Rust, an emerging programming language with explosive growth, provides a robust type system that enables programmers to write memory-safe and data-race-free code. To allow access to a machine’s hardware and to support low-level performance optimizations, a second language, Unsafe Rust, is embedded in Rust. It contains support for operations that are difficult to statically check, such as C-style pointers for access to arbitrary memory locations and mutable global variables. When a program uses these features, the compiler is unable to statically guarantee the safety properties Rust promotes. In this work, we perform a large-scale empirical study to explore how software developers are using Unsafe Rust in real-world Rust libraries and applications. Our results indicate that software engineers use the keyword unsafe in less than 30% of Rust libraries, but more than 75% cannot be entirely statically checked by the Rust compiler because of Unsafe Rust hidden somewhere in a library’s call chain. We conclude that although the use of the keyword unsafe is limited, the propagation of unsafeness offers a challenge to the claim of Rust as a memory-safe language. Furthermore, we recommend changes to the Rust compiler and to the central Rust repository’s interface to help Rust software developers be aware of when their Rust code is unsafe.
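The gap between direct use of unsafe and unsafe reached through a call chain can be shown on a small call graph. The following is an added illustration, not the authors' tooling or method; the graph, the function names and both helper functions are constructed for this example.

```rust
use std::collections::{HashMap, HashSet};

/// Constructed call graph: name -> (contains an `unsafe` block?, callees).
/// All function names are hypothetical.
type Graph<'a> = HashMap<&'a str, (bool, Vec<&'a str>)>;

fn sample_graph() -> Graph<'static> {
    HashMap::from([
        ("app::main", (false, vec!["app::parse", "lib_a::load"])),
        ("app::parse", (false, vec![])),
        ("lib_a::load", (false, vec!["lib_b::read_raw"])),
        ("lib_b::read_raw", (true, vec![])), // the only function writing `unsafe`
        ("lib_c::ping", (false, vec!["lib_c::pong"])), // call cycle, never unsafe
        ("lib_c::pong", (false, vec!["lib_c::ping"])),
    ])
}

/// Functions that contain the `unsafe` keyword themselves.
fn directly_unsafe<'a>(g: &Graph<'a>) -> HashSet<&'a str> {
    g.iter().filter(|(_, (u, _))| *u).map(|(n, _)| *n).collect()
}

/// Functions that reach `unsafe` through any call chain.
/// Fixed-point iteration, so call cycles terminate.
fn transitively_unsafe<'a>(g: &Graph<'a>) -> HashSet<&'a str> {
    let mut tainted = directly_unsafe(g);
    loop {
        let before = tainted.len();
        for (name, (_, callees)) in g {
            if callees.iter().any(|c| tainted.contains(c)) {
                tainted.insert(*name);
            }
        }
        if tainted.len() == before {
            return tainted;
        }
    }
}

fn main() {
    let g = sample_graph();
    let mut reach: Vec<_> = transitively_unsafe(&g).into_iter().collect();
    reach.sort();
    println!("direct: {}, transitive: {:?}", directly_unsafe(&g).len(), reach);
}
```

In the constructed graph only one function writes unsafe, yet every caller above it, including the application entry point, is outside what the compiler can check on its own.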
Thu 9 Jul (displayed time zone: UTC, Coordinated Universal Time)
01:05 - 02:05 | P16-Security and Learning | Technical Papers / Journal First at Baekje
Chair(s): Lingming Zhang (The University of Texas at Dallas)

01:05 | 12m | Talk | Software Visualization and Deep Transfer Learning for Effective Software Defect Prediction | Technical Papers
Jinyin Chen (College of Information Engineering, Zhejiang University of Technology, Hangzhou 310023, China); Keke Hu (College of Information Engineering, Zhejiang University of Technology, Hangzhou 310023, China); Yue Yu (College of Computer, National University of Defense Technology, Changsha 410073, China); Zhuangzhi Chen (College of Information Engineering, Zhejiang University of Technology, Hangzhou 310023, China); Qi Xuan (Institute of Cyberspace Security, Zhejiang University of Technology, Hangzhou 310023, China); Yi Liu (Institute of Process Equipment and Control Engineering, Zhejiang University of Technology, Hangzhou 310023, China); Vladimir Filkov (University of California at Davis, USA)

01:17 | 8m | Talk | Easy-to-Deploy API Extraction by Multi-Level Feature Embedding and Transfer Learning | Journal First
Suyu Ma (Monash University); Zhenchang Xing (Australia National University); Chunyang Chen (Monash University); Cheng Chen (PricewaterhouseCoopers Firm); Lizhen Qu (Monash University); Guoqiang Li (Shanghai Jiao Tong University)

01:25 | 12m | Talk | How Does Misconfiguration of Analytic Services Compromise Mobile Privacy? | Technical Papers
Xueling Zhang (University of Texas at San Antonio); Xiaoyin Wang (University of Texas at San Antonio, USA); Rocky Slavin (University of Texas at San Antonio); Travis Breaux (Carnegie Mellon University); Jianwei Niu (University of Texas at San Antonio)

01:37 | 12m | Talk | Securing UnSafe Rust Programs with XRust | Technical Papers

01:49 | 12m | Talk | Is Rust Used Safely by Software Developers? | Technical Papers
Ana Nora Evans (University of Virginia, USA); Bradford Campbell (University of Virginia); Mary Lou Soffa (University of Virginia)