Rudra: Finding Memory Safety Bugs in Rust at the Ecosystem Scale

Rust is a promising system programming language that guarantees memory safety at compile time. To support diverse requirements for system software such as accessing low-level hardware, Rust allows programmers to perform operations that are not protected by the Rust compiler with the unsafe keyword. However, Rust's safety guarantee relies on the soundness of all unsafe code in the program as well as the standard and external libraries, making it hard to reason about their correctness. In other words, a single bug in any unsafe code breaks the whole program's safety guarantee. In this paper, we introduce RUDRA, a program that analyzes and reports potential memory safety bugs in unsafe Rust. Since a bug in unsafe code threatens the foundation of Rust's safety guarantee, our primary focus is to scale our analysis to all the packages hosted in the Rust package registry. RUDRA can scan the entire registry (43k packages) in 6.5 hours and has identified 264 previously unknown memory safety bugs, leading to 76 CVEs and 112 RustSec advisories being filed, which represent 51.6% of memory safety bugs reported to RustSec since 2016. The new bugs RUDRA found are non-trivial, subtle, and often made by Rust experts: two in the Rust standard library, one in the official futures library, and one in the Rust compiler. RUDRA is open-source, and part of its algorithm is integrated into the official Rust linter.
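The abstract's central point, that one unsound unsafe block inside a safe-looking API silently voids the memory-safety guarantee for every caller, is easiest to see on a small constructed case. The following is an added illustration and is not code from the paper or from RUDRA; the functions `head_unsound`, `head_checked` and `head_unchecked` are invented for this example. It places an unsound wrapper next to the two sound ways of repairing it: check the precondition locally, or make the contract visible by marking the function `unsafe`.

```rust
// Added example (not from the RUDRA paper): a safe-looking function whose
// internal unsafe block makes it unsound, beside two sound alternatives.
// All function names here are constructed for illustration.

/// Returns the first `n` bytes of `data` through an unchecked slice.
///
/// UNSOUND: the function is declared safe, so any caller may pass
/// `n > data.len()`, and the unsafe block then reads out of bounds.
/// The program's memory-safety guarantee now rests on a contract the
/// type system no longer enforces, which is exactly the failure mode
/// the abstract describes.
pub fn head_unsound(data: &[u8], n: usize) -> &[u8] {
    // SAFETY (as an author might wrongly write it): "the caller promises
    // n <= data.len()". A safe fn cannot rely on such a promise.
    unsafe { data.get_unchecked(..n) }
}

/// Sound repair 1: establish the precondition locally before the
/// unsafe operation, so the unsafe block cannot be reached otherwise.
pub fn head_checked(data: &[u8], n: usize) -> Option<&[u8]> {
    if n > data.len() {
        return None;
    }
    // SAFETY: n <= data.len() was verified immediately above.
    Some(unsafe { data.get_unchecked(..n) })
}

/// Sound repair 2: keep the unchecked fast path but mark the function
/// `unsafe`, moving the obligation to the caller where reviewers and
/// tools can see it.
///
/// # Safety
/// `n` must be less than or equal to `data.len()`.
pub unsafe fn head_unchecked(data: &[u8], n: usize) -> &[u8] {
    debug_assert!(n <= data.len());
    // SAFETY: guaranteed by this function's documented contract.
    unsafe { data.get_unchecked(..n) }
}

fn main() {
    let buf: [u8; 4] = [1, 2, 3, 4]; // constructed sample input
    println!("{:?}", head_checked(&buf, 2)); // Some([1, 2])
    // The same call through head_unsound with n = 10 would be undefined
    // behaviour; head_checked simply refuses it.
    println!("{:?}", head_checked(&buf, 10)); // None
}
```

The difference between the first and third function is only the `unsafe` marker on the signature, but that marker is what lets the compiler force every call site to acknowledge the contract; an audit or a tool such as a linter can then focus on `unsafe` blocks and `unsafe fn` calls rather than on every safe function in the crate. Running a test that calls `head_unsound` with an out-of-range `n` under Miri reports the out-of-bounds read as undefined behaviour, which is a practical way to catch this class of unsoundness before it ships.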
