Yuga: Automatically Detecting Lifetime Annotation Bugs in the Rust Language

Vikram Nitin, Anne Mulhern, Sanjay Arora, Baishakhi Ray

TL;DR

This work addresses memory-safety bugs in unsafe Rust caused by incorrect lifetime annotations (LA bugs) by introducing Yuga, a multi-stage static analysis that combines a quick pattern-matching pass over potentially buggy components, a flow- and field-sensitive alias analysis, and a shallow filtering step that removes false positives. Evaluated on real-world RustSec vulnerabilities and a synthetic bug dataset, Yuga achieves $87.5\%$ precision and $60.9\%$ recall on RustSec and $59.3\%$ recall on the synthetic data; scanning 372 crates uncovered 3 exploitable bugs and 82 code smells. The authors show that existing tools (Rudra, MirChecker, Miri) detect lifetime-annotation bugs only partially or only in specific contexts, which supports the practicality and novelty of Yuga. The datasets and code are publicly available, enabling scalable scanning of Rust projects for LA bugs, with direct security implications for unsafe Rust codebases.

Abstract

The Rust programming language is becoming increasingly popular among systems programmers due to its efficient performance and robust memory safety guarantees. Rust employs an ownership model to ensure this guarantee by allowing each value to be owned by only one identifier at a time. Additionally, it introduces the concepts of borrowing and lifetimes to enable other variables to temporarily borrow values under certain conditions. Despite its benefits, security vulnerabilities have been reported in Rust projects, often attributed to the use of "unsafe" Rust code. These vulnerabilities, in part, arise from incorrect lifetime annotations on function signatures. However, existing tools fail to detect these bugs, primarily because such bugs are rare, challenging to detect through dynamic analysis, and require explicit memory models. To overcome these limitations, we first characterize incorrect lifetime annotations as a source of memory safety bugs and leverage this understanding to devise a novel static analysis tool, Yuga, to detect potential lifetime annotation bugs. Yuga uses a multi-phase analysis approach, starting with a quick pattern-matching algorithm to identify potential buggy components and then conducting a flow- and field-sensitive alias analysis to confirm the bugs. We also curate new datasets of lifetime annotation bugs. Yuga successfully detects bugs with good precision on these datasets, and we make the code and datasets publicly available for review.
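
The following is an added example, not code from the paper or from Yuga, illustrating the bug class the abstract describes: a function signature whose output lifetime is not tied to the borrow it actually depends on, with `unsafe` used to produce the reference. The `Wrapper` type, its methods and the caller functions are hypothetical. The buggy method works correctly while the owner is alive (so tests pass), yet it lets fully safe caller code compile that returns a reference to freed memory; the fixed signature makes the borrow checker reject that caller.

```rust
// Added example (not from the Yuga paper): the lifetime-annotation bug class
// the paper targets, next to the corrected signature. All names hypothetical.

/// Hypothetical wrapper around a heap allocation.
pub struct Wrapper {
    data: Box<u32>,
}

impl Wrapper {
    pub fn new(v: u32) -> Self {
        Wrapper { data: Box::new(v) }
    }

    /// BUGGY: the output lifetime `'a` is a free parameter, not tied to `&self`.
    /// Safe Rust would reject this body, so `unsafe` launders a raw pointer into
    /// a reference with whatever lifetime the caller asks for (even `'static`).
    /// The borrow checker then believes the reference may outlive `self`.
    pub fn get_buggy<'a>(&self) -> &'a u32 {
        let p: *const u32 = &*self.data;
        // The implied SAFETY claim is false: nothing guarantees `self.data`
        // lives for `'a`.
        unsafe { &*p }
    }

    /// FIXED: elision ties the output lifetime to the `&self` borrow, so the
    /// returned reference cannot outlive the wrapper. No `unsafe` is needed.
    pub fn get_fixed(&self) -> &u32 {
        &self.data
    }
}

/// Entirely safe code that compiles only because of the buggy annotation:
/// `w` is dropped at the end of the function, yet a `'static` reference to
/// its freed heap cell escapes. Reading through the result would be a
/// use-after-free, so this example never calls or dereferences it; its
/// compiling at all is the demonstration.
pub fn escape_dangling() -> &'static u32 {
    let w = Wrapper::new(7);
    w.get_buggy()
}

// The same caller written against the fixed API does not compile:
//     pub fn escape_fixed() -> &'static u32 {
//         let w = Wrapper::new(7);
//         w.get_fixed()
//     }
//     error[E0515]: cannot return value referencing local variable `w`

/// Normal use, with the wrapper alive, behaves identically for both versions.
/// This is why the bug survives ordinary testing and only analysis of the
/// signature (Yuga's starting point) catches it.
pub fn read_while_alive(v: u32) -> (u32, u32) {
    let w = Wrapper::new(v);
    (*w.get_buggy(), *w.get_fixed())
}

fn main() {
    println!("{:?}", read_while_alive(42)); // (42, 42)
    // escape_dangling() is deliberately not called: it compiles, which is the
    // bug, but executing it would hand back a use-after-free reference.
}
```

The signature-level symptom is what to look for in review: an output reference whose lifetime parameter appears in no input, or is tied to the wrong input, combined with an `unsafe` block that derives the reference from a raw pointer. Miri or a test suite will not flag `get_buggy` unless some test happens to use the reference after the owner is dropped.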

Paper Structure (64 sections, 2 equations, 8 figures, 6 tables, 1 algorithm)

Figures (8)

  • Figure 1: Ownership and Borrowing. The color of an identifier indicates the color of the heap region it owns.
  • Figure 2: Lifetimes in Rust.
  • Figure 3: Incorrect lifetime annotations on functions can cause memory safety errors.
  • Figure 4: Motivating example. We calculate borrow lifetimes for each value and look for lifetime bug patterns. The arrows $\longleftrightarrow$ show pairs of values associated with potential violations, and the corresponding rows are shaded in gray. We then use Alias Analysis to filter these violations, leaving only the one shown with a red arrow $\longleftrightarrow$.
  • Figure 5: Yuga workflow.