Memory-Safety Challenge Considered Solved? An In-Depth Study with All Rust CVEs

Xu, Hui; Chen, Zhuangbin; Sun, Mingshen; Zhou, Yangfan; Lyu, Michael R.

doi:10.48550/arxiv.2003.03296

Cited by 1 publication

(2 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To answer RQ1, we collect a dataset with all 11 existing related CVEs for evaluation [29], including three use-after-free, three double free, and four invalid memory access bugs due to uninitialized memory. These CVEs are from 10 different Rust crates.…”

Section: Methodsmentioning

confidence: 99%

See 1 more Smart Citation

SafeDrop: Detecting Memory Deallocation Bugs of Rust Programs via Static Data-Flow Analysis

Cui¹,

Chen²,

Xu³

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

Rust is an emerging programming language that aims to prevent memory-safety bugs. However, the current design of Rust also brings side effects which may increase the risk of dangling pointers. In particular, it employs OBRM (ownership-based resource management) and enforces automatic deallocation of unused resources base on a static lifetime inference mechanism. It may therefore falsely reclaim memory and lead to use-after-free or double-free issues.In this paper, we study the problem of false memory deallocation and propose SafeDrop, a static path-sensitive data-flow analysis approach to detect such bugs. Our approach analyzes each public API of a Rust crate iteratively by traversing the control-flow graph and extracting all aliases of each data flow. To guarantee precision and scalability, we leverage Tarjan algorithm to achieve scalable pathsensitive analysis, and a cache-based strategy to achieve efficient inter-procedural analysis. Our experiment results show that our approach can successfully detect all existing CVEs of such issues with a limited number of false positives. The analysis overhead ranges from 4.4% to 87.2% in comparison with the original program compilation time. We further apply our tool to several real-world Rust crates and find 15 previously-unknown bugs from nine crates.

show abstract

Section: Methodsmentioning

confidence: 99%

“…Due to these advantages, many real-world projects start to embrace Rust, such as Servo [2] and TockOS [20]. Although the feedback of Rust's effectiveness in preventing memory-safety bug is positive, there still exist a considerable amount of such bugs in real-world projects [9,24,29].…”

Section: Introductionmentioning

confidence: 99%