Safety-focused glibc interposition layer in Rust with incremental replacement kernels.

C programs call malloc, memcpy, strlen, printf every microsecond and trust that nothing goes wrong. glibc_rust places a Transparent Safety Membrane at that ABI boundary and incrementally replaces host-libc behavior with Rust-owned implementations, raw syscall veneers, and deterministic fallback contracts.

# Interpose libc for a single process
LD_PRELOAD=/usr/lib/glibc-rust/libglibc_rs_abi.so ./my_program
# Or go hardened: catch and repair unsafe operations instead of crashing
GLIBC_RUST_MODE=hardened LD_PRELOAD=/usr/lib/glibc-rust/libglibc_rs_abi.so ./my_program

Source of truth: tests/conformance/reality_report.v1.json (generated 2026年02月11日T03:14:20Z). Reality snapshot: total_exported=227, implemented=84, raw_syscall=83, glibc_call_through=54, stub=6. Counts below reflect that generated snapshot and will change as matrix drift fixes land.

Current implementation is hybrid interposition, not full replacement. Exported symbols are classified into four support-taxonomy states:

Total currently classified exports: 227.

Known stubs:

• freeaddrinfo
• gai_strerror
• getaddrinfo
• getnameinfo
• localeconv
• setlocale

Source of truth: tests/conformance/packaging_spec.json.

Support-matrix applicability rule:

• Implemented + RawSyscall symbols apply to both artifacts.
• GlibcCallThrough + Stub symbols apply to Interpose only.

Source of truth: tests/conformance/replacement_levels.json. Declared replacement level claim: L0 — Interpose. Release tag format: v<semver>-L<level> (for example v0.1.0-L0 at current level).

glibc is 1.86 million lines of C/assembly, mass-accumulated over 30+ years. It is the most widely deployed attack surface on Linux. Every CVE in glibc -- heap overflows in malloc, format string bugs in printf, buffer overruns in strcpy -- exists because C cannot enforce memory safety. Sanitizers help at dev time but vanish in production. Your deployed binaries run naked.

Measured from the actual glibc source tree (not estimates):

By language:

By subsystem (top 15):

sysdeps/ + iconvdata/ alone = 60.7% of the entire codebase (platform-specific implementations and character encoding tables).

sysdeps/ internal breakdown (top 10 architectures):

All 29 key subsystems (complete):

These 29 subsystems = 1,640,126 lines (88.1%) of the total codebase.

Largest individual files in glibc:

17 of the top 20 largest files are iconvdata character encoding tables. The famous malloc/malloc.c ranks #20.

glibc_rust provides a Transparent Safety Membrane (TSM) behind a glibc-compatible ABI and classifies each exported symbol as Implemented, RawSyscall, GlibcCallThrough, or Stub. The membrane validates every pointer, checks bounds, and tracks allocation lifetimes at the C ABI boundary.

Two runtime modes let you choose your trade-off:

# 1. Build the Interpose artifact
cargo build --release -p glibc-rs-abi
# 2. Run a candidate program with glibc_rust interposed
LD_PRELOAD=target/release/libglibc_rs_abi.so ls -la
# 3. Enable hardened mode to catch unsafe patterns
GLIBC_RUST_MODE=hardened LD_PRELOAD=target/release/libglibc_rs_abi.so ./legacy_c_server
# 4. Check what the membrane caught
cat /tmp/glibc_rust_metrics.log
# membrane.validations: 14823901
# membrane.heals.clamp_size: 3
# membrane.heals.ignore_double_free: 1
# membrane.denials: 0
# 5. Run conformance tests against host glibc
cargo test -p glibc-rs-harness
# 6. Benchmark membrane overhead
cargo bench -p glibc-rs-bench

glibc_rust targets glibc ABI compatibility for the currently exported/classified symbol set, including version tags (GLIBC_2.2.5, GLIBC_2.14, etc.) and calling conventions. If the ABI contract breaks, nothing else matters.

Memory safety isn't achieved by "being careful with unsafe." It's achieved by architecture: a validation pipeline at every entry point, a generational arena that makes use-after-free impossible, and a lattice-theoretic state model that can only move toward more restrictive safety states.

Strict mode targets glibc-compatible behavior for the currently supported symbol set -- same return values, same errno, same side effects where covered. Hardened mode adds repair semantics for invalid inputs (clamping oversized copies, quarantining freed pointers, null-terminating truncated strings). The mode is chosen once at process startup via environment variable and cannot change.

This is a clean-room reimplementation. Behavior is extracted from POSIX/C standards and glibc's documented contracts, not by translating C to Rust line-by-line. The legacy source tree exists for reference only.

Every safety decision the membrane makes is auditable. Validation counts, repair actions, denial reasons -- all recorded via lock-free atomic counters. In hardened mode, every repair emits a structured evidence record.

git clone https://github.com/anthropics/glibc_rust.git
cd glibc_rust
cargo build --release -p glibc-rs-abi
# Output: target/release/libglibc_rs_abi.so

sudo install -m 755 target/release/libglibc_rs_abi.so /usr/lib/glibc-rust/libglibc_rs_abi.so

LD_PRELOAD=/usr/lib/glibc-rust/libglibc_rs_abi.so ./your_program

• Rust nightly (edition 2024)
• Linux x86_64 (primary target)
• No runtime dependencies beyond the kernel
• Host glibc runtime currently required for GlibcCallThrough symbols

1. Build:

cargo build --release -p glibc-rs-abi

2. Verify conformance:

cargo test --all-targets

2a. Run the canonical full workspace gate (fmt/check/clippy/test + ABI cdylib build):

scripts/ci.sh

For the heavier policy/perf/snapshot suite, opt in explicitly:

GLIBC_RUST_EXTENDED_GATES=1 scripts/ci.sh

3. Run a program in strict mode (default):

LD_PRELOAD=target/release/libglibc_rs_abi.so ./my_app

4. Run a program in hardened mode:

GLIBC_RUST_MODE=hardened LD_PRELOAD=target/release/libglibc_rs_abi.so ./my_app

5. Benchmark overhead:

cargo bench -p glibc-rs-bench

Reproducible hotspot pipeline (CPU + alloc + syscall) for critical benchmarks:

scripts/profile_pipeline.sh

 C program calls malloc(), strlen(), printf(), ...
 |
 +---------------------v----------------------+
 | Layer A: ABI Boundary |
 | extern "C" #[no_mangle] symbols |
 | Symbol versions (GLIBC_2.x) |
 +---------------------+----------------------+
 |
 +---------------------v----------------------+
 | Layer B: Transparent Safety Membrane |
 | |
 | null check (1ns) |
 | -> TLS cache (5ns) |
 | -> bloom filter (10ns) |
 | -> arena lookup (30ns) |
 | -> fingerprint check (20ns) |
 | -> canary check (10ns) |
 | -> bounds check (5ns) |
 | |
 | Decision: Allow | Repair(strategy) | Deny |
 +---------------------+----------------------+
 |
 +---------------------v----------------------+
 | Layer C: Safe Semantic Kernels |
 | #![deny(unsafe_code)] |
 | Pure Rust implementations |
 | Deterministic, testable |
 +---------------------------------------------+

The math stack is not just documentation or offline CI proof. It now has a runtime control-plane embodiment inside the membrane:

• runtime_math::risk computes online per-family risk envelopes.
• runtime_math::bandit routes calls between Fast and Full validation profiles.
• runtime_math::control updates thresholds with a primal-dual budget controller.
• runtime_math::barrier enforces constant-time admissibility gates.
• runtime_math::cohomology detects overlap-consistency faults across metadata shards.
• runtime_math::pareto enforces mode-aware latency/risk frontier selection with cumulative regret tracking and hard per-family regret caps.
• runtime_math::eprocess runs anytime-valid sequential testing (e-process alarms) per API family.
• runtime_math::cvar enforces distributionally-robust CVaR tail guards to prevent heavy-tail latency regimes from silently degrading safety routing.
• schrodinger_bridge runs entropy-regularized optimal transport (Sinkhorn) to detect policy-regime transport drift.
• large_deviations applies Cramér-rate rare-event monitoring for catastrophic adverse-sequence budgeting.
• risk_engine (sampled conformal alarm model) now contributes live risk bonuses in runtime.
• check_oracle (sampled contextual stage-order oracle) now contributes live profile bias in runtime.
• quarantine_controller (primal-dual queue-depth control) now updates/publishes live quarantine depth.

Per-call decision law: mode + context + risk + eprocess + cvar + control limits + pareto + barrier + consistency -> Allow | FullValidate | Repair | Deny.

Pragmatic constraint:

• hot-path logic stays compact and deterministic,
• heavy synthesis/proof remains offline,
• runtime executes only low-overhead control kernels.

Current integration status:

• fused runtime math is active in pointer-validation flow,
• allocator routing is active at malloc/free/realloc/calloc,
• string/memory routing is active across bootstrap <string.h> entrypoints (mem*, strlen, strcmp, strcpy, strncpy, strcat, strncat, strchr, strrchr, strstr, strtok),
• threading routing is active in bootstrap pthread_* entrypoints (pthread_self/equal/create/join/detach),
• resolver routing is active in bootstrap <netdb.h> entrypoints (getaddrinfo/freeaddrinfo/getnameinfo/gai_strerror).

Canonical direction: surface -> failure class -> alien math -> compiled runtime artifact.

Round C adds these legacy-grounded surfaces:

Developer transparency rule:

• math runs offline in synthesis/proof pipelines;
• runtime ships only deterministic artifacts (tables/guards/kernels);
• contributors work with ordinary Rust code, tests, and policy files.

HARD REQUIREMENT (verbatim): This project must leverage:

• /dp/asupersync for deterministic conformance orchestration and traceability/reporting primitives.
• /dp/frankentui for deterministic diff/snapshot-oriented harness output and TUI-driven analysis tooling.

These are build/test tooling dependencies only, not production runtime dependencies of libglibc_rs_abi.so.

# No env var needed -- strict is the default
LD_PRELOAD=target/release/libglibc_rs_abi.so ./my_app

• ABI-compatible for the currently supported/classified symbol set
• No repair transformations
• Invalid operations return glibc-compatible error codes
• Overhead budget: <20ns per membrane-gated call

GLIBC_RUST_MODE=hardened LD_PRELOAD=target/release/libglibc_rs_abi.so ./my_app

• Catches and repairs unsafe operations instead of allowing corruption
• Deterministic repair policies per API family:

• Every repair emits an evidence record
• Overhead budget: <200ns per membrane-gated call

tests/conformance/reality_report.v1.json is the canonical coverage snapshot (generated from support_matrix.json via harness reality-report).

For exact counts, stub surface, and snapshot timestamp, inspect tests/conformance/reality_report.v1.json. For per-symbol strict/hardened semantics and status, inspect support_matrix.json directly.

glibc_rust correctness is validated through fixture-driven conformance and drift gates.

# Run the full conformance suite
cargo test -p glibc-rs-harness
# Verify fixture packs (strict + hardened) and emit a report
cargo run -p glibc-rs-harness --bin harness -- verify \
 --fixture tests/conformance/fixtures \
 --report /tmp/glibc_rust_conformance.md
# Regenerate deterministic strict+hardened conformance goldens + checksums
scripts/update_conformance_golden.sh
# Verify conformance golden drift
scripts/conformance_golden_gate.sh
# Verify runtime_math snapshot golden drift
scripts/snapshot_gate.sh
# Run LD_PRELOAD smoke suite (coreutils + integration C binary + python/busybox)
TIMEOUT_SECONDS=10 scripts/ld_preload_smoke.sh
# Run healing oracle tests (hardened mode)
cargo run -p glibc-rs-harness --bin harness -- verify-membrane --mode hardened

1. Fixture capture: Run test vectors against host glibc, serialize inputs + outputs as JSON
2. Fixture verify: Run same vectors against glibc_rust, compare outputs bit-for-bit
3. Traceability: Every test maps to a POSIX/C11 spec section
4. Healing oracle: Intentionally trigger unsafe conditions, verify repair behavior
5. Benchmark gate: No regressions allowed; membrane overhead must stay within budget

cargo bench -p glibc-rs-bench

Measured overhead of the membrane validation pipeline on hot-path operations:

Strict mode overhead is dominated by the TLS cache lookup. Hardened mode adds fingerprint verification and bounds checking.

The program's existing libc initialization ran before LD_PRELOAD took effect. Use LD_LIBRARY_PATH with a symlink named libc.so.6 instead:

mkdir -p /tmp/glibc-rust-lib
ln -sf $(realpath target/release/libglibc_rs_abi.so) /tmp/glibc-rust-lib/libc.so.6
LD_LIBRARY_PATH=/tmp/glibc-rust-lib ./my_app

Some programs with complex TLS layouts may conflict with the membrane's TLS cache. Set GLIBC_RUST_TLS_CACHE=0 to disable the cache (increases overhead but resolves conflicts).

Ensure the version script (libc.map) covers all symbols the loaded library expects. Run with GLIBC_RUST_LOG=debug to see which symbol lookup failed.

Specific repair policies can be disabled per API family:

GLIBC_RUST_DISABLE_HEAL=clamp_size,ignore_double_free ./my_app

Run the full benchmark suite and compare against the committed baseline:

cargo bench -p glibc-rs-bench -- --baseline committed

Q: Can I use this in production? A: For controlled workloads that stay within the currently supported symbol set, yes. This project is not yet a full glibc replacement; use the support taxonomy and smoke/conformance gates to validate your workload.

Q: Does this protect against all memory safety bugs? A: It protects against memory safety bugs that flow through libc calls -- which is a large and important class. It does not protect against bugs in application code that never calls libc (e.g., stack buffer overflows within a function).

Q: How does this compare to AddressSanitizer? A: ASan instruments your compiled code and catches bugs at dev time. glibc_rust operates at the libc boundary and runs in production. They're complementary: ASan for development, glibc_rust for deployed binaries.

Q: What happens if strict mode encounters an invalid pointer? A: The same thing that happens in glibc -- undefined behavior for the caller. Strict mode does not add safety; it provides ABI compatibility. Use hardened mode if you want safety.

Q: Can I run this on musl-based systems? A: glibc_rust replaces glibc specifically. On musl systems, you'd use LD_PRELOAD but may encounter symbol version mismatches since musl doesn't use glibc's versioning scheme.

Q: What's the memory overhead? A: The membrane adds 24 bytes per allocation (16-byte fingerprint + 8-byte canary) plus ~128KB for the bloom filter and TLS caches. For most programs, this is negligible.

Q: Is the math stack required to understand the code? A: No. Runtime uses compact control kernels with plain interfaces (risk, bandit, control, pareto, barrier, cohomology), while heavy theorem/proof machinery stays offline. Day-to-day code is ordinary Rust.

Please don't take this the wrong way, but I do not accept outside contributions for any of my projects. I simply don't have the mental bandwidth to review anything, and it's my name on the thing, so I'm responsible for any problems it causes; thus, the risk-reward is highly asymmetric from my perspective. I'd also have to worry about other "stakeholders," which seems unwise for tools I mostly make for myself for free. Feel free to submit issues, and even PRs if you want to illustrate a proposed fix, but know I won't merge them directly. Instead, I'll have Claude or Codex review submissions via gh and independently decide whether and how to address them. Bug reports in particular are welcome. Sorry if this offends, but I want to avoid wasted time and hurt feelings. I understand this isn't in sync with the prevailing open-source ethos that seeks community contributions, but it's the only way I can move at this velocity and keep my sanity.

MIT