Securing UnSafe Rust Programs with XRust

Rust is a promising systems programming language that embraces both high-level memory safety and low-level resource manipulation. However, the dark side of Rust, unsafe Rust, leaves a large security hole as it bypasses the Rust type system in order to support low-level operations. Recently, several real-world memory corruption vulnerabilities have been discovered in Rust's standard libraries. We present XRust, a new technique that mitigates the security threat of unsafe Rust by ensuring the integrity of data flow from unsafe Rust code to safe Rust code. The cornerstone of XRust is a novel heap allocator that isolates the memory of unsafe Rust from that accessed only in safe Rust, and prevents any cross-region memory corruption. Our design of XRust supports both single- and multi-threaded Rust programs. Our extensive experiments on real-world Rust applications and standard libraries show that XRust is both highly efficient and effective in practice.
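The abstract describes the core idea at a high level: objects that unsafe code can reach are allocated in a separate heap region from objects only safe Rust touches, so a memory error inside unsafe code cannot reach safe-only data. The following is an added illustrative model of that idea, not XRust's code and not its allocator design (XRust works at the level of real heap regions in the Rust allocator; this is a toy bump allocator over byte arenas). The arena sizes, the object layout and the `0x41` overflow payload are constructed for the example. The unsafe-code write enforces only the region boundary, which stands in for the trap an overflow would hit at the edge of an isolated region, while the safe-code write enforces the object's own bounds, as the Rust type system does.

```rust
/// Which heap region an object lives in.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Region {
    /// Objects only safe Rust code ever touches.
    Safe,
    /// Objects that unsafe code (raw pointers, FFI) may access.
    Unsafe,
}

/// Handle returned by `Heap::alloc`: region, start offset and length.
#[derive(Debug, Clone, Copy)]
pub struct Obj {
    region: Region,
    start: usize,
    len: usize,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Fault {
    OutOfMemory,
    /// Safe-code write larger than its object: rejected by the type system.
    OutOfBounds,
    /// Unsafe-code write that would leave its region's arena (models a guard page).
    CrossRegion { region: Region, end: usize, limit: usize },
}

/// Toy bump allocator: one shared arena when `isolate == false`, or one arena
/// per region when `isolate == true`. Sizes are hypothetical.
pub struct Heap {
    arenas: Vec<Vec<u8>>,
    tops: Vec<usize>,
    isolate: bool,
}

impl Heap {
    pub fn new(isolate: bool, arena_size: usize) -> Self {
        let n = if isolate { 2 } else { 1 };
        Heap { arenas: vec![vec![0u8; arena_size]; n], tops: vec![0; n], isolate }
    }

    fn idx(&self, r: Region) -> usize {
        match (self.isolate, r) {
            (true, Region::Unsafe) => 1,
            _ => 0,
        }
    }

    pub fn alloc(&mut self, region: Region, len: usize) -> Result<Obj, Fault> {
        let i = self.idx(region);
        let start = self.tops[i];
        if start + len > self.arenas[i].len() {
            return Err(Fault::OutOfMemory);
        }
        self.tops[i] = start + len;
        Ok(Obj { region, start, len })
    }

    /// Write by safe Rust: the object's own bounds are enforced.
    pub fn safe_write(&mut self, obj: Obj, bytes: &[u8]) -> Result<(), Fault> {
        if bytes.len() > obj.len {
            return Err(Fault::OutOfBounds);
        }
        let i = self.idx(obj.region);
        self.arenas[i][obj.start..obj.start + bytes.len()].copy_from_slice(bytes);
        Ok(())
    }

    /// Write by unsafe code through a raw pointer derived from `obj`. Only the
    /// region boundary is enforced, not the object's bounds: that is what a raw
    /// pointer overflow bypasses, and what region isolation still contains.
    pub fn unsafe_write(&mut self, obj: Obj, bytes: &[u8]) -> Result<(), Fault> {
        let i = self.idx(obj.region);
        let end = obj.start + bytes.len();
        let limit = self.arenas[i].len();
        if end > limit {
            return Err(Fault::CrossRegion { region: obj.region, end, limit });
        }
        self.arenas[i][obj.start..end].copy_from_slice(bytes);
        Ok(())
    }

    pub fn read(&self, obj: Obj) -> Vec<u8> {
        let i = self.idx(obj.region);
        self.arenas[i][obj.start..obj.start + obj.len].to_vec()
    }
}

/// Scenario: a 16-byte buffer handed to unsafe code is allocated right before a
/// 16-byte safe-only object (think of an authorization flag or a vtable), and
/// unsafe code writes `write_len` bytes into the buffer. Returns the safe-only
/// object's contents afterwards and the outcome of the overflowing write.
pub fn overflow_scenario(isolate: bool, write_len: usize) -> (Vec<u8>, Result<(), Fault>) {
    let mut heap = Heap::new(isolate, 32);
    let buf = heap.alloc(Region::Unsafe, 16).unwrap();
    let guarded = heap.alloc(Region::Safe, 16).unwrap();
    // Constructed sample data: the safe-only object starts out as all 0x01.
    heap.safe_write(guarded, &[1u8; 16]).unwrap();
    // Constructed attacker-controlled payload written past the buffer's end.
    let outcome = heap.unsafe_write(buf, &vec![0x41u8; write_len]);
    (heap.read(guarded), outcome)
}

fn main() {
    println!("shared heap, 32-byte write:   {:?}", overflow_scenario(false, 32));
    println!("isolated heap, 32-byte write: {:?}", overflow_scenario(true, 32));
    println!("isolated heap, 48-byte write: {:?}", overflow_scenario(true, 48));
}
```

On the shared heap the 32-byte write into the 16-byte buffer silently overwrites the safe-only object with `0x41`, which is exactly the cross-region corruption the abstract targets. With isolation the same write lands entirely inside the unsafe region (it may still clobber other unsafe-region objects, which the model does not prevent and XRust's abstract does not claim to), and a write large enough to cross the region edge is stopped before it touches safe-only memory.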
