AD5021: RustEnableSecureSourceHashMachO
Summary
| Property | Value |
|---|---|
| ID | AD5021 |
| Name | RustEnableSecureSourceHashMachO |
| Category | Security |
| Severity | Warning |
| Applies to | Mach-O (macOS, iOS, Rust compiled) |
Description
Rust Mach-O binaries should record source file hashes in their debug information using a secure hashing algorithm, so that source files can be reliably identified and builds reproduced.
How It Works
The rule examines DWARF debug information for:
- Source file hash algorithm used
- Presence of MD5 (insecure) vs SHA-256 (secure)
- Compiler configuration for hashing
Why This Matters
Secure hashing enables reliable verification of the source files associated with debug information and prevents collision attacks, in which a different file is crafted to carry the same recorded hash.
Hash Algorithm Comparison
| Algorithm | Status | Collision Risk |
|---|---|---|
| MD5 | Insecure | Practical attacks exist |
| SHA-1 | Deprecated | Theoretical attacks |
| SHA-256 | Secure | No known attacks |
Debug Information Integrity
```text
DWARF with MD5:
  Source: main.rs → MD5: d41d8cd98f00b204...
  Attacker could create a collision file

DWARF with SHA-256:
  Source: main.rs → SHA-256: e3b0c44298fc1c14...
  Collision computationally infeasible
```
Reproducible Builds
| Feature | Benefit |
|---|---|
| Consistent hashing | Same source → same hash |
| Verification | Confirm source matches binary |
| Supply chain | Detect tampering |
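The verification step described above, as an added example that is not the rule's own implementation: it assumes the source hash has already been extracted from the DWARF line table as a hex string, classifies the algorithm by digest length according to the comparison table, recomputes the hash over the source file and reports an AD5021 finding for anything weaker than SHA-256.

```python
"""Classify and verify a source-file hash recorded in DWARF debug info."""
import hashlib

# Mirrors the page's comparison table, keyed by hex digest length.
ALGORITHMS = {
    32: ("MD5", "Insecure"),
    40: ("SHA-1", "Deprecated"),
    64: ("SHA-256", "Secure"),
}


def recorded_hash(source: bytes, algo: str) -> str:
    """Hex digest a compiler would record for `source` with the named algorithm."""
    return hashlib.new(algo.replace("-", "").lower(), source).hexdigest()


def classify(digest_hex: str):
    """Return (algorithm, status) for a recorded hex digest, or None if unrecognised."""
    return ALGORITHMS.get(len(digest_hex.strip()))


def verify_source_hash(source: bytes, digest_hex: str) -> dict:
    """Recompute the hash over `source`; report algorithm, match and any AD5021 finding."""
    info = classify(digest_hex)
    if info is None:
        return {"algorithm": None, "status": "Unknown", "match": False,
                "finding": "AD5021: unrecognised hash length"}
    algo, status = info
    match = recorded_hash(source, algo) == digest_hex.strip().lower()
    # Only SHA-256 is considered secure; MD5 and SHA-1 are reported.
    finding = None if algo == "SHA-256" else (
        f"AD5021: {algo} source hash is {status.lower()}; prefer SHA-256")
    return {"algorithm": algo, "status": status, "match": match, "finding": finding}


if __name__ == "__main__":
    # Constructed sample: a tiny main.rs and the hashes a build might record for it.
    main_rs = b"fn main() {}\n"
    for algo in ("MD5", "SHA-256"):
        print(verify_source_hash(main_rs, recorded_hash(main_rs, algo)))
    # Tampered source no longer matches the recorded hash.
    print(verify_source_hash(b"fn main() { evil() }\n", recorded_hash(main_rs, "SHA-256")))
```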
Resolution
Configure Rust to use secure hashing: