RUDRA: Finding Memory Safety Bugs in Rust at the Ecosystem Scale

Cited by: 34
Authors
Bae, Yechan [1]
Kim, Youngsuk [1]
Askar, Ammar [1]
Lim, Jungwon [1]
Kim, Taesoo [1]
Affiliations
[1] Georgia Inst Technol, Atlanta, GA 30332 USA
Source
PROCEEDINGS OF THE 28TH ACM SYMPOSIUM ON OPERATING SYSTEMS PRINCIPLES, SOSP 2021 | 2021
Keywords
Rust; Memory-safety; Program analysis;
DOI
10.1145/3477132.3483570
CLC number
TP31 [Computer software];
Discipline code
081202 ; 0835 ;
Abstract
Rust is a promising system programming language that guarantees memory safety at compile time. To support diverse requirements for system software such as accessing low-level hardware, Rust allows programmers to perform operations that are not protected by the Rust compiler with the unsafe keyword. However, Rust's safety guarantee relies on the soundness of all unsafe code in the program as well as the standard and external libraries, making it hard to reason about their correctness. In other words, a single bug in any unsafe code breaks the whole program's safety guarantee. In this paper, we introduce RUDRA, a program that analyzes and reports potential memory safety bugs in unsafe Rust. Since a bug in unsafe code threatens the foundation of Rust's safety guarantee, our primary focus is to scale our analysis to all the packages hosted in the Rust package registry. RUDRA can scan the entire registry (43k packages) in 6.5 hours and identified 264 previously unknown memory safety bugs, leading to 76 CVEs and 112 RustSec advisories being filed, which represent 51.6% of memory safety bugs reported to RustSec since 2016. The new bugs RUDRA found are non-trivial, subtle, and often made by Rust experts: two in the Rust standard library, one in the official futures library, and one in the Rust compiler. RUDRA is open-source, and part of its algorithm is integrated into the official Rust linter.
Pages: 84 / 99
Page count: 16