TL;DR
This paper investigates the prevalence of unsafe Go code in popular open-source projects, analyzes usage patterns, and introduces go-safer, a static analysis tool to detect dangerous unsafe code practices.
Contribution
It provides the first large-scale analysis of unsafe Go code usage and introduces go-safer, a novel tool for detecting unsafe patterns that could lead to vulnerabilities.
Findings
38% of top projects contain unsafe code
91% have unsafe code in the project itself or in its transitive dependencies
go-safer detects previously undetected unsafe patterns
Abstract
The Go programming language aims to provide memory and thread safety through measures such as automated memory management with garbage collection and a strict type system. However, it also offers a way of circumventing this safety net through the use of the unsafe package. While there are legitimate use cases for unsafe, developers must exercise caution to avoid introducing vulnerabilities like buffer overflows or memory corruption in general. Using go-geiger, we conducted a study on the usage of unsafe in the top 500 most popular open-source Go projects on GitHub, including a manual analysis of 1,400 code samples on how unsafe is used. From the projects using Go's module system, 38% directly contain at least one unsafe usage, and 91% contain at least one unsafe usage in the project itself or one of its transitive dependencies. Based on the usage patterns found, we present possible…
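As an added illustration of the measurement behind the study above (this is example code, not the authors' go-geiger or go-safer), the function below parses one Go source file and tallies every reference to the unsafe package by selected name, honouring import aliases; the sample file it scans is constructed for the example.

```go
package main

import (
	"go/ast"
	"go/parser"
	"go/token"
)

// Constructed sample file (not from any real project): one unsafe.Pointer
// cast and one unsafe.Sizeof call, the kinds of uses such a count tallies.
const sample = `package demo

import "unsafe"

func bytesToString(b []byte) string { return *(*string)(unsafe.Pointer(&b)) }
func wordSize() uintptr            { return unsafe.Sizeof(uintptr(0)) }
`

// CountUnsafe parses one Go source file and counts every selector that
// references the unsafe package, keyed as "unsafe.<Name>". A file that does
// not import "unsafe", or imports it only as _ (go:linkname), yields an
// empty map; a dot-import is skipped since its selectors carry no prefix.
func CountUnsafe(filename, src string) (map[string]int, error) {
	f, err := parser.ParseFile(token.NewFileSet(), filename, src, 0)
	if err != nil {
		return nil, err
	}
	counts := map[string]int{}
	local := "" // local name of the unsafe import, honouring aliases
	for _, imp := range f.Imports {
		if imp.Path.Value == `"unsafe"` {
			local = "unsafe"
			if imp.Name != nil {
				local = imp.Name.Name
			}
		}
	}
	if local == "" || local == "_" || local == "." {
		return counts, nil
	}
	ast.Inspect(f, func(n ast.Node) bool {
		if sel, ok := n.(*ast.SelectorExpr); ok {
			if id, ok := sel.X.(*ast.Ident); ok && id.Name == local {
				counts["unsafe."+sel.Sel.Name]++
			}
		}
		return true
	})
	return counts, nil
}
```

Running it over every file of a module and its dependency tree is what turns these per-file counts into the project-level and transitive figures reported above.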