SBD: Securing safe rust automatically from unsafe rust

IF 1.5 | Zone 4 (Computer Science) | Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING
Shaowen Li, Hiroyuki Sato
DOI: 10.1016/j.scico.2025.103281
Journal: Science of Computer Programming, volume 243, Article 103281
Published: 2025-02-19 (Journal Article)
URL: https://www.sciencedirect.com/science/article/pii/S0167642325000206
Citations: 0

Abstract

System programming expects programmers to have fine control over available resources to ensure both the correctness and efficiency of the system. Programming languages designed for this type of task provide little abstraction of the underlying hardware. With greater power to interact directly with the machine comes greater responsibility for programmers to manage the hardware themselves to avoid any undefined behavior. C and C++ have been the long-standing de facto languages in this field as they offer both the programming experience of a modern language and the ability to manipulate low-level resources with the abstraction of pointers. However, this responsibility is demanding for programmers, leading to numerous bugs caused by improper resource management.
Rust is a rising system programming language aiming to combine both low-level resource manipulation and high-level resource management. The design philosophy of Rust is to make the compiler play a vital role in resource management. A set of static analyses unique to Rust is performed at compile time to ensure resources are handled correctly without runtime cost. Nevertheless, static analysis is inherently conservative, and Rust addresses this by providing a feature called unsafe Rust, which is exempt from its strict static checks. Various unsafe operations, such as raw pointer dereferencing and foreign function calls, are only permitted within an unsafe code block. This is essential to make the language sufficiently expressive. Nonetheless, Rust's unsafe block only matters statically for type checking, without any runtime assurance. As a consequence, the effects of unsafe operations within an unsafe block can spread to the outside safe code and jeopardize its safety.
We present Safety Block Division (SBD), a completely automatic solution to isolate safe Rust from unsafe Rust. The fundamental design of SBD is its safety data-flow analysis performed on Rust intermediate representation (IR) to fully incorporate language features. This distinguishes SBD from previous works. Past designs primarily operate on LLVM IR and require manual efforts or external tools. SBD is entirely built into the Rust compiler, and thus no programmer involvement is required. We extensively evaluate SBD on popular Rust crates (libraries). Our experiments reveal that SBD incurs negligible binary size (0.31% increase on average) and runtime (a geometric mean of 7.52% increase across eight benchmarks) overhead. We also demonstrate that SBD is capable of protecting against real-world vulnerabilities.
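The abstract's central point is that an unsafe block is only a compile-time marker: nothing at runtime stops its effects from leaking into safe code that relies on an invariant. The following Rust program is an added illustration written for this page; it is not code from the paper and does not reproduce the SBD implementation. It assumes a toy type `Even` whose invariant ("the value is even") is trusted by the safe method `half`, a hypothetical raw routine `raw_fill` standing in for an FFI callee, and a hand-written boundary check `guarded_update` that plays the role of the runtime isolation SBD would insert automatically. The `#[repr(transparent)]` layout keeps the pointer cast well-defined, so the corruption shown is a logical invariant violation, not memory-unsafe behaviour.

```rust
// Added illustration (not from the paper or SBD): an unsafe block silently
// breaking an invariant that safe code depends on, and a boundary check that
// confines the damage.
use std::ptr;

/// Invariant: the wrapped value is always even. Safe code relies on this.
#[repr(transparent)]
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct Even(u32);

impl Even {
    /// The only safe constructor; rejects odd values.
    pub fn new(v: u32) -> Option<Even> {
        if v % 2 == 0 { Some(Even(v)) } else { None }
    }

    /// Safe code that assumes the invariant: exact halving, no rounding.
    pub fn half(&self) -> u32 {
        self.0 / 2
    }

    /// Runtime check of the invariant, meant to run after any unsafe region
    /// that could have touched this value (hypothetical SBD-style boundary check).
    pub fn validate(&self) -> Result<(), String> {
        if self.0 % 2 == 0 {
            Ok(())
        } else {
            Err(format!("invariant broken: {} is odd", self.0))
        }
    }
}

/// Stand-in for a low-level routine (e.g. an FFI callee) that writes a raw u32
/// into caller-provided memory and knows nothing about the Even invariant.
///
/// # Safety
/// `dst` must be valid and writable for a `u32`.
unsafe fn raw_fill(dst: *mut u32, value: u32) {
    ptr::write(dst, value)
}

/// Unsafe region that hands the private field to raw code. The block
/// type-checks, but nothing stops it from breaking the invariant that safe
/// code outside the block depends on.
pub fn leaky_update(e: &mut Even, value: u32) {
    // repr(transparent) makes the cast to the single field well-defined.
    let p = e as *mut Even as *mut u32;
    // SAFETY: p points at a live, exclusively borrowed u32.
    unsafe { raw_fill(p, value) }
}

/// The same operation with the invariant re-established at the boundary:
/// the caller gets an error and the original value instead of a corrupted one.
pub fn guarded_update(e: &mut Even, value: u32) -> Result<(), String> {
    let backup = *e;
    leaky_update(e, value);
    if let Err(msg) = e.validate() {
        *e = backup; // roll back so safe code never observes the broken state
        return Err(msg);
    }
    Ok(())
}

fn main() {
    let mut a = Even::new(8).unwrap();
    leaky_update(&mut a, 7);
    println!("leaky:   value={:?} half={} valid={:?}", a, a.half(), a.validate());

    let mut b = Even::new(8).unwrap();
    let r = guarded_update(&mut b, 7);
    println!("guarded: value={:?} result={:?}", b, r);
}
```

After `leaky_update`, every safe caller of `half` silently gets a rounded result although no safe code was changed; `guarded_update` shows the shape of the remedy the paper automates, a check at the point where data flows from the unsafe region back into safe code.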
Source journal: Science of Computer Programming (Engineering and Technology - Computer Science: Software Engineering)
CiteScore: 3.80
Self-citation rate: 0.00%
Articles published: 76
Review time: 67 days
Journal description: Science of Computer Programming is dedicated to the distribution of research results in the areas of software systems development, use and maintenance, including the software aspects of hardware design. The journal has a wide scope ranging from the many facets of methodological foundations to the details of technical issues and the aspects of industrial practice. The subjects of interest to SCP cover the entire spectrum of methods for the entire life cycle of software systems, including:
• Requirements, specification, design, validation, verification, coding, testing, maintenance, metrics and renovation of software;
• Design, implementation and evaluation of programming languages;
• Programming environments, development tools, visualisation and animation;
• Management of the development process;
• Human factors in software, software for social interaction, software for social computing;
• Cyber physical systems, and software for the interaction between the physical and the machine;
• Software aspects of infrastructure services, system administration, and network management.