Rust is an emerging programming language that aims to prevent memory-safety bugs. However, the current design of Rust also has side effects that may increase the risk of dangling pointers. In particular, it employs OBRM (ownership-based resource management) and enforces automatic deallocation of unused resources based on a static lifetime inference mechanism. It may therefore falsely reclaim memory and lead to use-after-free or double-free issues. In this paper, we study the problem of false memory deallocation and propose SafeDrop, a static path-sensitive data-flow analysis approach to detect such bugs. Our approach analyzes each public API of a Rust crate iteratively by traversing the control-flow graph and extracting all aliases of each data flow. To guarantee precision and scalability, we leverage Tarjan's algorithm to achieve scalable path-sensitive analysis, and a cache-based strategy to achieve efficient inter-procedural analysis. Our experimental results show that our approach can successfully detect all existing CVEs of such issues with a limited number of false positives. The analysis overhead ranges from 4.4% to 87.2% in comparison with the original program compilation time. We further apply our tool to several real-world Rust crates and find 15 previously-unknown bugs in nine crates.
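The false-deallocation hazard the abstract describes, as an added Rust example that is not part of the paper or the SafeDrop tool (the function `take_replace` and its names are hypothetical): an unsafe `ptr::read` creates a second owner of a heap buffer, and the compiler's automatically inserted drop on a plain assignment would then reclaim memory that is still aliased.

```rust
use std::ptr;

/// Moves the owned payload out of `slot` and installs `new` in its place,
/// using raw reads/writes instead of `std::mem::replace` (constructed
/// example of the aliasing pattern behind many Rust double-free bugs).
fn take_replace(slot: &mut String, new: String) -> String {
    // `ptr::read` bitwise-copies the String out of `slot`. From here on,
    // `old` and `*slot` both own the same heap buffer: an alias the
    // compiler's ownership model does not know about.
    let old = unsafe { ptr::read(slot) };

    // BUG VARIANT (do not use): `*slot = new;` would make the compiler run
    // the destructor of the value previously in `*slot` before storing
    // `new`. That automatic deallocation frees the buffer `old` still
    // points at, so returning `old` is a use-after-free and dropping it
    // later is a double free. This is exactly the "false deallocation"
    // that a path-sensitive alias analysis such as SafeDrop looks for.

    // FIX: `ptr::write` overwrites `*slot` WITHOUT running a destructor, so
    // the stale alias is retired and the buffer keeps exactly one owner.
    unsafe { ptr::write(slot, new) };
    old
}

fn main() {
    let mut s = String::from("alpha");
    let old = take_replace(&mut s, String::from("beta"));
    println!("old = {old}, slot = {s}");
}
```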