Unsafe's Betrayal: Abusing Unsafe Rust in Binary Reverse Engineering via Machine Learning

TL;DR

This paper introduces a machine learning-based tool to identify unsafe code in Rust binaries, aiding in reverse engineering and bug detection, and demonstrates its effectiveness in recalling memory-safety bugs and improving fuzzing efficiency.

Contribution

The paper presents textttrustspot, a novel machine learning approach for identifying unsafe Rust functions in binaries, enhancing reverse engineering and bug detection capabilities.

Findings

Recalls 92.92% of memory-safety bugs

Covers only 16.79% of binary code

Reduces fuzzing time in targeted analysis

Abstract

Memory-safety bugs introduce critical software-security issues. Rust provides memory-safe mechanisms to avoid memory-safety bugs in programming, while still allowing unsafe escape hatches via unsafe code. However, the unsafe code that enhances the usability of Rust provides clear spots for finding memory-safety bugs in Rust source code. In this paper, we claim that these unsafe spots can still be identifiable in Rust binary code via machine learning and be leveraged for finding memory-safety bugs. To support our claim, we propose the tool textttrustspot, that enables reverse engineering to learn an unsafe classifier that proposes a list of functions in Rust binaries for downstream analysis. We empirically show that the function proposals by textttrustspot can recall $92.92\%$ of memory-safety bugs, while it covers only $16.79\%$ of the entire binary code. As an application, we demonstrate that the function proposals are used in targeted fuzzing on Rust packages, which contribute to reducing the fuzzing time compared to non-targeted fuzzing.