Auditing Rust Crates Effectively

TL;DR

The paper addresses the challenge of auditing third-party Rust crates by proposing Cargo Scan, an interactive tool that models potentially dangerous operations as effects and tracks them across function, crate, and dependency boundaries. It introduces an effect model with Unsafe, System, and Higher-Order categories, an AST-based analysis (augmented by rust-analyzer) to annotate effects, safety annotations (safe, unsafe, caller-checked), and a VSCode-based interactive workflow for auditing. The empirical evaluation demonstrates that a large fraction of crates are harmless, most effects are concentrated in a small subset, and context-sensitive effects are common, while Cargo Scan substantially reduces audit effort (e.g., median 0.2% of lines in a hyper audit) and provides scalable cross-package auditing through default audits. The approach offers practical impact by enabling efficient, composable audits across the Rust ecosystem, without requiring a full manual review of every line of code, thereby improving supply-chain security for Rust crates.

Abstract

We introduce Cargo Scan, the first interactive program analysis tool designed to help developers audit third-party Rust code. Real systems written in Rust rely on thousands of transitive dependencies. These dependencies are as dangerous in Rust as they are in other languages (e.g., C or JavaScript) -- and auditing these dependencies today means manually inspecting every line of code. Unlike for most industrial languages, though, we can take advantage of Rust's type and module system to minimize the amount of code that developers need to inspect to the code that is potentially dangerous. Cargo Scan models such potentially dangerous code as effects and performs a side-effects analysis, tailored to Rust, to identify effects and track them across crate and module boundaries. In most cases (69.2%) developers can inspect flagged effects and decide whether the code is potentially dangerous locally. In some cases, however, the safety of an effect depends on the calling context -- how a function is called, potentially by a crate the developer imports later. Hence, Cargo Scan tracks context-dependent information using a call-graph, and collects audit results into composable and reusable audit files. In this paper, we describe our experience auditing Rust crates with Cargo Scan. In particular, we audit the popular client and server HTTP crate, hyper, and all of its dependencies; our experience shows that Cargo Scan can reduce the auditing burden of potentially dangerous code to a median of 0.2% of lines of code when compared to auditing whole crates. Looking at the Rust ecosystem more broadly, we find that Cargo Scan can automatically classify ~3.5K of the top 10K crates on crates.io as safe; of the crates that do require manual inspection, we find that most of the potentially dangerous side-effects are concentrated in roughly 3% of these crates.

Figures (6)

• Figure 1: Interactive auditing with Cargo Scan in VSCode.
• Figure 2: Cargo Scan overview.
• Figure 3: Distribution of top 10K crates by number of effects.
• Figure 4: Distribution of side effects by type.
• Figure 5: Probability density function for the percentage of code audited. The bars correspond to the number of packages whose percentage code audited is in the range $(x-5, x]$ (e.g., in the range $(0\%, 5\%]$).