Abstract
Type-safe languages improve application safety by eliminating whole classes of vulnerabilities–such as buffer overflows–by construction. However, this safety sometimes comes with a performance cost. As a result, many modern type-safe languages provide escape hatches that allow developers to manually bypass them. The relative value of performance to safety and the degree of performance obtained depends upon the application context, including user goals and the hardware upon which the application is to be executed. Since libraries may be used in many different contexts, library developers cannot make safety-performance trade-off decisions appropriate for all cases. Application developers can tune libraries themselves to increase safety or performance, but this requires extra effort and makes libraries less reusable. To address this problem, we present NADER, a Rust development tool that makes applications safer by automatically transforming unsafe code into equivalent safe code according to developer preferences and application context. In end-to-end system evaluations in a given context, NADER automatically reintroduces numerous library bounds checks, in many cases making application code that uses popular Rust libraries safer with no corresponding loss in performance.
Supplemental Material
- P. Akritidis, C. Cadar, C. Raiciu, M. Costa, and M. Castro. 2008. Preventing Memory Error Exploits with WIT. In 2008 IEEE Symposium on Security and Privacy (sp 2008). 263–277. https://doi.org/10.1109/SP.2008.30 Google Scholar
Digital Library
- Periklis Akritidis, Manuel Costa, Miguel Castro, and Steven Hand. 2009. Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense Against Out-of-Bounds Errors. In 18th USENIX Security Symposium (USENIX Security ’09) (18th usenix security symposium (usenix security ’09) ed.). USENIX. https://www.microsoft.com/en-us/research/publication/baggy-bounds-checking-an-efficient-and-backwards-compatible-defense-against-out-of-bounds-errors/ Google Scholar
Digital Library
- Jyrki Alakuijala, Andrea Farruggia, Paolo Ferragina, Eugene Kliuchnikov, Robert Obryk, Zoltan Szabadka, and Lode Vandevenne. 2019. Brotli: A General-Purpose Data Compressor. ACM Transactions on Information Systems, 37, 1 (2019), Jan., 1–30. issn:1046-8188, 1558-2868 https://doi.org/10.1145/3231935 Google Scholar
Digital Library
- Apple. 2021. Swift Programming Language. https://swift.org/ [Online; accessed April-2021].Google Scholar
- Vytautas Astrauskas, Christoph Matheja, Federico Poli, Peter Müller, and Alexander J. Summers. 2020. How Do Programmers Use Unsafe Rust? Proc. ACM Program. Lang., 4, OOPSLA (2020), Article 136, Nov., 27 pages. https://doi.org/10.1145/3428204 Google Scholar
Digital Library
- AWS. 2021. Firecracker. https://firecracker-microvm.github.io/ [Online; accessed April-2021].Google Scholar
- BLAKE3 Team. 2021. BLAKE3. https://github.com/BLAKE3-team/BLAKE3 [Online; accessed April-2021].Google Scholar
- Rastislav Bodík, Rajiv Gupta, and Vivek Sarkar. 2000. ABCD: Eliminating Array Bounds Checks on Demand. In Proceedings of the ACM SIGPLAN 2000 Conference on Programming Language Design and Implementation (PLDI ’00). Association for Computing Machinery, New York, NY, USA. 321–333. isbn:1581131992 https://doi.org/10.1145/349299.349342 Google Scholar
Digital Library
- Cloudflare. 2021. Boring Tun. https://github.com/cloudflare/boringtun [Online; accessed April-2021].Google Scholar
- Cloudflare. 2021. quiche. https://github.com/cloudflare/quiche [Online; accessed April-2021].Google Scholar
- Charlie Curtsinger and Emery D. Berger. 2018. Coz: Finding Code That Counts with Causal Profiling. Commun. ACM, 61, 6 (2018), May, 91–99. issn:0001-0782 https://doi.org/10.1145/3205911 Google Scholar
Digital Library
- S Deorowicz. 2003. Silesia Compression Corpus. Silesian University of Technology, Poland.Google Scholar
- Dinakar Dhurjati, Sumant Kowshik, and Vikram Adve. 2006. SAFECode: Enforcing Alias Analysis for Weakly Typed Languages. In Proceedings of the 27th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’06). Association for Computing Machinery, New York, NY, USA. 144–157. isbn:1595933204 https://doi.org/10.1145/1133981.1133999 Google Scholar
Digital Library
- Diesel Team. 2021. DIESEL: A safe, extensible ORM and Query Builder for Rust. https://github.com/diesel-rs/diesel [Online; accessed April-2021].Google Scholar
- Alan A.A. Donovan and Brian W. Kernighan. 2015. The Go Programming Language (1st ed.). Addison-Wesley Professional. isbn:0134190440 Google Scholar
Digital Library
- Dropbox. 2020. Dropbox/Rust-Brotli-Decompressor. https://github.com/google/brotliGoogle Scholar
- Zakir Durumeric, Frank Li, James Kasten, Johanna Amann, Jethro Beekman, Mathias Payer, Nicolas Weaver, David Adrian, Vern Paxson, Michael Bailey, and J. Alex Halderman. 2014. The Matter of Heartbleed. In Proceedings of the 2014 Conference on Internet Measurement Conference (IMC ’14). Association for Computing Machinery, New York, NY, USA. 475–488. isbn:9781450332132 https://doi.org/10.1145/2663716.2663755 Google Scholar
Digital Library
- Ana Nora Evans, Bradford Campbell, and Mary Lou Soffa. 2020. Is Rust Used Safely by Software Developers? In Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering (ICSE ’20). Association for Computing Machinery, New York, NY, USA. 246–257. isbn:9781450371216 https://doi.org/10.1145/3377811.3380413 Google Scholar
Digital Library
- fnm Team. 2021. Fast Node Manager. https://github.com/Schniz/fnm [Online; accessed April-2021].Google Scholar
- Google. 2021. FlatBuffers. https://google.github.io/flatbuffers/ [Online; accessed April-2021].Google Scholar
- Rajiv Gupta. 1993. Optimizing Array Bound Checks Using Flow Analysis. ACM Lett. Program. Lang. Syst., 2, 1–4 (1993), March, 135–150. issn:1057-4514 https://doi.org/10.1145/176454.176507 Google Scholar
Digital Library
- Hyperium. 2021. Tonic. https://github.com/hyperium/tonic [Online; accessed April-2021].Google Scholar
- InfluxData. 2021. Flux - Influx data language. https://github.com/influxdata/flux [Online; accessed April-2021].Google Scholar
- Iron Team. 2021. Iron. https://github.com/iron/iron [Online; accessed April-2021].Google Scholar
- Ralf Jung, Jacques-Henri Jourdan, Robbert Krebbers, and Derek Dreyer. 2017. RustBelt: Securing the foundations of the Rust programming language. Proceedings of the ACM on Programming Languages, 2, POPL (2017), 1–34. Google Scholar
Digital Library
- Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom. 2019. Spectre Attacks: Exploiting Speculative Execution. In 40th IEEE Symposium on Security and Privacy (S&P’19).Google Scholar
- Priyadarshan Kolte and Michael Wolfe. 1995. Elimination of Redundant Array Subscript Range Checks. In Proceedings of the ACM SIGPLAN 1995 Conference on Programming Language Design and Implementation (PLDI ’95). Association for Computing Machinery, New York, NY, USA. 270–278. isbn:0897916972 https://doi.org/10.1145/207110.207160 Google Scholar
Digital Library
- Chinmay Kulkarni, Sara Moore, Mazhar Naqvi, Tian Zhang, Robert Ricci, and Ryan Stutsman. 2018. Splinter: Bare-Metal Extensions for Multi-Tenant Low-Latency Storage. In 13th USENIX Symposium on Operating Systems Design and Implementation (OSDI 18). USENIX Association, Carlsbad, CA. 627–643. isbn:978-1-939133-08-3 https://www.usenix.org/conference/osdi18/presentation/kulkarni Google Scholar
Digital Library
- Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg. 2018. Meltdown: Reading Kernel Memory from User Space. In 27th USENIX Security Symposium (USENIX Security 18). Google Scholar
Digital Library
- Nicholas D. Matsakis and Felix S. Klock. 2014. The Rust Language. Ada Lett., 34, 3 (2014), Oct., 103–104. issn:1094-3641 https://doi.org/10.1145/2692956.2663188 Google Scholar
Digital Library
- Frank McSherry, Michael Isard, and Derek G. Murray. 2015. Scalability! But at what COST? In 15th Workshop on Hot Topics in Operating Systems (HotOS XV). USENIX Association, Kartause Ittingen, Switzerland. https://www.usenix.org/conference/hotos15/workshop-program/presentation/mcsherry Google Scholar
Digital Library
- Mozilla. 2021. Gecko. https://developer.mozilla.org/en-US/docs/Mozilla/Gecko [Online; accessed April-2021].Google Scholar
- Santosh Nagarakatte, Jianzhou Zhao, Milo M.K. Martin, and Steve Zdancewic. 2009. SoftBound: Highly Compatible and Complete Spatial Memory Safety for c. In Proceedings of the 30th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’09). Association for Computing Machinery, New York, NY, USA. 245–258. isbn:9781605583921 https://doi.org/10.1145/1542476.1542504 Google Scholar
Digital Library
- OpenSSL. 2021. OpenSSL. https://www.openssl.org/ [Online; accessed April-2021].Google Scholar
- Aurojit Panda, Sangjin Han, Keon Jang, Melvin Walls, Sylvia Ratnasamy, and Scott Shenker. 2016. NetBricks: Taking the V out of NFV. In 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16). USENIX Association, Savannah, GA. 203–216. isbn:978-1-931971-33-1 https://www.usenix.org/conference/osdi16/technical-sessions/presentation/panda Google Scholar
Digital Library
- Jason R. C. Patterson. 1995. Accurate Static Branch Prediction by Value Range Propagation. In Proceedings of the ACM SIGPLAN 1995 Conference on Programming Language Design and Implementation (PLDI ’95). Association for Computing Machinery, New York, NY, USA. 67–78. isbn:0897916972 https://doi.org/10.1145/207110.207117 Google Scholar
Digital Library
- Feng Qian, Laurie Hendren, and Clark Verbrugge. 2002. A comprehensive approach to array bounds check elimination for Java. In International Conference on Compiler Construction. 325–341. Google Scholar
Digital Library
- Boqin Qin, Yilun Chen, Zeming Yu, Linhai Song, and Yiying Zhang. 2020. Understanding memory and thread safety practices and issues in real-world Rust programs. 763–779. https://doi.org/10.1145/3385412.3386036 Google Scholar
Digital Library
- rage Team. 2021. rage. https://github.com/str4d/rage [Online; accessed April-2021].Google Scholar
- Radu Rugina and Martin Rinard. 1999. Automatic Parallelization of Divide and Conquer Algorithms. In In Proceedings of the 7th ACM SIGPLAN Symposium on Principles and Practice of Parallel Programming. 72–83. Google Scholar
Digital Library
- Rust Graphics Mages. 2021. gfx. https://github.com/gfx-rs/gfx [Online; accessed April-2021].Google Scholar
- Rust Language Team. 2021. Unsafe Rust. https://doc.rust-lang.org/book/ch19-01-unsafe-rust.html. [Online; accessed April-2021].Google Scholar
- RustPython Team. 2021. RustPython. https://github.com/RustPython/RustPython [Online; accessed April-2021].Google Scholar
- Olatunji Ruwase and Monica S Lam. 2004. A Practical Dynamic Buffer Overflow Detector. In NDSS. 2004, 159–169.Google Scholar
- Servo Project Developers. 2021. Servo project. https://servo.org/ [Online; accessed April-2021].Google Scholar
- Sonic Team. 2021. Sonic. https://github.com/valeriansaliou/sonic [Online; accessed April-2021].Google Scholar
- swc Team. 2021. swc. https://github.com/swc-project/swc [Online; accessed April-2021].Google Scholar
- tantivy Team. 2021. tantivy. https://github.com/tantivy-search/tantivy [Online; accessed April-2021].Google Scholar
- David Terei, Simon Marlow, Simon Peyton Jones, and David Mazières. 2012. Safe Haskell. SIGPLAN Not., 47, 12 (2012), Sept., 137–148. issn:0362-1340 https://doi.org/10.1145/2430532.2364524 Google Scholar
Digital Library
- TiKV Project. 2021. TiKV. https://github.com/tikv/tikv [Online; accessed April-2021].Google Scholar
- Timber. 2021. Vector. https://github.com/timberio/vector [Online; accessed April-2021].Google Scholar
- J. Wagner, V. Kuznetsov, G. Candea, and J. Kinder. 2015. High System-Code Security with Low Overhead. In 2015 IEEE Symposium on Security and Privacy. 866–879. https://doi.org/10.1109/SP.2015.58 Google Scholar
Digital Library
- Warp Team. 2021. warp. https://github.com/seanmonstar/warp [Online; accessed April-2021].Google Scholar
- Wasmer. 2021. Wasmer. https://wasmer.io/ [Online; accessed April-2021].Google Scholar
- Josef Weidendorfer, Markus Kowarschik, and Carsten Trinitis. 2004. A tool suite for simulation based analysis of memory access behavior. In International Conference on Computational Science. 440–447.Google Scholar
Cross Ref
- wrk Project. 2021. wrk. https://github.com/wg/wrk [Online; accessed April-2021].Google Scholar
- Thomas Würthinger, Christian Wimmer, and Hanspeter Mössenböck. 2007. Array bounds check elimination for the Java HotSpot™ client compiler. In Proceedings of the 5th international symposium on Principles and practice of programming in Java. 125–133. Google Scholar
Digital Library
- Xu Zhao, Kirk Rodrigues, Yu Luo, Michael Stumm, Ding Yuan, and Yuanyuan Zhou. 2017. Log20: Fully Automated Optimal Placement of Log Printing Statements under Specified Overhead Threshold. In Proceedings of the 26th Symposium on Operating Systems Principles (SOSP ’17). Association for Computing Machinery, New York, NY, USA. 565–581. isbn:9781450350853 https://doi.org/10.1145/3132747.3132778 Google Scholar
Digital Library
- Zola Team. 2021. zola. https://github.com/getzola/zola [Online; accessed April-2021].Google Scholar
Index Terms
Safer at any speed: automatic context-aware safety enhancement for Rust
Recommendations
SyRust: automatic testing of Rust libraries with semantic-aware program synthesis
PLDI 2021: Proceedings of the 42nd ACM SIGPLAN International Conference on Programming Language Design and ImplementationRust’s type system ensures the safety of Rust programs; however, programmers can side-step some of the strict typing rules by using the unsafe keyword. A common use of unsafe Rust is by libraries. Bugs in these libraries undermine the safety of the ...
Translating C to safer Rust
Rust is a relatively new programming language that targets efficient and safe systems-level applications. It includes a sophisticated type system that allows for provable memory- and thread-safety, and is explicitly designed to take the place of unsafe ...
How do programmers use unsafe rust?
Rust’s ownership type system enforces a strict discipline on how memory locations are accessed and shared. This discipline allows the compiler to statically prevent memory errors, data races, inadvertent side effects through aliasing, and other errors ...






Comments