SafeFFI: Efficient Sanitization at the Boundary Between Safe and Unsafe Code in Rust and Mixed-Language Applications

TL;DR

SafeFFI enhances Rust's memory safety by optimizing sanitizer checks at code boundaries, significantly reducing overhead and maintaining correctness in mixed-language applications.

Contribution

SafeFFI introduces a boundary-based sanitization approach that minimizes runtime checks and avoids whole-program analysis, improving performance in Rust programs with unsafe code.

Findings

Reduces sanitizer checks by up to 98%

Achieves 2.64x compile-time overhead compared to 8.83x

Maintains detection of all memory safety violations

Abstract

Unsafe Rust code is necessary for interoperability with C/C++ libraries and implementing low-level data structures, but it can cause memory safety violations in otherwise memory-safe Rust programs. Sanitizers can catch such memory errors at runtime, but introduce many unnecessary checks even for memory accesses guaranteed safe by the Rust type system. We introduce SafeFFI, a system for optimizing memory safety instrumentation in Rust binaries such that checks occur at the boundary between unsafe and safe code, handing over the enforcement of memory safety from the sanitizer to the Rust type system. Unlike previous approaches, our design avoids expensive whole-program analysis and adds much less compile-time overhead (2.64x compared to over 8.83x). On a collection of popular Rust crates and known vulnerable Rust code, SafeFFI achieves superior performance compared to state-of-the-art systems, reducing sanitizer checks by up to 98%, while maintaining correctness and flagging all spatial and temporal memory safety violations.