Yuga: Automatically Detecting Lifetime Annotation Bugs in the Rust Language

TL;DR

Yuga is a static analysis tool designed to automatically detect lifetime annotation bugs in Rust, improving security by identifying subtle memory safety issues that existing tools often miss.

Contribution

The paper introduces Yuga, a novel multi-phase static analysis tool that effectively detects lifetime annotation bugs in Rust, supported by curated datasets and empirical validation.

Findings

Yuga achieves high precision in detecting lifetime bugs.

It outperforms existing tools in identifying subtle memory safety issues.

The curated datasets facilitate further research in Rust bug detection.

Abstract

The Rust programming language is becoming increasingly popular among systems programmers due to its efficient performance and robust memory safety guarantees. Rust employs an ownership model to ensure this guarantee by allowing each value to be owned by only one identifier at a time. Additionally, it introduces the concept of borrowing and lifetimes to enable other variables to borrow the values under certain conditions temporarily. Despite its benefits, security vulnerabilities have been reported in Rust projects, often attributed to the use of "unsafe" Rust code. These vulnerabilities, in part, arise from incorrect lifetime annotations on function signatures. However, existing tools fail to detect these bugs, primarily because such bugs are rare, challenging to detect through dynamic analysis, and require explicit memory models. To overcome these limitations, first, we characterize incorrect lifetime annotations as a source of memory safety bugs and leverage this understanding to devise a novel static analysis tool, Yuga, to detect potential lifetime annotation bugs. Yuga uses a multi-phase analysis approach, starting with a quick pattern-matching algorithm to identify potential buggy components and then conducting a flow and field-sensitive alias analysis to confirm the bugs. We also curate new datasets of lifetime annotation bugs. Yuga successfully detects bugs with good precision on these datasets, and we make the code and datasets publicly available for review.