ISRG (Internet Security Research Group), the organization behind the Let’s Encrypt project and dedicated to enhancing internet security, has introduced the zlib-rs project. The project aims to create a secure alternative to the zlib data compression library. The code for zlib-rs is written in Rust and is distributed under the Zlib license. Its development draws on zlib-ng, a project working on a high-performance version of zlib. Two libraries have been developed under this project: zlib-rs, which implements the zlib API without using unsafe blocks, and libz-rs-sys, which supports the C API with code written in “unsafe” mode.
The motivation behind zlib-rs is to eliminate failures caused by memory-related errors. Companies like Microsoft and Google have indicated that approximately 70% of vulnerabilities stem from unsafe memory handling. Developing zlib-rs in Rust can significantly reduce the risk of vulnerabilities caused by memory-related errors. The approach aims to prevent issues such as use-after-free (accessing memory after it has been released) and buffer overflows.
Despite its widespread use in various systems, zlib has periodically been affected by security vulnerabilities. In 2022, a buffer overflow vulnerability was discovered in zlib that allowed attackers to exploit a system by transmitting specially crafted data. zlib-rs seeks to address these vulnerabilities and to enhance the overall security of systems that depend on data compression libraries.