TYPEPULSE: Detecting Type Confusion Bugs in Rust Programs
Hung-Mao Chen, Xu He, Shu Wang, Xiaokuan Zhang, Kun Sun

TL;DR
This paper introduces TYPEPULSE, a static analysis tool designed to detect type confusion bugs in Rust programs, addressing a gap in existing research and improving software security.
Contribution
We develop a novel static analysis approach tailored for Rust to identify type confusion bugs caused by unsafe conversions, which were previously underexplored.
Findings
Detected 71 new type confusion bugs in Rust packages
Received 32 developer confirmations and assigned CVE and RUSTSEC IDs
Outperformed existing bug reports in scope and accuracy
Abstract
Rust supports type conversions and safe Rust guarantees the security of these conversions through robust static type checking and strict ownership guidelines. However, there are instances where programmers need to use unsafe Rust for certain type conversions, especially those involving pointers. Consequently, these conversions may cause severe memory corruption problems. Despite extensive research on type confusion bugs in C/C++, studies on type confusion bugs in Rust are still lacking. Also, due to Rust's new features in the type system, existing solutions in C/C++ cannot be directly applied to Rust. In this paper, we develop a static analysis tool called TYPEPULSE to detect three main categories of type confusion bugs in Rust including misalignment, inconsistent layout, and mismatched scope. TYPEPULSE first performs a type conversion analysis to collect and determine trait bounds for…
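The misalignment category named in the abstract can be made concrete with an added example (not code from the paper or from TYPEPULSE): a checked replacement for the unsafe cast `&*(bytes.as_ptr() as *const T)` that rejects buffers that are too short or misaligned for `T`. The names `view_as`, `CastError`, `AnyBitPattern` and `Aligned` are hypothetical, and the sample buffer is constructed.

```rust
use std::mem::{align_of, size_of};

/// Why a byte buffer cannot be viewed as a `T`.
#[derive(Debug, PartialEq)]
pub enum CastError {
    Misaligned { addr: usize, required: usize },
    TooShort { have: usize, need: usize },
}

/// Hypothetical marker trait: every bit pattern is a valid value of the type.
/// Safety: implement only for padding-free, integer-like types.
pub unsafe trait AnyBitPattern: Copy {}
unsafe impl AnyBitPattern for u16 {}
unsafe impl AnyBitPattern for u32 {}
unsafe impl AnyBitPattern for u64 {}

/// Checked counterpart of `&*(bytes.as_ptr() as *const T)`.
pub fn view_as<T: AnyBitPattern>(bytes: &[u8]) -> Result<&T, CastError> {
    let addr = bytes.as_ptr() as usize;
    if bytes.len() < size_of::<T>() {
        return Err(CastError::TooShort { have: bytes.len(), need: size_of::<T>() });
    }
    if addr % align_of::<T>() != 0 {
        return Err(CastError::Misaligned { addr, required: align_of::<T>() });
    }
    // SAFETY: length and alignment were checked above, T accepts any bit pattern,
    // and the returned reference borrows `bytes`, so it cannot outlive the buffer.
    Ok(unsafe { &*(bytes.as_ptr() as *const T) })
}

/// Constructed sample: an 8-byte-aligned buffer so slice offsets are deterministic.
#[repr(C, align(8))]
pub struct Aligned(pub [u8; 16]);

pub fn demo() -> (bool, bool, bool) {
    let buf = Aligned([0x11; 16]);
    let ok = view_as::<u32>(&buf.0[4..]).map(|v| *v) == Ok(0x1111_1111);
    let misaligned = matches!(view_as::<u32>(&buf.0[1..]), Err(CastError::Misaligned { .. }));
    let short = view_as::<u64>(&buf.0[8..12]) == Err(CastError::TooShort { have: 4, need: 8 });
    (ok, misaligned, short)
}

fn main() {
    println!("{:?}", demo());
}
```

The unchecked cast compiles for all three inputs in `demo`; only the explicit size and alignment checks distinguish the sound conversion from the two that would be undefined behavior.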
