Is unsafe an Achilles' Heel? A Comprehensive Study of Safety Requirements in Unsafe Rust Programming
Rust is an emerging, strongly-typed programming language focusing on efficiency and memory safety. With increasing projects adopting Rust, knowing how to use Unsafe Rust is crucial for Rust security. We observed that the description of safety requirements needs to be unified in Unsafe Rust programming. Current unsafe API documents in the standard library exhibited variations, including inconsistency and insufficiency. To enhance Rust security, we suggest unsafe API documents to list systematic descriptions of safety requirements for users to follow.
In this paper, we conducted the first comprehensive empirical study on safety requirements across unsafe boundaries. We studied unsafe API documents in the standard library and defined 19 safety properties (SP). We then completed the data labeling on 416 unsafe APIs while analyzing their correlation to find interpretable results. To validate the practical usability and SP coverage, we categorized existing Rust CVEs until 2023-07-08 and performed a statistical analysis of std unsafe API usage toward the crates.io ecosystem. In addition, we conducted a user survey to gain insights into four aspects from experienced Rust programmers. We finally received 50 valid responses and confirmed our classification with statistical significance.
Fri 19 AprDisplayed time zone: Lisbon change
11:00 - 12:30 | Analysis 3Research Track / Demonstrations / Software Engineering Education and Training at Almada Negreiros Chair(s): Dalal Alrajeh Imperial College London | ||
11:00 15mTalk | LibAlchemy: A Two-Layer Persistent Summary Design for Taming Third-Party Libraries in Static Bug-Finding Systems Research Track Rongxin Wu School of Informatics, Xiamen University, Yuxuan He School of Informatics, Xiamen University, Jiafeng Huang School of Informatics, Xiamen University, Chengpeng Wang The Hong Kong University of Science and Technology, Wensheng Tang The Hong Kong University of Science and Technology, Qingkai Shi Nanjing University, Xiao Xiao Ant Group, Charles Zhang The Hong Kong University of Science and Technology Pre-print | ||
11:15 15mTalk | Is unsafe an Achilles' Heel? A Comprehensive Study of Safety Requirements in Unsafe Rust Programming Research Track Mohan Cui Fudan University, Mohan Cui Fudan University, Shuran Sun Fudan University, Hui Xu Fudan University, Yangfan Zhou Fudan University | ||
11:30 15mTalk | Unveiling Hurdles in Software Engineering Education: The Role of Learning Management Systems Software Engineering Education and Training Niklas Meissner University of Stuttgart, Nadine Koch University of Stuttgart, Sandro Speth Institute of Software Engineering, University of Stuttgart, Uwe Breitenbücher Reutlingen University, Steffen Becker University of Stuttgart DOI File Attached | ||
11:45 15mTalk | Training for Security: Results from Using a SAT in the Development Pipeline of Web Apps Software Engineering Education and Training Sabato Nocera Department of Computer Science, University of Salerno, Simone Romano University of Salerno, Rita Francese University of Salerno, Giuseppe Scanniello University of Salerno | ||
12:00 7mTalk | Refinery: Graph Solver as a Service Demonstrations Kristóf Marussy Budapest University of Technology and Economics, Attila Ficsor Budapest University of Technology and Economics, Oszkár Semeráth Budapest University of Technology and Economics, Daniel Varro Linköping University / McGill University DOI Pre-print Media Attached | ||
12:07 7mTalk | (Neo4j)^ Browser: Visualizing Variable-Aware Analysis Results Demonstrations Rafael F. Toledo University of Waterloo, Joanne M. Atlee University of Waterloo, Rui Ming Xiong University of Waterloo, Mingyu Liu University of Waterloo DOI Media Attached | ||