# AD5022: RustMachOEnableLTO

## Summary

| Property | Value |
|---|---|
| ID | AD5022 |
| Name | RustMachOEnableLTO |
| Category | Security |
| Severity | Warning |
| Applies to | Mach-O (macOS, iOS, Rust compiled) |

## Description

Rust Mach-O binaries should enable Link-Time Optimization (LTO) for improved security and performance, especially for release builds.

## How It Works

The rule checks for the following LTO indicators:
- LTO-related metadata in the binary
- Presence of LLVM bitcode sections
- Compiler/linker optimization flags
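As an added illustration of the bitcode-section indicator (this is example code written for this page, not the analyzer's own implementation), the following Python walks the load commands of a 64-bit Mach-O image and reports every section declared inside the `__LLVM` segment, where embedded bitcode lives as `__LLVM,__bitcode`. The sample images come from `build_sample`, a helper of this example that constructs a minimal, non-loadable Mach-O in memory; all constants are taken from `<mach-o/loader.h>`.

```python
import struct

# Mach-O constants (from <mach-o/loader.h>)
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit little-endian Mach-O magic
LC_SEGMENT_64 = 0x19
MH_EXECUTE = 0x2
CPU_TYPE_ARM64 = 0x0100000C
HEADER_64_SIZE = 32           # sizeof(mach_header_64)
SEGMENT_64_SIZE = 72          # sizeof(segment_command_64), sections excluded
SECTION_64_SIZE = 80          # sizeof(section_64)


def _cstr(raw: bytes) -> str:
    """Decode a fixed-width, NUL-padded Mach-O name field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def list_sections(image: bytes) -> list[tuple[str, str]]:
    """Return (segname, sectname) for every section declared by LC_SEGMENT_64
    load commands. Only a thin, little-endian, 64-bit image is handled."""
    if len(image) < HEADER_64_SIZE:
        raise ValueError("image too small for a mach_header_64")
    magic, = struct.unpack_from("<I", image, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O image")
    ncmds, sizeofcmds = struct.unpack_from("<II", image, 16)
    sections: list[tuple[str, str]] = []
    off = HEADER_64_SIZE
    end = min(len(image), HEADER_64_SIZE + sizeofcmds)
    for _ in range(ncmds):
        if off + 8 > end:
            break
        cmd, cmdsize = struct.unpack_from("<II", image, off)
        if cmdsize < 8 or off + cmdsize > end:
            break  # malformed load command: stop rather than read out of bounds
        if cmd == LC_SEGMENT_64 and cmdsize >= SEGMENT_64_SIZE:
            segname = _cstr(image[off + 8:off + 24])
            nsects, = struct.unpack_from("<I", image, off + 64)
            sec_off = off + SEGMENT_64_SIZE
            for _ in range(nsects):
                if sec_off + SECTION_64_SIZE > off + cmdsize:
                    break  # nsects claims more sections than the command holds
                sections.append((segname, _cstr(image[sec_off:sec_off + 16])))
                sec_off += SECTION_64_SIZE
        off += cmdsize
    return sections


def llvm_sections(image: bytes) -> list[str]:
    """Names of the sections living in the __LLVM segment (e.g. __bitcode)."""
    return [sect for seg, sect in list_sections(image) if seg == "__LLVM"]


def has_llvm_bitcode(image: bytes) -> bool:
    return "__bitcode" in llvm_sections(image)


def build_sample(with_bitcode: bool) -> bytes:
    """Construct a minimal Mach-O image in memory (constructed sample data for
    this example; it is not loadable and carries no real code)."""
    def segment(segname: str, sectnames: list[str]) -> bytes:
        cmdsize = SEGMENT_64_SIZE + SECTION_64_SIZE * len(sectnames)
        cmd = struct.pack("<II16sQQQQIIII", LC_SEGMENT_64, cmdsize,
                          segname.encode(), 0, 0, 0, 0, 7, 5, len(sectnames), 0)
        for name in sectnames:
            cmd += struct.pack("<16s16sQQIIIIIIII", name.encode(),
                               segname.encode(), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
        return cmd

    cmds = segment("__TEXT", ["__text"])
    if with_bitcode:
        cmds += segment("__LLVM", ["__bitcode", "__cmdline"])
    ncmds = 2 if with_bitcode else 1
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0,
                         MH_EXECUTE, ncmds, len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    for flag in (False, True):
        image = build_sample(flag)
        print("bitcode" if has_llvm_bitcode(image) else "no bitcode",
              llvm_sections(image))
```

Two caveats for anyone reusing this check: universal (fat) binaries wrap several thin images and must be split first, and a final linked release binary often carries no `__LLVM,__bitcode` section even when it was built with LTO, because the bitcode is consumed by the linker; that is why the rule combines this indicator with the other two listed above rather than relying on it alone.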

## Why This Matters

LTO enables whole-program optimization and is a prerequisite for certain security features, such as LLVM Control Flow Integrity (CFI).

## LTO Security Benefits

| Benefit | Description |
|---|---|
| CFI support | Control Flow Integrity requires LTO |
| Dead code removal | Smaller attack surface |
| Cross-crate optimization | Better inlining of security checks |
| Symbol stripping | Fewer exposed symbols |

## LTO Modes in Rust

| Mode | Build Time | Size | Quality |
|---|---|---|---|
| `false` | Fast | Larger | Base |
| `"thin"` | Medium | Smaller | Good |
| `"fat"` (same as `true`) | Slow | Smallest | Best |

## Security vs Build Time

- Development: `lto = false` → fast iteration
- Release: `lto = "thin"` → good balance; `lto = true` → maximum optimization

## CFI Requirement

```toml
# CFI requires LTO
[profile.release]
lto = true
```

Then enable CFI (nightly toolchain):

```sh
RUSTFLAGS="-Zsanitizer=cfi" cargo +nightly build --release
```

## Resolution

Enable LTO in release builds:

```toml
# Cargo.toml
[profile.release]
lto = true
codegen-units = 1  # Recommended with LTO
```

Or, for faster builds that keep most of the benefit:

```toml
# Cargo.toml
[profile.release]
lto = "thin"
```