs team, compiler team, and cargo team

Why it might happen anyway:

  • The no_std ecosystem already demonstrates demand for partial std access
  • WASI's capability model requires exactly this kind of module-level gating
  • The modular std discussion has been ongoing since 2018 (see std-aware cargo RFC)

Impact: Complete mediation enforced by the compiler. The dream state — but requires Rust project buy-in and years of work.

Recommended sequence

  1. Now: Ship the lint plugin (Option 1 / RFC: Rustc lint plugin for ambient authority detection #43) — proves the concept, provides immediate value
  2. Next: Write a pre-RFC blog post citing capsec's Lean proofs, adversarial suite, and Cargo Scan data — build community support
  3. Then: Submit a formal Rust RFC (Option 2) proposing AmbientAuthority tokens in std — cite the lint plugin's adoption data as evidence of demand
  4. Long-term: If the RFC is accepted, Option 3 becomes a natural follow-on as part of modular std work

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions